Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certora's Governance verification rules #2997

Merged
merged 138 commits into from
Dec 27, 2021
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
138 commits
Select commit Hold shift + click to select a range
2c08f85
start work on governor
shellygr Sep 25, 2021
f239fa5
Back to expected pattern?
shellygr Sep 25, 2021
fdc4b0c
fixes
shellygr Sep 25, 2021
4c1d5e0
fixes
shellygr Sep 25, 2021
22030f2
rule drafts
shellygr Oct 7, 2021
6776cc6
ignore certora's generated files
RedLikeRosesss Nov 2, 2021
cac49bf
sanity rule preparations
RedLikeRosesss Nov 3, 2021
72d4e9c
multiple inheritance is tricky
shellygr Nov 3, 2021
a710435
multiple inheritance is tricky x2
RedLikeRosesss Nov 3, 2021
69f87ad
slight script changes and ghost fix
MichaelMorami Nov 4, 2021
e888ea4
Hooks fixed
MichaelMorami Nov 4, 2021
6876df0
slight changes change for convenience + disableLocalTypeChecking flag…
MichaelMorami Nov 4, 2021
c00d951
Harness private to public
MichaelMorami Nov 4, 2021
d6e79f4
Harness private to public
MichaelMorami Nov 4, 2021
21b8434
slight changes in scripts + disableLocalTypeChecking
MichaelMorami Nov 4, 2021
a2960e2
hooks fixed
MichaelMorami Nov 4, 2021
f7cc254
scripts settings added
RedLikeRosesss Nov 4, 2021
bfa1dd3
quotes on var in msg
MichaelMorami Nov 4, 2021
f08ee56
checkingInvariantsWithoutGhosts
RedLikeRosesss Nov 4, 2021
b133fee
WorkInProgress
RedLikeRosesss Nov 7, 2021
0ebc0d5
someCleaning
RedLikeRosesss Nov 8, 2021
ac729e0
fix simple vote end before start
shellygr Nov 8, 2021
7a5bd86
added invariants if executed or canceled always revert
MichaelMorami Nov 8, 2021
ad7993d
idea for sum of votes
MichaelMorami Nov 8, 2021
751277a
MoreRulesToTheGodOfRules
RedLikeRosesss Nov 8, 2021
37a4975
fixed function revert if executed
MichaelMorami Nov 8, 2021
c819e0b
added ghost and counter implementation for castWithReason and castBySig
MichaelMorami Nov 8, 2021
34cb4bd
ghosts and invariant unfinished
MichaelMorami Nov 8, 2021
44a8fed
cannot set if executed and canceled as rules (not working)
MichaelMorami Nov 8, 2021
07d6379
FirstWizardHarness
RedLikeRosesss Nov 9, 2021
96df979
specificSpecForSumRule
RedLikeRosesss Nov 9, 2021
6ac85d8
RemovedInsertedBugForSumRule
RedLikeRosesss Nov 9, 2021
85855b8
FixedTypoInEnvfreeWord
RedLikeRosesss Nov 9, 2021
52924aa
Changed deltaWeight type from uint to uin256
MichaelMorami Nov 10, 2021
eb87bb4
aesthetic
MichaelMorami Nov 10, 2021
b52832c
Cleaned harness + callPropose
MichaelMorami Nov 10, 2021
f2c3523
Merge pull request #1 from OpenZeppelin/master
MichaelMorami Nov 11, 2021
2a0532d
CountingSimpleMoreCleanAndAddedMoreRules
RedLikeRosesss Nov 11, 2021
2ecba53
reorganization + violated rules
MichaelMorami Nov 12, 2021
4337957
codeCleaningNumberIDontKnow
RedLikeRosesss Nov 12, 2021
9a194f2
start work on governor
shellygr Sep 25, 2021
4a0077d
Back to expected pattern?
shellygr Sep 25, 2021
8494fe2
fixes
shellygr Sep 25, 2021
a0cb8cd
fixes
shellygr Sep 25, 2021
ea6baf2
rule drafts
shellygr Oct 7, 2021
d6036f9
ignore certora's generated files
RedLikeRosesss Nov 2, 2021
e810379
sanity rule preparations
RedLikeRosesss Nov 3, 2021
2d33674
multiple inheritance is tricky
shellygr Nov 3, 2021
1c35a7d
multiple inheritance is tricky x2
RedLikeRosesss Nov 3, 2021
788d467
