_Follow along with this video:_ --- ### Proving Minting NFTs With a couple sanity checks out of the way, let's try something much harder and validate that `minting mints one NFT`. We'll set this up as a `rule` in our `NftMock.spec` file. We'll also have to add the `mint` function to our methods block, don't forget! ```js methods { function totalSupply() external returns uint256 envfree; function mint() external; } rule minting_mints_one_nft() { // Arrange // Act // Assert } ``` For this test, we're not going to configure things as `envfree`. This will afford us an opportunity to practice working with environment variables in `Certora`. We're going to set the `msg.value to 0` and assure that the address calling our mint function is always an expected `minter` address. ```js methods { function totalSupply() external returns uint256 envfree; function mint() external; } rule minting_mints_one_nft() { // Arrange env e; address minter; require e.msg.value == 0; require e.msg.sender == minter; // Act // Assert } ``` Now, in order to assure only 1 NFT is minted, we'll need to check the balance before and after minting. We can do this by adding balanceOf to our methods block and calling it in our test as demonstrated below. ```js methods { function totalSupply() external returns uint256 envfree; function mint() external; function balanceOf(address) external returns uint256 envfree; } rule minting_mints_one_nft() { // Arrange env e; address minter; require e.msg.value == 0; require e.msg.sender == minter; uint256 balanceBefore = balanceOf(minter); // Act // Assert } ``` It's time to act and finally mint the NFT, any time we want to reference the current contract that `Certora` is configured to verify, we can do so using `currentContract`. We'll then `assert` that the balance of `minter` _after_ the mint call is equal to the `balanceBefore` + 1. ```js methods { function totalSupply() external returns uint256 envfree; function mint() external; function balanceOf(address) external returns uint256 envfree; } rule minting_mints_one_nft() { // Arrange env e; address minter; require e.msg.value == 0; require e.msg.sender == minter; uint256 balanceBefore = balanceOf(minter); // Act currentContract.mint(e); // Assert assert(balanceOf(minter) == balanceBefore + 1, "Minting should only mint 1 NFT."); } ``` The above would absolutely work for our purposes, but it's worth pointing out that `uint256`, as we know, has a max value, and adding to that value is going to cause `overflow` and result in potential issues with our test. We can avoid this by instead typing `balanceBefore`, and the result of `balanceOf` in our assert statement, as `mathint`. ```js methods { function totalSupply() external returns uint256 envfree; function mint() external; function balanceOf(address) external returns uint256 envfree; } rule minting_mints_one_nft() { // Arrange env e; address minter; require e.msg.value == 0; require e.msg.sender == minter; mathint balanceBefore = balanceOf(minter); // Act currentContract.mint(e); // Assert assert(to_mathint(balanceOf(minter)) == balanceBefore + 1, "Minting should only mint 1 NFT."); } ``` ### Running the Prover With that, we can comment out our totalSupply invariant and run our prover to see what Certora can find. ```bash certoraRun ./certora/conf/NftMock.conf ``` And, after a brief wait for the server/process, we should see a successfully verification. ![proving-minting-nfts1](/formal-verification-3/7-proving-minting-nfts/proving-minting-nfts1.png) Good job!

Follow along with this video:

Proving Minting NFTs

With a couple sanity checks out of the way, let's try something much harder and validate that minting mints one NFT. We'll set this up as a rule in our NftMock.spec file. We'll also have to add the mint function to our methods block, don't forget!

methods {

function totalSupply() external returns uint256 envfree;

function mint() external;

}

rule minting_mints_one_nft() {

// Arrange

// Act

// Assert

}

For this test, we're not going to configure things as envfree. This will afford us an opportunity to practice working with environment variables in Certora. We're going to set the msg.value to 0 and assure that the address calling our mint function is always an expected minter address.

methods {

function totalSupply() external returns uint256 envfree;

function mint() external;

}

rule minting_mints_one_nft() {

// Arrange

env e;

address minter;

require e.msg.value == 0;

require e.msg.sender == minter;

// Act

// Assert

}

Now, in order to assure only 1 NFT is minted, we'll need to check the balance before and after minting. We can do this by adding balanceOf to our methods block and calling it in our test as demonstrated below.

