Support

--- ### Teasing Out Verification Efforts: When Testing Reveals More Imagine you're eagerly unearthing "edge cases"—these rare conditions that expose the flaws in your code. You think you've covered every possible scenario, and then bam, you find one where the function isn't rounding up as you expect. During an audit, you might notice a particular line of code and think, "Hey, this isn't necessary," and that realization paves the way forward. It’s one small step on a path kidding with obstacles, but inching closer toward certainty in our codebase assures us that we can progress with confidence. This is the initial dance of auditing: sifting through the good to uncover and resolve the glitches. ### The Tricky Business of Computing Square Roots in Solidity Arriving at the last leg of our verification voyage, we encounter the square root function—a mountain of complexity in and of itself. Crafting square roots in Solidity can be likened to scaling a steep, unforgiving cliff. Why? Solidity's inherent limitations make iterating through looped calculations, like those needed for conventional square root algorithms, gas guzzling and inefficacious. Let's take a glance at a common Solidity pattern drawn from Uniswap, known as the `uni square root`. The routine cradles a `while` loop that continuously revises the value of 'x' until it meets certain criteria. Yet, this is inherently taxing on gas—Ethereum's precious computational resource. Sighing in inefficiency, we introduce our bespoke approach: harnessing the raw power of assembly within Solidity to enact the venerable Babylonian method for square root calculations. ### Babbling About Babylonian Methods Under the hood, buried in our code repository—affectionately dubbed 'Mathmasters'—you'll find an assembly implementation of the square root function. Revealing this intricate tapestry of low-level operations may beckon the curious to tarry and unpack the underlying math (and for those with eager minds, Wikipedia hosts a treasure trove of information on this age-old algorithm). Here’s a fun notion to ponder: imagine setting a variable 'Z' to the enigmatic '181y181' as part of such an algorithm. Cryptic, isn't it? Without venturing too far down the assembly rabbit hole in this narrative, let's acknowledge the cast of operations at play—bitwise 'or', multiplication 'mole', and the likes. Each actor contributes to our goal: a mathematically sound square root. Yet, the task remains to assure that this cryptic code delivers what we desire. ### Putting the Code to the Test In the pursuit of certainty, our weapon of choice is testing—particularly 'fuzz tests'. These are crafty little scenarios that prod and poke at our functions with a barrage of inputs to catch any inconsistencies. Specifically, when it comes to the Mathmasters square root, we have golden references like the Uniswap square root and another variant from a Github repository known as 'transmissions11 solmate'. By juxtaposing our implementation against these known quantities, we perform a form of differential testing, ensuring that our new square root function stands up to the rigors of their results. We double down on this effort with a battery of fuzz tests—named `test square root fuzz uni` and `test square root fuzz solmate`. As you might discern, we’re dealing with a methodical comparison of Mathmasters' square root to those other Noble Square Roots of the Blockchain Realm. It's a meticulous process, one that fosters confidence in the soundness of our function. You could, if you wished, dive deeper, pause the reading, and verify these values yourself. After all, ownership of understanding in code is empowerment. ### The Runaround With Fuzzing and the Search for Edge Cases Now, to the practicality of testing. In our Forge testing configuration, we grapple with the choice of how extensive our trials should be. Should we settle for a modest number of runs or pursue an exhaustive battery of tests to the point of absurdity? Remember, even with a high number of fuzz runs, stumbling upon an edge case through sheer luck is akin to finding a grain of sand in the desert. So, imagine our conundrum—we can run this ad infinitum, convincing ourselves we’ve dodged all bugs, yet without reaching absolute certainty. In the realm of mathematical functions like square roots, 99% confident just doesn’t cut it; we need 100% assuredness. ### Formal Verification and Heuristics: Ensuring Mathematical Soundness The path to unshakable confidence in our square root function splits in two. First, we have the arduous trail of formal verification—a rigorous mathematical approach to prove the correctness of our algorithm. It's a technique not for the faint of heart, but it stands as the bastion of reliability in critical code. Next, we offer a simpler guide—a heuristic signpost that might tip you off during an audit. This is the subtle hint, the nudge to say, "Something’s amiss here," sparking a deeper examination of the code. In short, we're bestowed with a powerful ensemble: an assembly-written `square root` function awaiting verification and a duo of fuzz tests checking it against seasoned contenders. It's within this matrix we labor, seeking confidence, not through luck or endless runs, but through methodical cross-examination and, if necessary, the steely resolve of formal substantiation. Perpetually challenged yet undaunted, we persist in perfecting our code, meter by meter. Our goal? Mathematical accuracy and efficiency that would make even the ancients nod in approval. The quest for the perfect solidity square root function is not just a tale of logic and loops—it’s an odyssey of precision, perseverance, and discovery. And as we set out on this expedition, we unleash a message to our fellow developers: may your code be elegant, your functions gas-light, and your results squared away impeccably! --- _The exquisite dance of coding in Solidity, with its quirks and its demands, requires a delicate balance of skill and insight. Our exploration of the square root function serves as both a cautionary tale and a beacon of hope for what can be achieved through a combination of coding finesse and unwavering dedication to accuracy._ **Remember**: `"In a world of while loops and gas fees, async-await the arrival of an efficient square root solution."` Dive into the depths of mathematical lore and coding prowess with us. Test, fuzz, and verify until you can declare with certitude: "This is the square root function that Solidity deserves."

Sqrt Function Intro

A comprehensive guide to auditing square root functions in Solidity - This lesson covers formal verification of the square root function and also highlights a potential edge case that might be missed by a fuzzer. The video will introduce the student to two different approaches to finding a square root: using the Babylonian method in assembly and using the Solmate library's approach.