slight script changes and ghost fix
MichaelMorami Nov 4, 2021
32ab301
Hooks fixed
MichaelMorami Nov 4, 2021
6307b3b
slight changes change for convenience + disableLocalTypeChecking flag…
MichaelMorami Nov 4, 2021
547e7a8
Harness private to public
MichaelMorami Nov 4, 2021
c08a73a
Harness private to public
MichaelMorami Nov 4, 2021
6323c9a
slight changes in scripts + disableLocalTypeChecking
MichaelMorami Nov 4, 2021
91f8919
hooks fixed
MichaelMorami Nov 4, 2021
9298482
scripts settings added
RedLikeRosesss Nov 4, 2021
364da56
quotes on var in msg
MichaelMorami Nov 4, 2021
77efd53
checkingInvariantsWithoutGhosts
RedLikeRosesss Nov 4, 2021
85b65be
WorkInProgress
RedLikeRosesss Nov 7, 2021
d4b9e9a
someCleaning
RedLikeRosesss Nov 8, 2021
c50cb00
fix simple vote end before start
shellygr Nov 8, 2021
5ea1cc7
added invariants if executed or canceled always revert
MichaelMorami Nov 8, 2021
d5c6520
idea for sum of votes
MichaelMorami Nov 8, 2021
2761ec0
MoreRulesToTheGodOfRules
RedLikeRosesss Nov 8, 2021
53d4006
fixed function revert if executed
MichaelMorami Nov 8, 2021
8ed7f96
added ghost and counter implementation for castWithReason and castBySig
MichaelMorami Nov 8, 2021
861fab8
ghosts and invariant unfinished
MichaelMorami Nov 8, 2021
16e101b
cannot set if executed and canceled as rules (not working)
MichaelMorami Nov 8, 2021
bc9bbc2
FirstWizardHarness
RedLikeRosesss Nov 9, 2021
92744a1
specificSpecForSumRule
RedLikeRosesss Nov 9, 2021
f8a54d2
RemovedInsertedBugForSumRule
RedLikeRosesss Nov 9, 2021
9b4634b
FixedTypoInEnvfreeWord
RedLikeRosesss Nov 9, 2021
5267eaa
Changed deltaWeight type from uint to uin256
MichaelMorami Nov 10, 2021
b948e70
aesthetic
MichaelMorami Nov 10, 2021
0d724ca
Cleaned harness + callPropose
MichaelMorami Nov 10, 2021
0598a3a
CountingSimpleMoreCleanAndAddedMoreRules
RedLikeRosesss Nov 11, 2021
921c668
reorganization + violated rules
MichaelMorami Nov 12, 2021
a858ed7
codeCleaningNumberIDontKnow
RedLikeRosesss Nov 12, 2021
2baa9bd
Merge branch 'certora/governor' of https://github.com/Certora/openzep…
RedLikeRosesss Nov 12, 2021
54fa59f
proposeInitialized done
RedLikeRosesss Nov 14, 2021
c6365ef
creating new ghost for 26 b
RedLikeRosesss Nov 14, 2021
c0a257f
overriding castVoteWithReason
MichaelMorami Nov 15, 2021
eee306a
commenting helper function, executed only after exec, func revert if …
MichaelMorami Nov 15, 2021
d297280
oneUserVoteInCast, noVotesForSomeoneElse
MichaelMorami Nov 15, 2021
a16eaeb
ManyNonWorkingRules
RedLikeRosesss Nov 15, 2021
5833f52
Harness of castVoteWithReason to be able to impose requirement on the…
MichaelMorami Nov 16, 2021
1da0a4a
allFunctionsRevertIfExecuted, allFunctionsRevertIfCanceled, executedO…
MichaelMorami Nov 16, 2021
daad23b
comment noVoteForSomeoneElse
MichaelMorami Nov 16, 2021
eb27bdd
MoreRulesAndFixesOfExistedRules
RedLikeRosesss Nov 16, 2021
44113d5
NewWizardHarness
RedLikeRosesss Nov 17, 2021
a33b9b2
FixedERC20VotesIssue
RedLikeRosesss Nov 17, 2021
61b0118
AddedLinkAndFixingGhost
RedLikeRosesss Nov 17, 2021
f7049de
envfreeViolationFix
RedLikeRosesss Nov 18, 2021
65af47d
added filters to revert if exec and revert if canceled
MichaelMorami Nov 18, 2021
0ecb5fc
fix for oneUserVotesInCast
MichaelMorami Nov 18, 2021
9f2a672
moving updateQuorumNumerator to GovernorBase
MichaelMorami Nov 18, 2021
0cbb98b
