Formal Verification and Path Coverage Tools for Continuous Security of the Compound Protocol and its dApps
Summary
A proposal for significantly and continuously improving the security of the Compound platform and the dApps built on top of it, by offering our formal verification and path coverage tooling service to the Compound Platform contributors and the Compound Protocol dApp developers. This is a follow-up to our recent work on the Comet protocol with the Compound labs team. The idea is to provide access to the community and educate the community, write formal specifications, and review code changes. This proposal is orthogonal to the Open Zeppelin proposal, which has already been suggested using the Certora prover. This proposal also suggests writing formal correctness rules for the Compound Protocol which will be reviewed by the community and OpenZeppelin. We have already written some formal requirements for Comet and prevented huge security breaches.
This is an update of an earlier unsubmitted proposal discussed in November 2021.
Background
Compound Protocol Security
The Compound Protocol is a fully decentralized system that provides sophisticated tools for accessing liquidity. The protocol’s ongoing management is controlled by a governance protocol that allows external contributions and voting by stakeholders. Such a system opens up the possibility of creating powerful new DeFi protocols built on top of it, without giving up on decentralization.
One of the major risks in managing a complex system of smart contracts is that it is harder to ensure that changes introduced via governance are safe and that they do not break the behavior of the protocol. While those problems are common to every piece of evolving software, decentralization introduces additional risks.
These risks were highlighted by a recent incident in which a bug was introduced in a Compound governance proposal, leading to huge nonrecoverable financial losses. Of course, such bugs are not exclusive to Compound — they have been affecting many DeFi protocols.
Detecting vulnerabilities before they are deployed is difficult because of the lack of good security tools for smart contract development. Smart contract developers often rely on manual auditing to prevent bugs, but audits are not well suited for the setting of ongoing, time-controlled governance proposals. Moreover, even the best auditor can miss critical bugs due to the complexity of the code.
About Certora
Our team consists of 60 experts in smart contract security, formal verification methods, and compilation techniques. 12 of our team members have PhDs in formal verification from top schools in US, Europe, and Israel. We have built a world-class and unique developer tool that seamlessly integrates into CI/CD, allowing continuous verification of contract correctness.
We enable companies to “move fast and break nothing”, taking months off of the time to market, by decreasing code audit time. Our product, the Certora Prover, allows both pre- and post-deployment code verification: it statically analyzes the code before it is deployed but also runs on the EVM bytecode of the deployed contracts. The product verifies code by checking that it obeys high-level semantic rules. For example, a rule could assert that the sum of token balances remains unchanged by all operations that do not mint new tokens. A free demo of the Certora Prover can be found here. The real tool is quite advanced and handles multiple contracts.
Our product is used by the industry’s leading companies (Aave, Balancer, Benqi, Compound Finance, MakerDAO, OpenZeppelin, Sushi, TradeJoe, Bancor, and more) and has prevented more than 100 safety-critical bugs, including 20 “solvency” bugs (a bug in which a user can steal money from the contract). Each bug can lead to tens or even hundreds of millions of dollars in losses. The Certora technology has also uncovered critical security bugs in the Solidity compiler itself and in deployed contracts of major DeFi organizations. We are also the only team that was able to formally verify interesting security properties including preservation of funds.
Certora developed a new language CVL https://docs.certora.com/ for writing code specifications. As part of this project, the Compound Community will get access to the language and the technology (see Offering Section below).
Certora and Compound Relationship
We have been working with the Compound team almost since its inception. Originally, we formally verified the first Price Oracle implementation. Using the Certora Prover tool, we were able to find a subtle bug after the contract completed auditing by Trail of Bits. The part that we did not verify, the MoneyMarket contract, was later found to contain a serious vulnerability in the liquidation function, potentially breaking the protocol’s solvency, allowing an attacker to steal money from the contract. Compound Labs then asked us to help in formally verifying a sophisticated bugfix, whose goal was to block potential exploits. We have written rules for that purpose, successfully showing that no code paths can trigger the exploit.
In addition, we formally verified the V2 version of the protocol, including the MoneyMarket contract. There, we were able to find more bugs in pre-deployment and post-audit. For example, a rule for ETH borrows written by Jared Flatow (VP Engineering) from the Compound team found a mismatch in the computation of accrued interest, that prevented users from fully repaying loans. We have found many more costly bugs in the platform, preventing immense losses and protecting its users, including in the OpenOracle protocol.
