Video: Gas Bad NFT Marketplace - Recap - Assembly and Formal Verification

Support

_Follow along with this video:_ --- ### Section 3 Recap We just learnt a tonne, and in record time. Let's recap some of the things we covered in this sections. ### .conf By writing 2 more .conf files, we gained a bunch more experience in configuring our formal verification tests. We learnt different options within this configuration such as: - `rule_sanity` - We experimented with `basic` and `none` and saw how this affected Certora's assessment of the `sanity` or soundness of our tests - `prover_args` - options we can pass our CLI to fine tune the assumptions of the prover. > ❗ **IMPORTANT** > Remember, that while we can tweak our assumptions, it's important to be cautious when doing so. Setting `optimistic_fallback` to avoid HAVOCing external calls is a bad idea if you have reason to believe those external calls can be malicious. These assumptions configure the prover to rate situations as valid, but they may be **_unsound_**. ```js { "files": [ "src/GasBadNftMarketplace.sol:GasBadNftMarketplace", "src/NftMarketplace.sol:NftMarketplace", "test/mocks/NftMock.sol:NftMock" ], "verify": "GasBadNftMarketplace:certora/spec/GasBadNft.spec", "wait_for_results": "all", "rule_sanity": "basic", "optimistic_loop": true, "msg": "Verification of NftMarketplace", "prover_args": [ "optimistic_fallback": true ] } ``` ### Methods Block **Summary Declarations** We also learnt about summary declarations, the DISPATCHER summary in particular. Summary Declarations allow us to tell the Certora provers to replace any function logic with whatever behaviour we want. In the case of our external calls, we use the DISPATCHER summary in order to restrict what the prover expects to be the result of these calls, which is otherwise unpredictable. ```js function _.onERC721Received(address, address, uint256, bytes) external => DISPATCHER(true); function _.safeTransferFrom(address,address,uint256) external => DISPATCHER(true); ``` **currentContract** Additionally, we learnt that when we call a function in our methods block, it defaults to being called on the currentContract - the contract currently being verified. ```js function getListing(address,uint256) external returns (INftMarketplace.Listing) envfree; function getProceeds(address) external returns (uint256) envfree; ``` This above is functionally identical to: ```js function currentContract.getListing(address,uint256) external returns (INftMarketplace.Listing) envfree; function currentContract.getProceeds(address) external returns (uint256) envfree; ``` It's possible to abstract the contract on which a function is being called however by implementing a `wildcard entry`, such as we employed in our `_.onERC721Received` and `_.safeTransferFrom` functions. `_.` denotes a [**wildcard entry**](https://docs.certora.com/en/latest/docs/cvl/methods.html#wildcard-entries). In combination with our summary declarations, this allows us to configure particular functions to behave an expected way, regardless of the contract from which they are called. ### Ghost Variables We learnt about Ghost Variables and how to initialize them. By setting an initial\_\_state and axiom, we assure the prover assigns a particular value as a starting point for these variables. ```js ghost mathint listingUpdatesCount { init_state axiom listingUpdatesCount == 0; } ``` These variables function like contract state variables, and as such if the prover fails to predict an outcome of a prove, they are liable to being HAVOC'd (randomized). We can assure these variables are **not** HAVOC'd by applying the `persistent` keyword to them. ```js persistent ghost mathint listingUpdatesCount { init_state axiom listingUpdatesCount == 0; } ``` HAVOCing is an integral part of Certora proofs. If the prover is able to find a path in which it's able to potentially do anything - it will. It accomplishes this by randomizing our storage variables. When this happens, our ghost variables will be set to anything Certora can find that will break our rule. ### Hooks We also learnt that any time our protocol executes any number of op codes, we can configure Certora hooks to perform custom actions when executed. We demonstrated this by hooking SSTORE and LOG4 opcodes and used them to increment our