uncommenting hook for oneUserVotesInCast
MichaelMorami Nov 18, 2021
92f5f0d
TryingToFixRules
RedLikeRosesss Nov 19, 2021
0fbf745
noVoteForSomeoneElse fix
MichaelMorami Nov 19, 2021
a14abd0
hashProposal summarization removed
MichaelMorami Nov 20, 2021
167f175
harness _execute()
MichaelMorami Nov 21, 2021
cd703a5
cleaned up to doubleVoting (not included)
MichaelMorami Nov 21, 2021
37fe8c2
FixinigTimeoutsAndTotalVotes
RedLikeRosesss Nov 22, 2021
ff8e17e
removedHarnessesAnsSummariesAddedComments
RedLikeRosesss Nov 22, 2021
95321a3
done up to noStartBeforeCreation including
MichaelMorami Nov 22, 2021
1b4fb6c
callPropose and castVoteWithReason removed
MichaelMorami Nov 23, 2021
e01b285
helper function fix plus reviewing up to noExecuteOrCancelBeforeDeadl…
MichaelMorami Nov 23, 2021
c38babe
helper function name change
MichaelMorami Nov 23, 2021
38e42f9
helperFunctionArgumentEnv
RedLikeRosesss Nov 23, 2021
4c3ad9c
GovernorCountingSimple cleaning
RedLikeRosesss Nov 23, 2021
9344f69
removed oneUserVotesInCast
RedLikeRosesss Nov 23, 2021
0894724
all rules checked no structure organization
MichaelMorami Nov 23, 2021
108be78
RemovedUnnecessaryHarnesses
RedLikeRosesss Nov 24, 2021
b3dd1e0
RulesCleaning
RedLikeRosesss Nov 24, 2021
37725a0
CleaningAndScriptForAllAndReadme
RedLikeRosesss Nov 24, 2021
73080c7
cleaning in process
RedLikeRosesss Nov 25, 2021
1d25a22
runAllwithoutTypeCheckAndPolishingIt
RedLikeRosesss Nov 25, 2021
43e37f0
executedImplyStartAndEndDateNonZero inv fix
RedLikeRosesss Nov 25, 2021
f40c48a
madeVeryfyAllMoreFlexible
RedLikeRosesss Nov 27, 2021
de59492
fix script
MichaelMorami Nov 30, 2021
96c6120
NewFileForRulesInProgress
RedLikeRosesss Dec 1, 2021
dae72a7
FixingScriptsToWorkWithNewChanges
RedLikeRosesss Dec 1, 2021
7d0eeab
HarnessCleaning
RedLikeRosesss Dec 1, 2021
749738f
moved contract modifications into munged directory
mdgeorge4153 Dec 1, 2021
f308740
created applyHarness
mdgeorge4153 Dec 1, 2021
380b87d
switched harnesses to use munged contracts
mdgeorge4153 Dec 1, 2021
760edf9
tweaked script to run quickly
mdgeorge4153 Dec 2, 2021
ec5d501
filtered out timeouts
mdgeorge4153 Dec 2, 2021
5888bee
fixed executeOnly rule
mdgeorge4153 Dec 2, 2021
d648695
did some harnessing
mdgeorge4153 Dec 2, 2021
3c15095
harnessing fix
mdgeorge4153 Dec 3, 2021
8c0684a
Merge branch 'OpenZeppelin:master' into master
mdgeorge4153 Dec 3, 2021
6bd525f
Merge branch 'master' into certora/governor
mdgeorge4153 Dec 3, 2021
22de642
simplified README somewhat, included additional information about mun…
mdgeorge4153 Dec 9, 2021
d95c3ee
removed some spurious comments
mdgeorge4153 Dec 9, 2021
2a75aa1
added munging to scripts
mdgeorge4153 Dec 9, 2021
7912b1a
filtered out relay, since it is havocing
mdgeorge4153 Dec 16, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
CountingSimpleMoreCleanAndAddedMoreRules
  • Loading branch information
RedLikeRosesss committed Nov 11, 2021
commit 2a0532daccc5e48172d63aa8ce733620d0dae219
273 changes: 159 additions & 114 deletions certora/specs/GovernorBase.spec
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
//////////////////////////////////////////////////////////////////////////////
///////////////////// Governor.sol base definitions //////////////////////////
//////////////////////////////////////////////////////////////////////////////