methods {

function totalSupply() external returns uint256 envfree;

function mint() external;

function balanceOf(address) external returns uint256 envfree;

}

rule minting_mints_one_nft() {

// Arrange

env e;

address minter;

require e.msg.value == 0;

require e.msg.sender == minter;

uint256 balanceBefore = balanceOf(minter);

// Act

// Assert

}

It's time to act and finally mint the NFT, any time we want to reference the current contract that Certora is configured to verify, we can do so using currentContract. We'll then assert that the balance of minter after the mint call is equal to the balanceBefore + 1.

methods {

function totalSupply() external returns uint256 envfree;

function mint() external;

function balanceOf(address) external returns uint256 envfree;

}

rule minting_mints_one_nft() {

// Arrange

env e;

address minter;

require e.msg.value == 0;

require e.msg.sender == minter;

uint256 balanceBefore = balanceOf(minter);

// Act

currentContract.mint(e);

// Assert

assert(balanceOf(minter) == balanceBefore + 1, "Minting should only mint 1 NFT.");

}

The above would absolutely work for our purposes, but it's worth pointing out that uint256, as we know, has a max value, and adding to that value is going to cause overflow and result in potential issues with our test. We can avoid this by instead typing balanceBefore, and the result of balanceOf in our assert statement, as mathint.

methods {

function totalSupply() external returns uint256 envfree;

function mint() external;

function balanceOf(address) external returns uint256 envfree;

}

rule minting_mints_one_nft() {

// Arrange

env e;

address minter;

require e.msg.value == 0;

require e.msg.sender == minter;

mathint balanceBefore = balanceOf(minter);

// Act

currentContract.mint(e);

// Assert

assert(to_mathint(balanceOf(minter)) == balanceBefore + 1, "Minting should only mint 1 NFT.");

}

Running the Prover

With that, we can comment out our totalSupply invariant and run our prover to see what Certora can find.

certoraRun ./certora/conf/NftMock.conf

And, after a brief wait for the server/process, we should see a successfully verification.

proving-minting-nfts1

Good job!

Proving Minting Nfts

In this lesson we set up and run tests to verify that minting does in fact only mint one NFT.

Give us feedback

Course Overview

About the course

What you'll learn

Assembly

Writing smart contracts using Huff and Yul

Ethereum Virtual Machine OPCodes

Formal verification testing

Smart contract invariant testing

Halmos, Certora, Kontrol

Course Description

Who is this course for?

Smart contract security researchers
Advanced Smart contract engineers
Chief Security Officiers
Security professionals

Potential Careers

Security researcher

$49,999 - $120,000 (avg. salary)

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Meet your instructors

Patrick Collins

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Guest lecturers:

Josselin Feist

Head of Blockchain at Trail of Bits

Last updated on August 11, 2025

Thanks for checking us out

Sign up for free to continue your blockchain learning!

Start learning for free

Start for free

Smart Contract Security Auditor Assembly and Formal Verification

Section 1: Introduction

Duration: 30min

Section 2: Horse Store

Duration: 4h 39min

Section 3: Math Masters

Duration: 3h 58min

Section 4: Gas Bad NFT Marketplace

Duration: 1h 56min

1. A Message From Ankr

Learn more about Ankr @ https://www.ankr.com/. Duration: 0min

2. Introduction

Introducing the final section of the Assembly EVM Opcodes and Formal Verification Course! Strap in for one more! Duration: 6min

We walk through setting up the Gas Bad NFT Marketplace locally and begin discussing the code base. Duration: 2min

4. Emitting Logs With Assembly Log 4

Patrick demonstrates efficient gas usage for logs through assembly code, explaining key parts and stressing the need for accurate event emission checks during audits. Duration: 3min

5. Formal Verification Game Plan

In this lesson we outline our roadmap to approach this NFT repo and how we'll use various formal verification techniques to verify and secure it. Duration: 3min

6. Verifying NFTmock

Patrick uses Certora's prover to formally verify our NFTMock contract! Duration: 4min