ghost variables to be compared! ```js hook Sstore s_listings[KEY address nftAddress][KEY uint256 tokenId].price uint256 price { listingUpdatesCount = listingUpdatesCount + 1; } hook LOG4(uint offset, uint length, bytes32 t1, bytes32 t2, bytes32 t3, bytes32 t4) uint v { log4Count = log4Count + 1; } ``` ### Rules and Invariants We warmed up with a gorgeous, minimalistic invariant which we used to verify that every time storage was updated, an event would be emitted. ```js invariant anytime_mapping_updated_emit_event() listingUpdatesCount <= log4Count; ``` Finally, we also build a badass `parametric rule` which, after confirming the starting states of our contracts match, goes on to call the same function on both implementations (this function is randomized, but checked to match). We're then asserting that the states following our function calls also match, **_PROVING MATHEMATICALLY_** that our Solidity and Assembly implementations execute with the same behaviour! ```js rule calling_any_function_should_result_in_each_contract_having_the_same_state(method f, method f2, address listingAddr, uint256 tokenId, address seller){ env e; calldataarg args; // They start in the same state require(gasBadMarketplace.getProceeds(e, seller) == marketplace.getProceeds(e, seller)); require(gasBadMarketplace.getListing(e, listingAddr, tokenId).price == marketplace.getListing(e, listingAddr, tokenId).price); require(gasBadMarketplace.getListing(e, listingAddr, tokenId).seller == marketplace.getListing(e, listingAddr, tokenId).seller); // It's the same function on each require(f.selector == f2.selector); gasBadMarketplace.f(e, args); marketplace.f2(e, args); // They end in the same state assert(gasBadMarketplace.getListing(e, listingAddr, tokenId).price == marketplace.getListing(e, listingAddr, tokenId).price); assert(gasBadMarketplace.getListing(e, listingAddr, tokenId).seller == marketplace.getListing(e, listingAddr, tokenId).seller); assert(gasBadMarketplace.getProceeds(e, seller) == marketplace.getProceeds(e, seller)); } ``` This kind of equivalence checking is _exactly_ how the community will make Web3's future sustainable and accessible from a gas perspective. ### Wrap Up With that, we've come to the end of the Assembly, Formal Verification and EVM Opcodes course. This course was pretty quick compared to some others we've hosted, but it wasn't easy. You tackled a lot of advanced concepts and masters some really low level implementations. You should be very proud. > ❗ **PROTIP** > Make sure you push your projects to your GitHub account. Your GitHub profile should serve as your billboard to advertise your accomplishments and it's one of the first places companies will look when hiring. Now that you've gone through this whole thing, there are a number of things you _can_ and _should_ do. 1. [**CodeHawks**](https://www.codehawks.com/) - Full Stop. By now you have the experience and know what to expect when approaching complex code bases and you should absolutely dive into the challenge of live audits. Put your knowledge to the test. If you don't use it, you lose it. Keep an eye out for `Formal Verification` contests. 2. [**Dive into the Community**](https://discord.gg/cyfrin) - Join the Cyfrin discord and connect with like-minded students and auditors. The engaged community can help push you into your next steps. And as a personal favour, if you're on social media, post about your accomplishments here. Ping us in your post, tweet at us, get loud about what you've overcome and make the world aware of how far you've made it. Of course the course GitHub repo has a [**number of links**](https://github.com/Cyfrin/assembly-evm-opcodes-and-formal-verification-course?tab=readme-ov-file#where-do-i-go-now) to things you should consider doing next. Thanks so much for joining me, and I'll see you in Web3! 🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮 🧮 Exercises: 1. Compete in a formal verification contest! ### Section 3 NFT - [I can't stop you anymore (Arbitrum)](https://arbiscan.io/address/0x349364769030dAB260eF2771610C4860EE367202#code) - [I can't stop you (Sepolia)](https://sepolia.etherscan.io/address/0x7D4a746Cb398e5aE19f6cBDC08473664ADBc6da5) 🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮🧮 # Congratulations 🎊🎊🎊🎊🎊🎊🎊 Completed The Course! 🎊🎊🎊🎊🎊🎊🎊