methods {
proposalSnapshot(uint256) returns uint256 envfree // matches proposalVoteStart
proposalDeadline(uint256) returns uint256 envfree
Expand All @@ -17,131 +18,175 @@ methods {
// internal functions made public in harness:
_quorumReached(uint256) returns bool envfree
_voteSucceeded(uint256) returns bool envfree

}

//////////////////////////////////////////////////////////////////////////////
////////////////////////////// INVARIANTS ////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////


/*
* A proposal cannot end unless it started.
*/
invariant voteStartBeforeVoteEnd(uint256 pId)
(proposalSnapshot(pId) > 0 => proposalSnapshot(pId) < proposalDeadline(pId))
&& (proposalSnapshot(pId) == 0 => proposalDeadline(pId) == 0)
/*
* A proposal cannot end unless it started.
*/
invariant voteStartBeforeVoteEnd(uint256 pId)
(proposalSnapshot(pId) > 0 => proposalSnapshot(pId) < proposalDeadline(pId))
&& (proposalSnapshot(pId) == 0 => proposalDeadline(pId) == 0)


/*
* A proposal cannot be both executed and canceled.
*/
invariant noBothExecutedAndCanceled(uint256 pId)
!isExecuted(pId) || !isCanceled(pId)
/**
* A proposal cannot be both executed and canceled.
*/
invariant noBothExecutedAndCanceled(uint256 pId)
!isExecuted(pId) || !isCanceled(pId)


/*
* A proposal cannot be neither executed nor canceled before it starts
*/
invariant noExecuteOrCancelBeforeStarting(env e, uint256 pId)
e.block.number < proposalSnapshot(pId)
=> !isExecuted(pId) && !isCanceled(pId)
/**
* A proposal could be executed only if quorum was reached and vote succeeded
*/
invariant executionOnlyIfQuoromReachedAndVoteSucceeded(uint256 pId)
isExecuted(pId) => _quorumReached(pId) && _voteSucceeded(pId)


/*
* A proposal could be executed only if quorum was reached and vote succeeded
*/
invariant executionOnlyIfQuoromReachedAndVoteSucceeded(uint256 pId)
isExecuted(pId) => _quorumReached(pId) && _voteSucceeded(pId)
//////////////////////////////////////////////////////////////////////////////
/////////////////////////////////// RULES ////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////


/*
* No functions should be allowed to run after a job is deemed as canceled
*/
rule cannotSetIfCanceled(uint256 pId, method f) filtered { f-> !f.isView }{
require(isCanceled(pId));
env e; calldataarg args;
f(e, args);
assert(isCanceled(pId) => lastReverted == true, "Function did not revert when canceled");
}

//////////////////////////////////////////////////////////////////////////////
/////////////////////////////////// RULES ////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////

/*
* The voting must start not before the proposal’s creation time
*/
rule noStartBeforeCreation(uint256 pId) {
uint previousStart = proposalSnapshot(pId);
require previousStart == 0;
env e;
calldataarg arg;
propose(e, arg);

uint newStart = proposalSnapshot(pId);
// if created, start is after creation
assert(newStart != 0 => newStart >= e.block.number);
}


