Merge pull request #23 from ergoplatform/i13-vuln-tests

Vulneraibility analysis of DEX limit order contracts

Author: greenhat

README.md

@@ -1,25 +1,36 @@
 # Ergo Contracts
+Source code of the Ergo smart contracts with compilation, testing, and formal verification tooling.
 
-## Prerequisites:
+# List of contracts:
+Certified(ErgoScala):
+- Assets Atomic Exchange [src](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L12-L70) , [verified properties](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L72-L141)
+- Crowd Funding [src](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/CrowdFundingContractVerification.scala#L10-L30), [verified properties](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/CrowdFundingContractVerification.scala#L32-L105)
+- ICO Funding [src](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/ICOContractVerification.scala#L9-L186), [verified properties](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/verified-contracts/src/main/scala/org/ergoplatform/contracts/ICOContractVerification.scala#L208-L279)
+
+ErgoScript:
+- DEX with limit orders and partial matching [src](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/contracts/src/main/scala/org/ergoplatform/contracts/DexLimitOrder.scala#L45-L315) [docs](https://github.com/ergoplatform/ergo-contracts/blob/19e23fde8c94a71eb8ca839c829e4efb4e4e63ac/contracts/src/main/scala/org/ergoplatform/contracts/DexLimitOrder.scala#L319-L397)
+
+## How to add a new certified contract
+Certified contracts are written in ErgoScala (a subset of Scala, compiled with [ErgoScala compiler](https://github.com/ergoplatform/ergo-scala-compiler)) and have their properties verified using formal verification with [Stainless](https://stainless.epfl.ch/).
+
+## Prerequisites for certified contracts:
 - Install Z3 SMT solver from https://github.com/Z3Prover/z3
 
-## How to add a new contract
-                
 ### Create a method for the contract
 Subclass `SigmaContract` in the `verified-contracts` project and put a contract code in a method. The first parameter has to be `ctx: Context`, and subsequent parameters may be contract parameters. The return value has to be `SigmaProp`. Make the first line of the contract code `import ctx._` to improve readability.
 
 ### Write contract code in the method.
 See [DEX buy order](http://github.com/ergoplatform/ergo-contracts/blob/71f1ef745b7ffce80272e7050a65ec4f68bfd661/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L12-L45) for an example.
 
-### Contract compilation
+### Contract compilation (ErgoScala)
 Create a subclass (object) of the class with contract code to make an "instance" method to compile the contract's code.
 It'll invoke the compiler (macros) and returns a compiled contract with embedded contract parameters. Create a method with parameters from the contract (without the `Context` parameter) and invoke `ErgoContractCompiler.compile`. See [DEX buy order](http://github.com/ergoplatform/ergo-contracts/blob/71f1ef745b7ffce80272e7050a65ec4f68bfd661/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L150-L158) for an example.
 Mark this method with `@ignore` annotation to hide it from Stainless. 
 
 ### How to use compiled contract
-Call the "instance" method in another module/project and it'll return 'ErgoContract'(compiled contract).
+Call the "instance" method in another module/project, and it'll return 'ErgoContract'(compiled contract).
 Call `ErgoContract.scalaFunc` to run the contract with given `Context`. See [DEX buy order](http://github.com/ergoplatform/ergo-contracts/blob/71f1ef745b7ffce80272e7050a65ec4f68bfd661/verified-contracts-test/src/test/scala/org/ergoplatform/contracts/tests/AssetsAtomicExchangeCompilationTest.scala#L319-L324) for an example.
 
 ### Verifying contract properties
-Verification is done using [Stainless](https://epfl-lara.github.io/stainless/verification.html). Create a subclass(object) of the class where you put contracts (as methods). Use a method for each property you want to verify. Put pre-conditions in `require()` call, call the contract and verify post-conditions. See [DEX buy order](http://github.com/ergoplatform/ergo-contracts/blob/71f1ef745b7ffce80272e7050a65ec4f68bfd661/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L90-L113) verified properties for an example.
+Verification is done using [Stainless](https://epfl-lara.github.io/stainless/verification.html). Create a subclass(object) of the class where you put contracts (as methods). Use a method for each property you want to verify. Put pre-conditions in `require()` call, call the contract, and verify post-conditions. See [DEX buy order](http://github.com/ergoplatform/ergo-contracts/blob/71f1ef745b7ffce80272e7050a65ec4f68bfd661/verified-contracts/src/main/scala/org/ergoplatform/contracts/AssetsAtomicExchange.scala#L90-L113) verified properties for an example.
 

