Share this page!

obront.eth Profile picture
Twitter logo
Mar 9 15 tweets 5 min read
I was recently working on an audit that used Solady FixedPointMathLib by @optimizoor.

@daejunpark had some concerns with the square root function. What if there were edge cases where the Yul didn’t behave?

Fuzzing didn’t find any, but we couldn’t know for sure.

…or could we?
Enter HALMOS.

It's a symbolic bounded model checker.

What this means is that it takes in EVM bytecode, converts it to a series of equations, and uses the Z3 Theorem Prover to verify the assertion (or find counterexamples).

github.com/a16z/halmos
It runs directly from existing Foundry fuzz tests, so it's shockingly easy to set up relative to more "formal" formal verification.

Let's take it for a spin and see if we can prove the sqrt() function.
First, we'll copy the function out of the library and dump it into our test file (Halmos doesn't support libraries yet). Image
Now we need a way to compare it's results to the "ground truth".

The easiest way to do this is to work backwards:
- pick a random number i
- square it
- add any number n where n < i

Now we know sqrt(i ** 2 + n) == i. Image
That was easy, let's run out test, formally prove the function, and move on with our day... Image
Uh oh. When a symbolic model checker says "unknown" that means Z3 wasn't able to definitively solve the system of equations.

This is often because we're doing too much, but can also be from using large numbers or division.
Some things we can do to help with this:
- use vm.assume() instead of bound()
- use vm.assume(n < i) instead of i = i % n

But we've already done those things, and it's still not provable.
We can run a Foundry fuzz test to ensure that our setup was correct. The test passes fine.

The problem is just that the function is too complex. Image
So what can we do? Well, this function is an optimized version of Solmate's sqrt() function.

If we can't prove it's correct, at least we might be able to prove that they're equivalent?
If we look at the two functions, we notice something promising:

All the division happens in the "Babylonian method cycles" at the end, and that part of the function is identical between the two implementations.

That means we can remove it to test equivalence.
Let's try that. First, we'll abstract the identical Babylonian cycles out from the functions.

We run a fuzz test to make sure that both still work correctly, and the removed portions are, in fact, identical. ImageImage
Now we can finally recreate our Halmos test, but focus it only on proving equivalence between the two functions up until the the point where the Babylonian cycles begin. Image
After a moment of waiting...

Bingo.

We can now say with 100% confidence that the Solady and Solmate implementations of sqrt() produce the same result.

@daejunpark can sleep easy. Image
I've started a repo to formally verify some of the other Solady math functions.

Besides @transmissions11 needing to save me from an idiotic false alarm, it's been going well.

If you're interested in Halmos, check it out for some fun & simple examples: github.com/zobront/halmos…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with obront.eth

obront.eth Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachobront

obront.eth Profile picture
Mar 7
Since the @optimismFND contest rewards were announced, a bunch of people have asked me about the logistics of working with @trust__90.

How did we share information? How did we support each other?

I've experimented with this a lot so figured it might be useful to share publicly.
The first thing to note is that contests / bug hunting requires different communication than traditional audits.

For collaboration on traditional audits, I really like the way @SpearbitDAO sets things up:
- shared repo
- comments of findings on PRs
- communication channel for Qs
But that optimizes for everyone finding their own issues and asking for support from each other when it's needed.

For bug hunting / contests — especially with small teams of 2-3 — I'd rather we be "up in each other's business" a bit more.
Read 14 tweets
obront.eth Profile picture
Dec 23, 2022
One of the hardest things for new auditors is getting your head around a code base.

I remember feeling like I was aimlessly jumping in circles. Based on the DMs I've been getting, seems like this is a common experience.

Here's the process I now use for every audit...
1) QUICK SKIM OF DOCUMENTATION

- What is this supposed to do?
- Who are the main actors?
- Is there anything it's explicitly not supposed to do?

You'll be surprised how often exploit ideas start forming just based on the high level explanation.
2) FULL (FAST) PASS OF THE CODE

I'll then go through the code from top to bottom with two goals: understanding and tagging.

To understand: I'll often draw diagrams, map out user flows, etc. The goal is to get the system into my head.
Read 14 tweets
obront.eth Profile picture
Dec 6, 2022
Inspired by @pashov and @sjkelleyjr to share more behind the scenes of getting into smart contract auditing.

In March, I tried my first C4 contest. I sucked :)

As of last week, I've placed Top 3 in 7 audit contests and earned $100k+ from auditing.

Here’s the journey so far… Image
First, a quick disclaimer:

I had a lot of experience as a Solidity dev before getting into security, so this stuff clicked pretty quickly.

If you're learning all this from scratch, it will probably take longer. But you can get there.
MARCH: I tried two C4 contests: LiFi and Backed.

Found a Medium severity in LiFi, but struggled a lot.

Tons of fun but I was in the middle of a lot of dev work and didn’t have time to really dive in to getting better, so decided to put it on pause.

Hrs: 10.5 // Payouts: $286
Read 9 tweets
obront.eth Profile picture
Mar 10, 2022
SNARKS FOR NON-CRYPTOGRAPHERS

ZK tech is looking like the holy grail for Ethereum scalability and privacy.

But how does it actually work? What kinds of things are provable?

And if it’s working, what’s the barrier to full zkEVMs?

I spent the past few weeks diving in… (1/n)
At this point, it’s clear that Ethereum can’t scale without L2s.

While optimistic rollups (like @arbitrum) and side chains (like @0xPolygon PoS chain) are incredible advances, it seems clear that the optimal mix of security and scalability will come from ZK rollups.
“In the medium to long term ZK rollups will win out in all use cases as ZK-SNARK technology improves.” — @vitalik

I’m not going to rehash this here. If you want to learn more, read this post from Vitalik (vitalik.ca/general/2021/0…) and follow @epolynya.
Read 26 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(