In the verification of the Open Oracle framework with the Uniswap based anchor, we have identified a high-risk miscalculation of the prices of cTokens. In addition, we have verified a set of properties for this contract. The full report is available here https://www.certora.com/wp-content/uploads/2022/02/CompoundUniswapAnchoredOpenOracleAug2020.pdf
Certora is currently verifying Comet and already found 10 critical and high severity issues, including increasing assets by self transferring, missing updates of collateral used, missing updates to the supply and borrow rates and more. We have verified approximately 50 rules. The rules show that the system obeys important security properties of the protocol spanning the core logic of the protocol, high-level mathematical properties of operations such as accrue and, important properties of all the public methods including absorbing and buying collateral. This project will be concluded by the end of March, after which a full verification report will be published.
Specific Rules
As described previously, we have been working closely with the Compound core team. However, we are not working with the Compound Platform contributors (those not directly employed by Compound) nor the Compound dApps developers (those developing dApps on top of the Compound Protocol). Recent exploits (such as the claimComp bug discovered in Proposal 62) show that this approach is insufficient; these exploits have caused hundreds of millions of dollars of losses.
Case Study 1: Applying Certora Prover to check Proposal 62
Proposal 62 pertains to parts of the code that were not verified by Certora, but applying simple rules could have identified the bug. For example, the bug would be detected by the following rule:
Rule: maxCompReward
Description: The max COMP reward of a user has an upper limit, based on the current supplyState, borrowState and compAccured.
Claimed COMP should also satisfy other simple properties, and checking these properties could detect and prevent additional bugs. For example:
Rule: noFrontRunningGainOrLoss
Description: The amount of COMP received at a specific state is the same whether or not another user (possible the admin) has performed an operation just before.
Rule: zeroGainOnZeroBlocks
Description: A user with zero borrows can not gain COMP in a single block (for example by using a flash loan).
An executable formalization of the rules detects the bug introduced in Proposal 62, in particular, the rule called maxCompReward
triggers a violation.
Case Study 2: A formal rule for Comet integrity of token balance change
Rule: totalCollateralPerAsset
Description: The sum of collateral per asset over all users is equal to total collateral of asset. This rule is also applied to check all public and external methods of the Comet contract.
This important solvency property which can be easily formulated in Certora’s specification language was violated in a version before deployment and shows a critical vulnerability of self transferring.
Rule: balance_change_vs_accrue
Description: Whenever the system’s borrow token balance changes, it changed after accrue was called and the borrow and supply rates are up to date. This rule is also applied to check all public and external methods of the Comet contract.
After 4 minutes of running time, the Certora Prover located inputs violating the rule in two methods in the methods before deployment:
-
BuyCollateral - thus enabling to buy collateral (at a discount) when there might be enough reserves and therefore should not be allowed
-
withdrawReseves - thus enabling the governance to withdraw possible more reserves than there should be able to
Proposal: Dev Tools for Smart Contract Correctness
We propose two approaches to significantly increase the confidence in the platform itself and in the smart contracts built on top of it. The first is the Certora Prover, and the second is a new symbolic execution tool (path coverage). Both of these methods leverage the high-level rules to guarantee that all paths of the code satisfy the rule.
The two approaches are complementary: The Certora Prover will prove that specific critical parts of the code are sound and will find hard to detect bugs, while the symbolic execution tool will be running 24/7 to continuously increase the coverage for specifications that are too complex to prove using the Certora Prover.
In the following sections, we will specify the deliverables of our proposal.
Formally Specifying High-Level Rules of dApps in Open-Source CVL
We will carefully review every proposal of a code change by the community and write high-level correctness rules in English and in CVL, Certora’s domain-specific specification language. This includes development for DeFi smart contracts built on top of Compound, as well as for the Compound platform itself via its contributors. These rules will be used later for the Certora Prover and the new path coverage tool. In the unlikely event that a bug is reported, we will generalize the bug and write high-level rules preventing similar bugs to occur in the future.
These engineers are readily available and familiar with the logic of the Compound Protocol. Our current backlog for customers is several months.