contracts/src/main/scala/org/ergoplatform/contracts/DexLimitOrder.scala

@@ -57,6 +57,7 @@ private object DexLimitOrderErgoScript {
 
     val buyerScript = s"""buyerPk || {
 
+      // counter(sell) orders that are matched against this order
       val spendingSellOrders = INPUTS.filter { (b: Box) => 
         b.R4[Coll[Byte]].isDefined && b.R5[Long].isDefined && {
           val sellOrderTokenId = b.R4[Coll[Byte]].get
@@ -66,18 +67,24 @@ private object DexLimitOrderErgoScript {
         }
       }
 
+      // box with mine(bought) tokens
+      // check that such box is only one in outputs is later in the code
       val returnBoxes = OUTPUTS.filter { (b: Box) => 
         val referencesMe = b.R4[Coll[Byte]].isDefined && b.R4[Coll[Byte]].get == SELF.id 
         val canSpend = b.propositionBytes == buyerPk.propBytes
         referencesMe && canSpend      
       }
 
+      // check if this order should get the spread for a given counter order(height)
       val spreadIsMine = { (counterOrderBoxHeight: Int) => 
         // greater or equal since only a strict greater gives win in sell order contract
+        // Denys: we have to decide who gets the spread if height is equal, without any reason I chose buy order
         counterOrderBoxHeight >= SELF.creationInfo._1 
       }
 
-      val boxesAreSortedBySpread = { (boxes: Coll[Box]) => 
+      // check that counter(sell) orders are sorted by spread in INPUTS
+      // so that the bigger(top) spread will be "consumed" first
+      val sellOrderBoxesAreSortedBySpread = { (boxes: Coll[Box]) => 
         boxes.size > 0 && {
           val alledgedlyTopSpread = if (spreadIsMine(boxes(0).creationInfo._1)) { 
             tokenPrice - boxes(0).R5[Long].getOrElse(0L)
@@ -86,23 +93,28 @@ private object DexLimitOrderErgoScript {
             val prevSpread = t._1
             val isSorted = t._2
             val boxTokenPrice = box.R5[Long].getOrElse(0L)
+            val boxTokenPriceIsCorrect = boxTokenPrice > 0 && boxTokenPrice <= tokenPrice
             val spread = if (spreadIsMine(box.creationInfo._1)) { 
               tokenPrice - boxTokenPrice 
             } else { 0L }
-            (spread, isSorted && spread <= prevSpread)
+            (spread, isSorted && boxTokenPriceIsCorrect && spread <= prevSpread)
           })._2 
         }
       }
 
       returnBoxes.size == 1 && 
         spendingSellOrders.size > 0 && 
-        boxesAreSortedBySpread(spendingSellOrders) && {
+        sellOrderBoxesAreSortedBySpread(spendingSellOrders) && {
 
         val returnBox = returnBoxes(0)
+        // token amount that are bought
         val returnTokenAmount = if (returnBox.tokens.size == 1) returnBox.tokens(0)._2 else 0L
         
+        // DEX fee that we allow for matcher to take
         val expectedDexFee = dexFeePerToken * returnTokenAmount
         
+        // in case of partial matching new buy order box should be created with funds that are not matched in this tx
+        // check that there is only one such box is made later in the code
         val foundResidualOrderBoxes = OUTPUTS.filter { (b: Box) => 
           val tokenIdParamIsCorrect = b.R4[Coll[Byte]].isDefined && b.R4[Coll[Byte]].get == tokenId 
           val tokenPriceParamIsCorrect = b.R5[Long].isDefined && b.R5[Long].get == tokenPrice
@@ -114,15 +126,15 @@ private object DexLimitOrderErgoScript {
           contractParamsAreCorrect && referenceMe && guardedByTheSameContract
         }
 
+        // aggregated spread we get from all counter(sell) orders
         val fullSpread = {
           spendingSellOrders.fold((returnTokenAmount, 0L), { (t: (Long, Long), sellOrder: Box) => 
             val returnTokensLeft = t._1
             val accumulatedFullSpread = t._2
             val sellOrderTokenPrice = sellOrder.R5[Long].get
             val sellOrderTokenAmount = sellOrder.tokens(0)._2
-            val priceIsCorrect = sellOrderTokenPrice <= tokenPrice
             val tokenAmountFromThisOrder = min(returnTokensLeft, sellOrderTokenAmount)
-            if (spreadIsMine(sellOrder.creationInfo._1) && priceIsCorrect) {
+            if (spreadIsMine(sellOrder.creationInfo._1)) {
               // spread is ours
               val spreadPerToken = tokenPrice - sellOrderTokenPrice
               val sellOrderSpread = spreadPerToken * tokenAmountFromThisOrder
@@ -135,9 +147,13 @@ private object DexLimitOrderErgoScript {
           })._2
         }
 