/*
* Once a proposal is created, voteStart and voteEnd are immutable
*/
rule immutableFieldsAfterProposalCreation(uint256 pId, method f) {
uint _voteStart = proposalSnapshot(pId);
uint _voteEnd = proposalDeadline(pId);
require _voteStart > 0; // proposal was created

env e;
calldataarg arg;
f(e, arg);

uint voteStart_ = proposalSnapshot(pId);
uint voteEnd_ = proposalDeadline(pId);
assert _voteStart == voteStart_;
assert _voteEnd == voteEnd_;
}


/*
* A user cannot vote twice
*/
rule doubleVoting(uint256 pId, uint8 sup) {
env e;
address user = e.msg.sender;

bool votedCheck = hasVoted(e, pId, user);
require votedCheck == true;

castVote@withrevert(e, pId, sup);
bool reverted = lastReverted;

assert votedCheck => reverted, "double voting accured";
}


/*
* When a proposal is created the start and end date are created in the future.
*/
rule proposalCreatedStartAndEndDateInFuture(address[] targets, uint256[] values, bytes[] calldatas){
env e;
uint256 pId = callPropose(e, targets, values, calldatas);
uint256 startDate = proposalSnapshot(pId);
uint256 endDate = proposalDeadline(pId);
assert(startDate >= e.block.number && endDate >= e.block.number, "Start or end date were set in the past");
}


/**
* Check hashProposal hashing is reliable (different inputs lead to different buffers hashed)
*/
/*
rule checkHashProposal {
address[] t1;
address[] t2;
uint256[] v1;
uint256[] v2;
bytes[] c1;
bytes[] c2;
bytes32 d1;
bytes32 d2;

uint256 h1 = hashProposal(t1,v1,c1,d1);
uint256 h2 = hashProposal(t2,v2,c2,d2);
bool equalHashes = h1 == h2;
assert equalHashes => t1.length == t2.length;
assert equalHashes => v1.length == v2.length;
assert equalHashes => c1.length == c2.length;
assert equalHashes => d1 == d2;
}
*/

/*
* No functions should be allowed to run after a job is deemed as executed
*/
rule cannotSetIfExecuted(uint256 pId, method f) filtered { f-> !f.isView }{
require(isExecuted(pId));
env e; calldataarg args;
f(e, args);
assert(isExecuted(pId) => lastReverted == true, "Function did not revert after executed");
}


/*
* The voting must start not before the proposal’s creation time
*/
rule noStartBeforeCreation(uint256 pId) {
uint previousStart = proposalSnapshot(pId);
require previousStart == 0;
env e;
calldataarg arg;
propose(e, arg);

uint newStart = proposalSnapshot(pId);
// if created, start is after creation
assert(newStart != 0 => newStart >= e.block.number);
}


/*
* Once a proposal is created, voteStart and voteEnd are immutable
*/
rule immutableFieldsAfterProposalCreation(uint256 pId, method f) {
uint _voteStart = proposalSnapshot(pId);
uint _voteEnd = proposalDeadline(pId);
require _voteStart > 0; // proposal was created

env e;
calldataarg arg;
f(e, arg);

uint voteStart_ = proposalSnapshot(pId);
uint voteEnd_ = proposalDeadline(pId);
assert _voteStart == voteStart_;
assert _voteEnd == voteEnd_;
}


/*
* A user cannot vote twice
*/
rule doubleVoting(uint256 pId, uint8 sup) {
env e;
address user = e.msg.sender;

bool votedCheck = hasVoted(e, pId, user);

castVote@withrevert(e, pId, sup);
bool reverted = lastReverted;

assert votedCheck => reverted, "double voting accured";
}


/*
* When a proposal is created the start and end date are created in the future.
*/
rule proposalCreatedStartAndEndDateInFuture(address[] targets, uint256[] values, bytes[] calldatas){
env e;
uint256 pId = callPropose(e, targets, values, calldatas);
uint256 startDate = proposalSnapshot(pId);
uint256 endDate = proposalDeadline(pId);
assert(startDate >= e.block.number && endDate >= e.block.number, "Start or end date were set in the past");
}


