-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More properties for formal verification #256
Comments
Question: Property A.1 does not hold if the borrow rate is unreasonably high, or if the market has been inactive for an extended period of time. Is this intended? |
Thanks a lot for the detailed invariants, this is really helpful ! I'll try to verify as much as possible :) A.1
I think that the property holds for an atomic call because there are no accrued interests (the code snippet you wrote should work because it does not include time passing). If there can be a waiting period however, the fact that this property does not hold anymore is intended: as a borrower you should monitor your position and the potential increase of the borrow rate. A.2I don't think it holds, there should be some liquidations that make the position healthy. It should be the same setup as in Morpho yellow paper (see lemma 2.2.1 page 18 notably). For example, with a liquidation incentive of 1.1, a LLTV of 0.5, and a unhealthy position of 51 borrow (in value) with 100 collateral (in value), a liquidation repaying 10 (and seizing 1.1 * 10 = 11), will put that account ltv to 41 / 89 < 0.5. C.1I'm not sure that we necessarily want to verify that property. In particular, if we had a simple interest rate model, then compounding more often would lead to more interests accrued. It would only become problematic if the benefit of doing so makes it so the interest accrual would be called a lot, leading to gas inefficiencies overall. To mitigate that, we use an approximation of the perfect compouding model, so it should still not verify the C.1 property, but it should still be ok because it's very close. C.2Do we want to verify this property to make sure that liquidators do not have to call |
What do you mean by "atomic calls"? Most entrypoint calls invoke
The properties stem from the specific rounding directions used in the current implementation. So I figured they might be an implicit design decision made under the hood. Please feel free to ignore them if C1 and C2 are not intended, but you may want to consider other high-level properties that imply the correctness of the specific rounding directions chosen by the implementation. |
Oh ok you are right about A1, I assumed that the code snippet showed an interaction with Blue in the same transaction as another interaction (this is forge's default), and this is what I meant about "atomic calls". C1 and C2 were not intended but they are nice properties. I think that if we get close to those properties of a few WEI (let's say because of a rounding error), then weird behaviors are not incentivized and there should be no gas waste which should be enough |
You're right. Thanks for providing the pointer to it. I've added the condition for Property A.2, which essentially captures Lemma 2.2.1 in the Morpho yellow paper. I also added Property D.4, to capture the other aspect of the lemma. The updated Property A.2, along with the newly introduced Property D.4, are provided for the sake of completeness. But I'm not very confident that they can be verified by automated provers due to the complex arithmetic involved. In that case, you may want to utilize fuzz testing as much as possible. |
Thanks for the added invariants ! I think that one property that would be very interesting to prove is that the position stay healthy if it's LTV was lower than 1 / liquidation_incentive. This would ensure that our liquidation system has some breathing room to liquidate users before it leads to bad debt. I'm closing this issue because I'm opening a general issue about formal verification to keep track of what's left to do. See #390 |
EDIT by @QGarchery. Todo list:
A2 is omitted because it does not seem to hold. Path independence property are postponed to future work, and they also require accepting a small delta. D2 is already mentioned in #96, D3 is being considered as an improvement on D2.
END OF EDIT
In addition to the nice invariants in #96, these properties can be considered for formal verification:
Properties about healthiness
Property A.1
No Blue transaction, including liquidation calls, can cause a healthy position to become unhealthy. (In other words, only price changes occurring outside of Blue can result in a previously healthy position becoming unhealthy.)
For example, this property can be tested as follows:
Property A.2 [Updated: 8/18]
"Partial" liquidation cannot change an unhealthy position into a healthy one, if the LTV is greater than
1 / liquidation_incentive
.For example,
where:
High-level properties regarding rounding errors
Roundtrip properties
Roundtrip properties between supply() and withdraw():
Similarly, roundtrip properties between borrow() and repay():
For example, Property B.1.1 can be tested as follows:
Path independence properties
Property C.1
Path independence for
_accrueInterests()
:For example,
Property C.2
Path independence for
liquidate()
For example,
Properties about share prices
Property D.1
The price of both supply and borrow shares do not decrease after interest accruals.
For example,
Property D.2
More generally, the price of both supply and borrow shares do not decrease after any non-liquidation Blue transactions.
For example,
Property D.3
The share prices do not decrease after liquidation, as long as it wasn't a result of bad debt.
For example,
Property D.4 [Added 8/18]
The share prices do not decrease after liquidation, if the LTV is less than or equal to
1 / liquidation_incentive
.For example,
where
ultimatelyInsolvent()
is defined in Property A.2.The text was updated successfully, but these errors were encountered: