openzeppelin-contracts/certora/specs/Pausable.spec

import "helpers/helpers.spec"

methods {
    paused() returns (bool) envfree
    pause()
    unpause()
    onlyWhenPaused()
    onlyWhenNotPaused()
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Function correctness: _pause pauses the contract                                                                    │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule pause(env e) {
    require nonpayable(e);

    bool pausedBefore = paused();

    pause@withrevert(e);
    bool success = !lastReverted;

    bool pausedAfter = paused();

    // liveness
    assert success <=> !pausedBefore, "works if and only if the contract was not paused before";

    // effect
    assert success => pausedAfter, "contract must be paused after a successful call";
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Function correctness: _unpause unpauses the contract                                                                │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule unpause(env e) {
    require nonpayable(e);

    bool pausedBefore = paused();

    unpause@withrevert(e);
    bool success = !lastReverted;

    bool pausedAfter = paused();

    // liveness
    assert success <=> pausedBefore, "works if and only if the contract was paused before";

    // effect
    assert success => !pausedAfter, "contract must be unpaused after a successful call";
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Function correctness: whenPaused modifier can only be called if the contract is paused                              │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule whenPaused(env e) {
    require nonpayable(e);

    onlyWhenPaused@withrevert(e);
    assert !lastReverted <=> paused(), "works if and only if the contract is paused";
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Function correctness: whenNotPaused modifier can only be called if the contract is not paused                       │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule whenNotPaused(env e) {
    require nonpayable(e);

    onlyWhenNotPaused@withrevert(e);
    assert !lastReverted <=> !paused(), "works if and only if the contract is not paused";
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rules: only _pause and _unpause can change paused status                                                            │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule noPauseChange(env e) {
    method f;
    calldataarg args;

    bool pausedBefore = paused();
    f(e, args);
    bool pausedAfter = paused();

    assert pausedBefore != pausedAfter => (
        (!pausedAfter && f.selector == unpause().selector) ||
        (pausedAfter && f.selector == pause().selector)
    ), "contract's paused status can only be changed by _pause() or _unpause()";
}
Move certora helpers to a dedicated folder (#4211) 2 years ago			`import "helpers/helpers.spec"`
Add Pausable FV (#4117) Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com> 2 years ago
			`methods {`
			`paused() returns (bool) envfree`
			`pause()`
			`unpause()`
			`onlyWhenPaused()`
			`onlyWhenNotPaused()`
			`}`

			`/*`
			`┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐`
			`│ Function correctness: _pause pauses the contract │`
			`└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘`
			`*/`
			`rule pause(env e) {`
			`require nonpayable(e);`

			`bool pausedBefore = paused();`

			`pause@withrevert(e);`
			`bool success = !lastReverted;`

			`bool pausedAfter = paused();`
Move certora helpers to a dedicated folder (#4211) 2 years ago
Add Pausable FV (#4117) Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com> 2 years ago			`// liveness`
			`assert success <=> !pausedBefore, "works if and only if the contract was not paused before";`

			`// effect`
			`assert success => pausedAfter, "contract must be paused after a successful call";`
			`}`

			`/*`
			`┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐`
			`│ Function correctness: _unpause unpauses the contract │`
			`└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘`
			`*/`
			`rule unpause(env e) {`
			`require nonpayable(e);`

			`bool pausedBefore = paused();`

			`unpause@withrevert(e);`
			`bool success = !lastReverted;`

			`bool pausedAfter = paused();`
Move certora helpers to a dedicated folder (#4211) 2 years ago
Add Pausable FV (#4117) Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com> 2 years ago			`// liveness`
			`assert success <=> pausedBefore, "works if and only if the contract was paused before";`

			`// effect`
			`assert success => !pausedAfter, "contract must be unpaused after a successful call";`
			`}`

			`/*`
			`┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐`
			`│ Function correctness: whenPaused modifier can only be called if the contract is paused │`
			`└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘`
			`*/`
			`rule whenPaused(env e) {`
			`require nonpayable(e);`

			`onlyWhenPaused@withrevert(e);`
			`assert !lastReverted <=> paused(), "works if and only if the contract is paused";`
			`}`

			`/*`
			`┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐`
			`│ Function correctness: whenNotPaused modifier can only be called if the contract is not paused │`
			`└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘`
			`*/`
			`rule whenNotPaused(env e) {`
			`require nonpayable(e);`
Move certora helpers to a dedicated folder (#4211) 2 years ago
Add Pausable FV (#4117) Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com> 2 years ago			`onlyWhenNotPaused@withrevert(e);`
			`assert !lastReverted <=> !paused(), "works if and only if the contract is not paused";`
			`}`

			`/*`
			`┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐`
			`│ Rules: only _pause and _unpause can change paused status │`
			`└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘`
			`*/`
			`rule noPauseChange(env e) {`
			`method f;`
			`calldataarg args;`

			`bool pausedBefore = paused();`
			`f(e, args);`
			`bool pausedAfter = paused();`

			`assert pausedBefore != pausedAfter => (`
			`(!pausedAfter && f.selector == unpause().selector) \|\|`
			`(pausedAfter && f.selector == pause().selector)`
			`), "contract's paused status can only be changed by _pause() or _unpause()";`
			`}`