7. totalSupply > 0

In this video, Patrick demonstrates the process of creating invariants or rules for smart contracts using Certora, ensuring that the total supply of NFT tokens is never negative. Duration: 7min

8. Proving Minting Nfts

In this lesson we set up and run tests to verify that minting does in fact only mint one NFT. Duration: 5min

9. Parametric Rules

In this lesson, Patrick explains Parametric rules and how they're used with respect to Certora's prover. Duration: 5min

10. NFTmock Verification Recap

Lesson covers syntax & functionality of rule checks, emphasizing invariants as a vital tool for verification. Patrick touches on the importance of sanity checks. Duration: 2min

11. Formal Vertification Setup

Patrick focuses on setting up and optimizing verification process with detailed guidance on config files, contract code, and prover args. Duration: 2min

12. Ghosts and Hooks

Patrick teaches how to use ghost variables and hooks to enforce proper event emissions in Solidity smart contracts and Certora. Duration: 8min

13. init_state and Axioms

Key focus on initializing ghost variables and creating an initial state axiom, writing rules and invariants for storage updates and event omissions to ensure their validity. Duration: 5min

14. Analyzing Certora Errors 3

Patrick dives deep into a call trace to determine the cause of errors found by Certora's prover. Duration: 9min

15. Persistent Ghosts

Patrick outlines the use of the `persistent` keyword in Certora and it's application to ghost variables in formal verification tests. Duration: 1min

16. Method Summaries Introduction

Patrick introduces us to method summaries and method blocks in this lesson about additional Certora features. Duration: 3min

17. Method Entries Introduction

Patrick covers various ways to define functions for contracts in Certora, including exact entries, wildcard entries, summary declarations, catch-all entries, visibility modifiers, and function options. He emphasizes the flexibility and control available when specifying how functions interact with a system. Duration: 2min

18. Summary Declaration Examples

Patrick explains different types of function summaries like view, Havoc, and dispatcher, their usage and benefits. Duration: 2min

19. Summary Implementations

Patrick details explicit assumptions, Certora's dispatcher and their importance. Duration: 14min

20. Optimistic Fallback Prover Args

This lesson emphasizes using Prover Args for argument configuration and setting OptimisticFallback to true. Patrick explains the importance of exploring different Prover Arg types for tailored configurations. Duration: 2min

This video focuses on vacuity issues in rule problems, demonstrating how unchecked assertions can arise when no input satisfies all requirements defined by the spec. Duration: 3min

22. Mid Lesson Recap

We recap topics covered so far and the advantages of leveraging formal verification. Duration: 2min

23. Equivalence Checking Solidity Reference

In this video, Patrick demonstrates a rule in Cetora for formal verification proofs. The rule involves an undefined method variable and ensures that calling a function results in 2 contracts having the same state. Duration: 3min

24. Method Filtering

Patrick explains how to filter rules in a code base using Satora prover for more efficient verification Duration: 2min

In this lesson, Patrick details the functionality and use of the `using` keyword. Duration: 1min

26. Finishing The Rule

Patrick suggests methods to address issues flagged by Certora and ensure successful comparisons between contracts. Duration: 10min

27. Do You Understand How Cool Is This

We take a moment to appreciate the power and potential of tools like formal verification in securing web3. Duration: 2min

Patrick discusses various concepts learned during the course, including prover arguments, summary types, ghost variables, Certora hooks, and formal verification. He highlights the importance of learning and career growth, and encourages CodeHawks contest participation. Duration: 8min

Give us feedback!

Course Overview

About the course

What you'll learn

Assembly

Writing smart contracts using Huff and Yul

Ethereum Virtual Machine OPCodes

Formal verification testing

Smart contract invariant testing

Halmos, Certora, Kontrol

Course Description

Who is this course for?

Smart contract security researchers
Advanced Smart contract engineers
Chief Security Officiers
Security professionals

Potential Careers

Security researcher

$49,999 - $120,000 (avg. salary)

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Meet your instructors

Patrick Collins

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Guest lecturers:

Josselin Feist

Head of Blockchain at Trail of Bits

Last updated on August 11, 2025