+        // ERGs paid for the bought tokens
         val returnTokenValue = returnTokenAmount * tokenPrice
+        // branch for total matching (all ERGs are spent and correct amount of tokens is bought)
         val totalMatching = (SELF.value - expectedDexFee) == returnTokenValue && 
           returnBox.value >= fullSpread
+        // branch for partial matching, e.g. besides bought tokens we demand a new buy order with ERGs for 
+        // non-matched part of this order
         val partialMatching = {
           val correctResidualOrderBoxValue = (SELF.value - returnTokenValue - expectedDexFee)
           foundResidualOrderBoxes.size == 1 && 
@@ -178,18 +194,24 @@ private object DexLimitOrderErgoScript {
 
       val selfTokenAmount = SELF.tokens(0)._2
 
+      // box with ERGs(mine) for sold tokens
+      // check that such box is only one in outputs is later in the code
       val returnBoxes = OUTPUTS.filter { (b: Box) => 
         val referencesMe = b.R4[Coll[Byte]].isDefined && b.R4[Coll[Byte]].get == SELF.id
         val canSpend = b.propositionBytes == sellerPk.propBytes
         referencesMe && canSpend      
       }
 
+      // check if this order should get the spread for a given counter order(height)
       val spreadIsMine = { (counterOrderBoxHeight: Int) => 
         // strictly greater since equality gives win in buy order contract
+        // Denys: we have to decide who gets the spread if height is equal, without any reason I chose buy order
         counterOrderBoxHeight > SELF.creationInfo._1 
       }
 
-      val boxesAreSortedBySpread = { (boxes: Coll[Box]) => 
+      // check that counter(buy) orders are sorted by spread in INPUTS
+      // so that the bigger(top) spread will be "consumed" first
+      val buyOrderBoxesAreSortedBySpread = { (boxes: Coll[Box]) => 
         boxes.size > 0 && {
           val alledgedlyTopSpread = if (spreadIsMine(boxes(0).creationInfo._1)) { 
             boxes(0).R5[Long].getOrElse(0L) - tokenPrice 
@@ -198,12 +220,15 @@ private object DexLimitOrderErgoScript {
             val prevSpread = t._1
             val isSorted = t._2
             val boxTokenPrice = box.R5[Long].getOrElse(0L)
+            // although buy order's DEX fee is not used here, we check if its positive as a part of sanity check
+            val boxDexFeePerToken = box.R6[Long].getOrElse(0L)
             val spread = if (spreadIsMine(box.creationInfo._1)) { boxTokenPrice - tokenPrice } else { 0L }
-            (spread, isSorted && spread <= prevSpread)
+            (spread, isSorted && boxTokenPrice >= tokenPrice && boxDexFeePerToken > 0L && spread <= prevSpread)
           })._2 
         }
       }
 
+      // counter(buy) orders that are matched against this order
       val spendingBuyOrders = INPUTS.filter { (b: Box) => 
         b.R4[Coll[Byte]].isDefined && b.R5[Long].isDefined && b.R6[Long].isDefined && {
           val buyOrderTokenId = b.R4[Coll[Byte]].get
@@ -213,10 +238,12 @@ private object DexLimitOrderErgoScript {
 
       returnBoxes.size == 1 && 
         spendingBuyOrders.size > 0 && 
-        boxesAreSortedBySpread(spendingBuyOrders) && {
+        buyOrderBoxesAreSortedBySpread(spendingBuyOrders) && {
 
         val returnBox = returnBoxes(0)
 
+        // in case of partial matching new sell order box should be created with tokens that are not matched in this tx
+        // check that there is only one such box is made later in the code
         val foundResidualOrderBoxes = OUTPUTS.filter { (b: Box) => 
           val tokenIdParamIsCorrect = b.R4[Coll[Byte]].isDefined && b.R4[Coll[Byte]].get == tokenId 
           val tokenPriceParamIsCorrect = b.R5[Long].isDefined && b.R5[Long].get == tokenPrice
@@ -229,16 +256,16 @@ private object DexLimitOrderErgoScript {
           contractParamsAreCorrect && referenceMe && guardedByTheSameContract
         }
 