Fitting the DeFi community spirit, we will make the CVL rules open-source, allowing decentralized rule writing and rule auditing. This will allow knowledge-sharing in rule writing between contributors and dApp developers, allowing developers to reuse application rules.
We will compensate non-Certora rule writers with COMP tokens according to their contributions.
We will create a forum for community rule writing. Contributors will have access to the Certora platform (including education material and rules from other projects) and the current set of rules.
Every rule suggestion will be reviewed jointly by the Compound labs and the Certora team. The reward will be decided jointly based on the significant contribution.
Formal Verification of Smart Contracts during CI/CD
The above rules will be used by the Certora Prover, which will be available to all Compound platform developers. The CVL will be integrated as part of a VSCode extension, with tooling to integrate CVL specs to the Solidity code project. The extension will also be able to invoke the Certora Prover, and present an ongoing status of the rules: whether they are proven or violated. When a rule is violated, the extension will return a concrete call trace showing the input for which the rule is violated, in a view similar to a debugger.
Code Coverage for Smart Contracts
This project is inspired by the Sage Direct Fuzzing Project which prevented million-dollar bugs for Microsoft.
We will develop a new symbolic execution product for increasing code coverage of the Compound smart contracts. For each smart contract, the product will automatically generate inputs and check that the contract obeys the rule for those inputs. The product will harness SMT solvers to continuously enumerate additional control flow execution paths. The tool can continue to run post deployments and results will be available on a dashboard. This approach complements formal verification when the code is too complex for it or when using it is too computationally intensive. The Kotlin source code developed in this project will be publicly available from June 1st to allow contributions from the community. This includes CVL and its interpreter. The proposed license is https://polyformproject.org/licenses/noncommercial/1.0.0/
This Code Coverage Tool is similar to Dynamic Monitoring provided by Forta, however, our tool is different in two aspects: it uses high-level security rules and leverages SMT solvers for triggering rarely executed scenarios.
In addition to creating the product, we will create a dashboard that will report the inputs and the paths covered by the different inputs, as well as rule violations that may occur. Also, for each input, we check and report that every CVL rule holds.
Measures of Success
In general, we note that there is no silver bullet in smart contract security and in formal verification specifically. Still, we plan to measure success according to the following measures: (1) the number of paths covered by the path coverage tool, (2) the number of rules formally proved, (3) the number of bugs identified by the Certora Prover before deployment, (4) the number of bugs identified by the path coverage tool, and (5) the number of missed bugs in code analyzed by Certora found by auditors and other means. The numbers will be available on a daily basis.
The Certora Prover takes a Solidity contract and a CVL specification as input and formally proves that the contract satisfies the specification in all scenarios. Importantly, the guarantees of Certora Prover are scoped to the provided specification, and cases that are not covered by the specification are currently not checked by Certora Prover.
Certora Services Summary
We offer the following services by the company:
- We will create a two-week online course on writing rules designated to the Compound Protocol. The course will be recorded for availability for all developers.
- We will hold as many as needed Zoom calls for users of the Certora Prover and the new path coverage tool whose source is available using the Polyform License.
- The Certora team will create a shadow git repository for the Kotlin code. Anybody in the Compound Community can get limited and revocable access to the repository against a signed NDA. We will allocate up to 20 keys to DApp developers accessing our SaaS platform with unlimited compute usage. Computation time will be billed to Certora. Additional keys are available for $4000/month as approved by the Compound ecosystem.
- We will allocate a team of two R&D personnel to write rules for up to 8 weeks per year. Additional weeks will be available subject to charge and availability. We will offer a 30% reduction on the normal professional service prices.
- We will create a dashboard displaying the results of the path coverage product, including rule verified and covered paths, visible to all Compound users. Rule violations will be reported automatically to the Compound security team, but not visible to all users to avoid revealing potential exploits.
- We will create an open-source database of CVL rules and the code they refer to, to decentralize rule writing and promote decentralized contributions to rules.
Price
- The annual price is $2,000,000. $1,000,000 is paid in USDC. $1,000,000 is paid in COMP tokens.
- An additional sum of $400,000 in COMP paying decentralized community rule writers. This sum will not be used for any other purpose and returned if not used or moved to the following year if the contract is renewed. These tokens will be transferred to a special-purpose multisig wallet controlled by Certora and elected members of the Compound ecosystem