Recap

Patrick discusses various concepts learned during the course, including prover arguments, summary types, ghost variables, Certora hooks, and formal verification. He highlights the importance of learning and career growth, and encourages CodeHawks contest participation.

Course Overview

About the course

What you'll learn

Assembly

Writing smart contracts using Huff and Yul

Ethereum Virtual Machine OPCodes

Formal verification testing

Smart contract invariant testing

Halmos, Certora, Kontrol

Course Description

Who is this course for?

Smart contract security researchers
Advanced Smart contract engineers
Chief Security Officiers
Security professionals

Potential Careers

Security researcher

$49,999 - $120,000 (avg. salary)

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Meet your instructors

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Guest lecturers:

Josselin Feist

Head of Blockchain at Trail of Bits

Last updated on June 6, 2025

Thanks for checking us out

Start learning for free

Start for free

Smart Contract Security Auditor Assembly and Formal Verification

Section 1: Introduction

Duration: 30min

Section 2: Horse Store

Duration: 4h 38min

Section 3: Math Masters

Duration: 3h 57min

1. Introduction

A practical introduction to formal verification and symbolic execution - This lesson is focused on introducing the concept of formal verification and symbolic execution as applied to smart contracts. Using a code base for a math library, we walk through an initial audit and then explore the use of the Certora tool to test for bugs. Duration: 7min

2. Scoping

A beginner’s guide to performing a security audit on a Solidity smart contract codebase. This lesson covers the basic elements of a solidity audit, including an explanation of the different tools and techniques used to perform the audit. It demonstrates how to use Slither, Adern, and Foundry to identify bugs and security vulnerabilities. Duration: 7min

3. Wad Ray Rad

A brief overview of WAD, RAY and RAD in solidity. The lesson covers what these terms mean, and how they are used to define the number of decimal places for different tokens. Duration: 2min

4. Version Compatibility

A quick guide to checking for version compatibility in Solidity. The lesson covers checking for compiler compatibility using a library, which may be necessary when using inherited libraries. In this lesson, the compiler is incompatible with the library because the library requires a newer version of the compiler to support its features. Duration: 1min

5. Mulwad

A deep dive into the muWad function in Solidity - The lesson examines the code used in a muWad function within a Solidity contract. Specifically, it analyzes the assembly code in depth, breaking down each line and the various opcodes used, with the use of a helpful tool called Chisel. Duration: 12min

6. Reverting

A deep dive into memory and revert in Solidity - This lesson provides a deep dive into the memory and revert opcodes. It explores how the memory opcodes work in the context of the EVM, and how to use the revert opcode in Solidity to throw a custom error. Duration: 4min

7. Spotting The Bug

A detailed look at a Solidity memory demonstration - This lesson covers the differences between Solidity's mstore and revert opcodes and how they interact with memory. We also discuss how they work with the Free Memory Pointer. Duration: 7min

8. Incorrect Memory Access

A deep dive into Incorrect Memory Access Bug Recap - This lesson revisits the memory access bug and identifies the error in the code, then utilizes a memory diagram to demonstrate the correct way to handle memory allocation and reversion. Duration: 1min

9. Error Code Function Selector

A detailed explanation of the function selectors error code. The lesson covers examining the function signature and how it can lead to incorrect function selectors. The lesson also covers the function selector for revert in Solidity. Duration: 1min

10. Finishing Mulwad

A technical deep dive into the Solidity function `mulWadUp` and its assembly code - the video highlights an audit process for a Solidity function which reveals several instances of unusual assembly code being used, including a blank message revert and a `div` function, before going into a breakdown of how the assembly code for the `mulWadUp` function actually works. Duration: 1min

11. Mulwadup

A detailed explanation on Solidity's 'or' command - A closer look at Solidity's 'or' command. This lesson shows how the 'or' command works in Solidity, and walks through a quick debugging scenario. Duration: 1min

12. Where Fuzzing Fails

A comprehensive guide to finding a bug in Solidity code using fuzz testing. The lesson covers how to set up fuzz testing in Foundry and provides an example to show how fuzz testing can be used to find edge cases and errors that are difficult to find with traditional unit testing. Duration: 10min

13. Sqrt Function Intro

A comprehensive guide to auditing square root functions in Solidity - This lesson covers formal verification of the square root function and also highlights a potential edge case that might be missed by a fuzzer. The video will introduce the student to two different approaches to finding a square root: using the Babylonian method in assembly and using the Solmate library's approach. Duration: 6min

14. Formal Verification

A comprehensive guide to Formal Verification and Symbolic Execution - This video walks through a high-level overview of formal verification and symbolic execution, covering how they're used for security and testing in web3, and the path explosion problem. Duration: 15min

15. The 4 Stages Of Invariant Tests

A practical guide to formal verification for smart contracts - This lesson shows a repo that includes minimized examples of smart contract exploits as well as different testing techniques for them. It includes examples of stateless fuzzing, stateful fuzzing, stateful fuzzing with a handler, and formal verification. You'll also learn about the pros and cons of each. Duration: 10min

16. Where Fuzzing Fails 2

A deep dive into where fuzzing fails - This lesson looks at an example of a code base where a fuzzer would give the false impression that there are no bugs. It then goes on to explore some of the potential reasons why fuzzing might fail to find bugs, including the possibility that a fuzzer might not be run for long enough. The lesson also considers the idea that, while fuzzing might be a powerful tool, some codebases might be so complex that they require manual auditing instead of fuzzing. Duration: 3min