/**
* Check hashProposal hashing is reliable (different inputs lead to different buffers hashed)
*/
/*
rule checkHashProposal {
address[] t1;
address[] t2;
uint256[] v1;
uint256[] v2;
bytes[] c1;
bytes[] c2;
bytes32 d1;
bytes32 d2;

uint256 h1 = hashProposal(t1,v1,c1,d1);
uint256 h2 = hashProposal(t2,v2,c2,d2);
bool equalHashes = h1 == h2;
assert equalHashes => t1.length == t2.length;
assert equalHashes => v1.length == v2.length;
assert equalHashes => c1.length == c2.length;
assert equalHashes => d1 == d2;
}
*/


/**
* A proposal cannot be neither executed nor canceled before it starts
*/
rule noExecuteOrCancelBeforeStarting(uint256 pId, method f){
env e;

require !isExecuted(pId) && !isCanceled(pId);

calldataarg arg;
f(e, arg);

assert e.block.number < proposalSnapshot(pId) => (!isExecuted(pId) && !isCanceled(pId)), "executed/cancelled before start";
}

/**
* A proposal cannot be neither executed nor canceled before proposal's deadline
*/
rule noExecuteOrCancelBeforeDeadline(uint256 pId, method f){
env e;

requireInvariant voteStartBeforeVoteEnd(pId);
require !isExecuted(pId) && !isCanceled(pId);

calldataarg arg;
f(e, arg);

assert e.block.number < proposalDeadline(pId) => (!isExecuted(pId) && !isCanceled(pId)), "executed/cancelled before start";
}
31 changes: 2 additions & 29 deletions certora/specs/GovernorCountingSimple.spec
Original file line number Diff line number Diff line change
@@ -1,23 +1,6 @@
//////////////////////////////////////////////////////////////////////////////
///////////////////// Governor.sol base definitions //////////////////////////
//////////////////////////////////////////////////////////////////////////////
methods {
proposalSnapshot(uint256) returns uint256 envfree // matches proposalVoteStart
proposalDeadline(uint256) returns uint256 envfree
hashProposal(address[],uint256[],bytes[],bytes32) returns uint256 envfree
isExecuted(uint256) returns bool envfree
isCanceled(uint256) returns bool envfree
// initialized(uint256) returns bool envfree

hasVoted(uint256, address) returns bool

castVote(uint256, uint8) returns uint256

// internal functions made public in harness:
_quorumReached(uint256) returns bool envfree
_voteSucceeded(uint256) returns bool envfree
import "GovernorBase.spec"

// getter for checking the sums
methods {
ghost_sum_vote_power_by_id(uint256) returns uint256 envfree
}

Expand All @@ -40,29 +23,19 @@ ghost sum_tracked_weight() returns uint256 {
init_state axiom sum_tracked_weight() == 0;
}

/*
function update_tracked_weights(uint256 pId, uint256 votes, uint256 old_votes) {
havoc tracked_weight assuming forall uint256 p. (p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
(p != pId => tracked_weight@new(p) == tracked_weight@old(p));
havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
}*/

hook Sstore _proposalVotes[KEY uint256 pId].againstVotes uint256 votes (uint256 old_votes) STORAGE {
//update_tracked_weights(pId, votes, old_votes);
havoc tracked_weight assuming forall uint256 p. (p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
(p != pId => tracked_weight@new(p) == tracked_weight@old(p));
havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
}

hook Sstore _proposalVotes[KEY uint256 pId].forVotes uint256 votes (uint256 old_votes) STORAGE {
//update_tracked_weights(pId, votes, old_votes);
havoc tracked_weight assuming forall uint256 p. (p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
(p != pId => tracked_weight@new(p) == tracked_weight@old(p));
havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
}

hook Sstore _proposalVotes[KEY uint256 pId].abstainVotes uint256 votes (uint256 old_votes) STORAGE {
//update_tracked_weights(pId, votes, old_votes);
havoc tracked_weight assuming forall uint256 p. (p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
(p != pId => tracked_weight@new(p) == tracked_weight@old(p));
havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
Expand Down