+        // aggregated spread we get from all counter(buy) orders
         val fullSpread = { (tokenAmount: Long) =>
           spendingBuyOrders.fold((tokenAmount, 0L), { (t: (Long, Long), buyOrder: Box) => 
             val returnTokensLeft = t._1
             val accumulatedFullSpread = t._2
             val buyOrderTokenPrice = buyOrder.R5[Long].get
             val buyOrderDexFeePerToken = buyOrder.R6[Long].get
-            val buyOrderTokenAmount = buyOrder.value / (buyOrderTokenPrice + buyOrderDexFeePerToken)
-            val priceIsCorrect = buyOrderTokenPrice >= tokenPrice
-            val tokenAmountInThisOrder = min(returnTokensLeft, buyOrderTokenAmount)
-            if (spreadIsMine(buyOrder.creationInfo._1) && priceIsCorrect) {
+            val buyOrderTokenAmountCapacity = buyOrder.value / (buyOrderTokenPrice + buyOrderDexFeePerToken)
+            val tokenAmountInThisOrder = min(returnTokensLeft, buyOrderTokenAmountCapacity)
+            if (spreadIsMine(buyOrder.creationInfo._1)) {
               // spread is ours
               val spreadPerToken = buyOrderTokenPrice - tokenPrice
               val buyOrderSpread = spreadPerToken * tokenAmountInThisOrder
@@ -251,25 +278,28 @@ private object DexLimitOrderErgoScript {
           })._2
         }
 
+        // branch for total matching (all tokens are sold and full amount ERGs received)
         val totalMatching = (returnBox.value == selfTokenAmount * tokenPrice + fullSpread(selfTokenAmount))
 
+        // branch for partial matching, e.g. besides received ERGs we demand a new buy order with tokens for 
+        // non-matched part of this order
         val partialMatching = {
           foundResidualOrderBoxes.size == 1 && {
-            val newOrderBox = foundResidualOrderBoxes(0)
-            val newOrderTokenData = newOrderBox.tokens(0)
-            val newOrderTokenAmount = newOrderTokenData._2
-            val soldTokenAmount = selfTokenAmount - newOrderTokenAmount
-            val minSoldTokenErgValue = soldTokenAmount * tokenPrice
+            val residualOrderBox = foundResidualOrderBoxes(0)
+            val residualOrderTokenData = residualOrderBox.tokens(0)
+            val residualOrderTokenAmount = residualOrderTokenData._2
+            val soldTokenAmount = selfTokenAmount - residualOrderTokenAmount
+            val soldTokenErgValue = soldTokenAmount * tokenPrice
             val expectedDexFee = dexFeePerToken * soldTokenAmount
 
-            val newOrderTokenId = newOrderTokenData._1
-            val tokenIdIsCorrect = newOrderTokenId == tokenId
+            val residualOrderTokenId = residualOrderTokenData._1
+            val tokenIdIsCorrect = residualOrderTokenId == tokenId
 
-            val newOrderValueIsCorrect = newOrderBox.value == (SELF.value - expectedDexFee)
-            val returnBoxValueIsCorrect = returnBox.value == minSoldTokenErgValue + fullSpread(soldTokenAmount)
+            val residualOrderValueIsCorrect = residualOrderBox.value == (SELF.value - expectedDexFee)
+            val returnBoxValueIsCorrect = returnBox.value == soldTokenErgValue + fullSpread(soldTokenAmount)
             tokenIdIsCorrect && 
               soldTokenAmount >= 1 && 
-              newOrderValueIsCorrect && 
+              residualOrderValueIsCorrect && 
               returnBoxValueIsCorrect
           }
         }
@@ -379,7 +409,7 @@ object DexLimitOrderContracts {
       tokenPrice <- ergoTree.constants.lift(8).collect {
                      case Values.ConstantNode(value, SLong) => value.asInstanceOf[Long]
                    }
-      dexFeePerToken <- ergoTree.constants.lift(20).collect {
+      dexFeePerToken <- ergoTree.constants.lift(22).collect {
                          case Values.ConstantNode(value, SLong) =>
                            value.asInstanceOf[Long]
                        }
@@ -398,7 +428,7 @@ object DexLimitOrderContracts {
       tokenPrice <- ergoTree.constants.lift(9).collect {
                      case Values.ConstantNode(value, SLong) => value.asInstanceOf[Long]
                    }
-      dexFeePerToken <- ergoTree.constants.lift(20).collect {
+      dexFeePerToken <- ergoTree.constants.lift(22).collect {
                          case Values.ConstantNode(value, SLong) =>
                            value.asInstanceOf[Long]
                        }