17. Formal Verification Speedrun

A comprehensive guide to formal verification in Solidity. The lesson shows how to use formal verification tools (Halmos, K, and Certora) to find bugs in your code and demonstrate the advantages that formal verification offers in comparison to traditional fuzz testing. Duration: 4min

18. Formal Verification Setup

A comprehensive guide to Formal Verification - This lesson covers how to write formal verification suites, using two tools: Halmos and Certora. The lesson also highlights the trade-offs between these two formal verification tools. Duration: 1min

19. Wsl Python Setup

A practical guide to creating a Python virtual environment. This lesson demonstrates how to install the virtualenv library, and create and activate a virtual environment to ensure that project dependencies are isolated and do not conflict with other projects on your system. Duration: 11min

20. Halmos Wsl

A quick guide to installing and running Halmos on your computer. This lesson covers installing and setting up Halmos, as well as writing a simple test using an ERC20 token and showing it in action. Duration: 2min

21. Halmos

A comprehensive guide to symbolic testing with Halmos. This lesson provides you with the basics of setting up your Halmos testing environment, writing a simple Halmos test, and using Halmos to help you prove or disprove your assertions. Duration: 12min

22. Certora

A practical guide to formal verification using Certora. This lesson covers the concept of formal verification, how Certora can be used to ensure the security of smart contracts, and how to use the Certora prover. Duration: 3min

23. Certora Wsl

A comprehensive guide to installing Certora on your WSL environment. This lesson will teach you how to set up a virtual environment, install the Certora package, and add your personal access key as an environment variable. Duration: 2min

24. Setting Up Our Spec And Conf Folders

A beginner’s guide to running Certora formal verification tools using a simple example. This lesson covers the basic setup for Certora formal verification, including creating a ‘specs’ and ‘conf’ folder, writing a rule and an invariant, and explaining the different parameters that you need to provide Certora. Duration: 8min

25. Installing Certora

A comprehensive guide to installing Certora and solc-select - This lesson covers how to install the Certora prover package and solc-select in a Linux-like environment to set up your Solidity development environment. The guide covers setting up your personal access key as an environment variable, and explains the different ways to install and switch between Solidity compiler versions with solc-select. Duration: 5min

26. First Certora Run

A simple guide to running the Certora prover - This video lesson covers how to run a Certora prover using a terminal command line. The lesson covers the details of how to write the command line and how to understand the output that is generated once the prover has completed. Duration: 4min

27. The Methods Block

A technical guide to writing methods in the Certora prover using the “methods” block. This lesson covers the basics of the “methods” block and explains how to specify different methods and their returns. It also discusses the concepts of “envfree” tags and how they affect the proving process. Duration: 2min

28. lastReverted

A simple guide to using invariants in Certora. The lesson covers the key elements of an invariant as it relates to Solidity smart contracts. It walks through how to use Certora to ensure a smart contract never reverts when being run. Duration: 1min

29. Analyzing A Failed Certora Run

A practical guide to analyzing a failed Certora run - In this lesson, you will learn how to analyze a failed Certora run, including how to understand the different parts of the call trace, how to identify the counter-example that caused the failure, and how to interpret the results of the run. Duration: 5min

30. Require Statements

A detailed explanation of require statements in Solidity for Formal Verification. This lesson discusses the need to specify pre-conditions for Certora to run correctly, and walks through using 'require' statements to declare the initial state of storage variables. Duration: 2min

31. Failed Certora Run 2

A comprehensive guide to identifying and debugging a failed Certora Run 2 - The lesson covers the process of identifying and resolving an issue with a formal verification check. This involves looking at the Certora output, tracing the call stack and then looking at the code in order to identify the bug. Duration: 3min

32. Envfree

A detailed guide to understanding the 'envfree' function, and how the environment can be used as a first parameter in function calls in Certora. This lesson covers what the 'envfree' keyword does, how to pass an environment into a function, and how to use the environment to find edge cases that can break your invariants or rules in Certora. Duration: 6min

33. Leveling Up Our Conf File

A practical guide to leveling up your configuration file - The video explores several key parameters within your Certora configuration file such as 'wait for results' and 'rule sanity'. You will learn how to use these parameters to optimize your formal verification process. Duration: 2min

34. Formal Verification Introduction Recap

A quick introduction to formal verification in Solidity. The lesson goes over how to use the Halmos and Certora tools to verify a simple rule or invariant for a solidity contract. This example will show how to write a rule that proves that a function will never revert. Duration: 2min

