Enrich CVL guidance with Codex experimnet: ERC‑4626 and rewards patterns (from Aave Stata specs)

[omerlerinman]

Summary

This PR updates Certora’s CVL documentation with practical, field-tested examples and tips derived from a recent formal verification effort. The additions sharpen guidance around methods, hooks, functions, ghosts, rules, and invariants, with solver-friendly rounding envelopes and storage patterns aligned to modern ERC‑4626 and rewards-controller designs.

Origin

• Source materials: aave-v3-horizon/tree/main/certora/stata/specs
• This PR is part of an experiment to assess whether Codex (AI) is suitable for augmenting Certora’s documentation using concrete CVL patterns extracted from customer formal verification projects.

Motivation

• Bridge the gap between reference docs and real-world CVL practice.
• Codify precision patterns for rounding envelopes, storage hooks, and ghost aggregates that reduce timeouts and avoid common vacuity/unsoundness traps.
• Share safe, reusable patterns for ERC‑4626-like wrappers and rewards logic.

Key Updates

• Methods
• Added practical patterns for:
  • Contract aliases via using to target receivers in multi-contract scenes.
  • Using envfree for pure/view-like calls.
  • Summarization to speed up verification (NONDET, DISPATCHER(true)).
  • When to prefer with (env e) vs. envfree to keep models small.
• Hooks
  • Added real-world storage hooks:
    • Slot/offset Sload gating to reduce spurious models for aToken/underlying/reward token instances.
    • Sstore hook mirroring balance deltas into a ghost sum for scalable invariants.
    • Notes on when slot-level addressing is safe vs. named paths.
• Functions
  • Added math and rounding summaries:
    • mulDivCVL with explicit rounding direction.
    • Tight mulDiv up/down abstractions that are solver-friendly.
    • WAD helpers and discrete ratio/quotient models to constrain typical cases (2x/5x/100x).
    • Caution on ghost-based math axioms under fixed-point rounding.
• Ghosts
  • Added patterns from practice:
    • Single-ghost aggregations (sum of scaled balances) via Sstore updates.
    • Guidance on conservative axioms for ghost math to avoid over-constraining the model.
• Rules
  • Added examples and edge cases drawn from ERC‑4626 + rewards:
    • Preview equals actual (stronger than EIP requirement) and preview independence from allowance.
    • Joining/splitting additivity bounds within ±1 envelope.
    • Deposit upper bounds by index (index > RAY: +1 aToken; index == RAY: +0.5 aToken).
    • Non-zero mint condition when assets*RAY >= index.
    • Mint envelopes: receiver gets in [shares, shares+1].
    • Duplicate reward claim prevention (both sufficient and insufficient pool balances).
• Invariants
  • Added a practical solvency envelope invariant for ERC‑4626-style wrappers, with filtered/preserved blocks to avoid vacuity and control environment assumptions.
• Patterns
  • New page: docs/user-guide/patterns/rounding-envelopes.md centralizes ERC‑4626 rounding bounds and examples.

Files Touched

• docs/cvl/methods.md — Practical patterns and tips for using, envfree, summaries.
• docs/cvl/hooks.md — Slot-gated Sload hooks; Sstore + ghost aggregate pattern.
• docs/cvl/functions.md — mulDiv rounding abstractions and WAD helpers.
• docs/cvl/ghosts.md — Aggregate ghosts and guidance on math axioms.
• docs/cvl/rules.md — ERC‑4626 and rewards examples; rounding envelopes.
• docs/cvl/invariants.md — Solvency envelope invariant with filters/preserved blocks.
• docs/user-guide/patterns/rounding-envelopes.md — New consolidated page.

Implementation Notes

• Examples were integrated where they best contextualize the concepts (methods/hooks/functions/rules/invariants) and also centralized under a dedicated “rounding envelopes” pattern page.
• Slot/offset hooks use stable storage layouts from the harness; included with cautions to prefer named access paths when available.

Build & QA

• Local build: run in a venv
  • python -m venv .venv && source .venv/bin/activate
  • pip install -r requirements.txt
  • make html
• Spelling: make spelling; add domain terms to spelling_wordlist.txt as needed.
• Links: make linkcheck; we fixed broken links found in link_output.txt; remaining warnings are about missing local example files not present in this repo (non-blocking).
• Open local site: open build/html/index.html

Risks

• Slot/offset hooks must match exact storage layouts; usage is documented with cautions.
• Aggressive math axioms can introduce unsoundness; guidance favors inequalities and conservative bounds.

Follow-ups

• Extend “Rounding Envelopes” with withdraw/redeem envelopes if desired.
• Add call-trace snippets to reinforce counterexample intuition.

Acknowledgements

• Patterns adapted from Aave Stata Token specs: aave-v3-horizon/tree/main/certora/stata/specs
• This PR assesses Codex’s suitability for AI-assisted doc updates by harvesting CVL best practices from customer FV projects.

[shellygr]

dear lord. almost 100% AI slop

[shellygr]

incomplete. Math is defined in OpenZeppelin's Math.sol, so if it is somehow not part of the project we work on, the Math.Rounding won't type check

[shellygr]

I'm not sure what "Tight" means

[shellygr]

I would appreciate someone using thses summaries daily to say whether they're really good

[shellygr]

did not understand this part

[shellygr]

constQuotient is not defined

[shellygr]

nonsense

[shellygr]

that can be put maybe in the examples repository but not in the official docs

[shellygr]

what the hell is envelops and why does codex keep mentioning them?

[shellygr]

this is a legitimate rule but it's in the wrong section. Again, I think it should be in an examples repository for reward-distributing code

[shellygr]

again bullshit terminology

but this needs to be reviewed by someone working daily on FV of protocols