35. Using Formal Verification On Math Masters

A fun challenge in formal verification to Math Masters - This lesson will use Halmos and Certora to do formal verification of two Solidity functions: mulWadUp and sqrt. The lesson will also reveal the clue that should've tipped you off that there was an issue with the sqrt function and that it was not actually passing. Duration: 1min

36. Halmos Mulwadup

A practical guide to path explosions and timeouts in formal verification - This lesson covers the importance of using fuzzing first in formal verification, as well as how to increase Halmos’ run time by modifying its parameters. Duration: 7min

37. Certora Mulwadup

A comprehensive guide to verifying internal functions and libraries in Solidity - This lesson focuses on understanding the use of code harnesses to verify the functionality of internal functions and libraries, and introduces Certora, a formal verification tool. Duration: 6min

38. Formal Verification Soundness

A technical guide to formal verification soundness - This lesson discusses the concept of soundness in formal verification, particularly as it relates to the Certora prover. We see an example of an unsound approximation, and learn how to address this problem. Duration: 2min

39. Definitions

A detailed breakdown of definitions in the Certora Verification Language - This lesson explains how to use definitions to encapsulate commonly used expressions. You will learn how to declare a definition, how to use a definition, and what kind of expressions you can encapsulate within a definition. Duration: 1min

40. Refactoring

A detailed guide to refactoring for CVL - This lesson covers how to refactor code for the Certora Verification Language (CVL) including using the `require` keyword, the concept of `max_uint`, and the difference between `mathint` and `uint256` types. Duration: 5min

41. Your First Certora Invariant

A detailed guide to writing and understanding invariants in Certora - The lesson covers the definition of an invariant and how to write one using the invariant keyword, and explains the difference between an invariant and a rule. Duration: 6min

42. Invariant Preserved Blocks

A comprehensive guide to using invariants and preserved blocks in Certora. This lesson covers the process of rewriting a rule to be an invariant in Certora, as well as the differences between a rule and an invariant. The lesson also shows how to use preserved blocks in conjunction with invariants to establish conditions necessary for the invariant to hold. Duration: 3min

43. Certora Recap

A comprehensive recap of Certora invariants, harness, rules, and types - This lesson covers the basics of formally verifying internal functions using Certora. It explains how to use harness to wrap and verify the functionality of a function, and how to use definitions to define different types of variables. The lesson also demonstrates how to define rules, including pre-conditions and post-conditions, and how to use invariants to ensure the properties of the system hold. Finally, the lesson shows how to perform correct conversions between different types using the assert keyword. Duration: 2min

44. Tackling The Sqrt Function

A comprehensive guide to tackling the SQRT function - This lesson walks through the process of auditing a square root function by comparing different codebases and testing cases to find the most accurate and secure solution. We also learn how to utilize fuzz testing to identify any potential errors within the SQRT function. Duration: 2min

45. Naive Formal Verification With Halmos

A naive approach to formal verification with Halmos - The video goes over how to use Halmos and how naive formal verification can be. Halmos is a tool that is used to formally verify solidity code. Duration: 2min

46. Naive Optimistic Loop

A detailed guide to using the Certora prover for verifying the SQRT function. This lesson covers how to use Certora to verify that the SQRT functions in different libraries are equivalent to each other and will also walk you through how to debug timeout errors when using Certora. Duration: 8min

47. Modular Verification

A practical guide to modular verification for Solidity. The lesson discusses how to break a complex problem into simpler subproblems and how to verify each part separately. The video then walks through a real-world example of finding a bug in a square root function by utilizing modular verification and a fuzz test. Duration: 11min

48. Sqrt Function Hint

A practical guide to finding a bug in a square root function using modular verification - In this lesson, we explore the concept of modular verification and use it to locate a bug in a square root function. We will leverage the Certora tool to execute verification checks, ensuring that our code matches the intended behavior of the square root function. Duration: 3min

49. Modular Verification Recap

A comprehensive guide to formal verification in Web3 – Learn how to use Certora to test your Solidity code. The lesson covers modular verification, how to use Certora's different functionalities, and how to write a detailed formal verification audit report. Duration: 9min

50. Recap

A comprehensive guide to Formal Verification - Let's dive deep into the world of Formal Verification with a detailed overview of the process. We'll learn how to identify potential vulnerabilities and bugs in Solidity code and verify that the code is functioning as intended. Duration: 6min

Section 4: Gas Bad NFT Marketplace

Duration: 1h 56min