Course Overview

About the course

What you'll learn

Assembly

Writing smart contracts using Huff and Yul

Ethereum Virtual Machine OPCodes

Formal verification testing

Smart contract invariant testing

Halmos, Certora, Kontrol

Course Description

Who is this course for?

Smart contract security researchers
Advanced Smart contract engineers
Chief Security Officiers
Security professionals

Potential Careers

Security researcher

$49,999 - $120,000 (avg. salary)

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Meet your instructors

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Guest lecturers:

Josselin Feist

Head of Blockchain at Trail of Bits

Last updated on January 17, 2025

Thanks for checking us out

Start learning for free

Start for free

Solidity Developer

Assembly and Formal Verification

Section 1: Introduction

Duration: 30min

Section 2: Horse Store

Duration: 4h 38min

Section 3: Math Masters

Duration: 3h 57min

1. Introduction

A practical introduction to formal verification and symbolic execution - This lesson is focused on introducing the concept of formal verification and symbolic execution as applied to smart contracts. Using a code base for a math library, we walk through an initial audit and then explore the use of the Certora tool to test for bugs. Duration: 7min

2. Scoping

A beginner’s guide to performing a security audit on a Solidity smart contract codebase. This lesson covers the basic elements of a solidity audit, including an explanation of the different tools and techniques used to perform the audit. It demonstrates how to use Slither, Adern, and Foundry to identify bugs and security vulnerabilities. Duration: 7min

3. Wad Ray Rad

A brief overview of WAD, RAY and RAD in solidity. The lesson covers what these terms mean, and how they are used to define the number of decimal places for different tokens. Duration: 2min

4. Version Compatibility

A quick guide to checking for version compatibility in Solidity. The lesson covers checking for compiler compatibility using a library, which may be necessary when using inherited libraries. In this lesson, the compiler is incompatible with the library because the library requires a newer version of the compiler to support its features. Duration: 1min

5. Mulwad

A deep dive into the muWad function in Solidity - The lesson examines the code used in a muWad function within a Solidity contract. Specifically, it analyzes the assembly code in depth, breaking down each line and the various opcodes used, with the use of a helpful tool called Chisel. Duration: 12min

6. Reverting

A deep dive into memory and revert in Solidity - This lesson provides a deep dive into the memory and revert opcodes. It explores how the memory opcodes work in the context of the EVM, and how to use the revert opcode in Solidity to throw a custom error. Duration: 4min

7. Spotting The Bug

A detailed look at a Solidity memory demonstration - This lesson covers the differences between Solidity's mstore and revert opcodes and how they interact with memory. We also discuss how they work with the Free Memory Pointer. Duration: 7min

8. Incorrect Memory Access

A deep dive into Incorrect Memory Access Bug Recap - This lesson revisits the memory access bug and identifies the error in the code, then utilizes a memory diagram to demonstrate the correct way to handle memory allocation and reversion. Duration: 1min

9. Error Code Function Selector

A detailed explanation of the function selectors error code. The lesson covers examining the function signature and how it can lead to incorrect function selectors. The lesson also covers the function selector for revert in Solidity. Duration: 1min

10. Finishing Mulwad

A technical deep dive into the Solidity function `mulWadUp` and its assembly code - the video highlights an audit process for a Solidity function which reveals several instances of unusual assembly code being used, including a blank message revert and a `div` function, before going into a breakdown of how the assembly code for the `mulWadUp` function actually works. Duration: 1min

11. Mulwadup

A detailed explanation on Solidity's 'or' command - A closer look at Solidity's 'or' command. This lesson shows how the 'or' command works in Solidity, and walks through a quick debugging scenario. Duration: 1min

12. Where Fuzzing Fails

A comprehensive guide to finding a bug in Solidity code using fuzz testing. The lesson covers how to set up fuzz testing in Foundry and provides an example to show how fuzz testing can be used to find edge cases and errors that are difficult to find with traditional unit testing. Duration: 10min

13. Sqrt Function Intro

14. Formal Verification

A comprehensive guide to Formal Verification and Symbolic Execution - This video walks through a high-level overview of formal verification and symbolic execution, covering how they're used for security and testing in web3, and the path explosion problem. Duration: 15min

15. The 4 Stages Of Invariant Tests

A practical guide to formal verification for smart contracts - This lesson shows a repo that includes minimized examples of smart contract exploits as well as different testing techniques for them. It includes examples of stateless fuzzing, stateful fuzzing, stateful fuzzing with a handler, and formal verification. You'll also learn about the pros and cons of each. Duration: 10min

16. Where Fuzzing Fails 2

A deep dive into where fuzzing fails - This lesson looks at an example of a code base where a fuzzer would give the false impression that there are no bugs. It then goes on to explore some of the potential reasons why fuzzing might fail to find bugs, including the possibility that a fuzzer might not be run for long enough. The lesson also considers the idea that, while fuzzing might be a powerful tool, some codebases might be so complex that they require manual auditing instead of fuzzing. Duration: 3min

17. Formal Verification Speedrun

A comprehensive guide to formal verification in Solidity. The lesson shows how to use formal verification tools (Halmos, K, and Certora) to find bugs in your code and demonstrate the advantages that formal verification offers in comparison to traditional fuzz testing. Duration: 4min

18. Formal Verification Setup

A comprehensive guide to Formal Verification - This lesson covers how to write formal verification suites, using two tools: Halmos and Certora. The lesson also highlights the trade-offs between these two formal verification tools. Duration: 1min

19. Wsl Python Setup

A practical guide to creating a Python virtual environment. This lesson demonstrates how to install the virtualenv library, and create and activate a virtual environment to ensure that project dependencies are isolated and do not conflict with other projects on your system. Duration: 11min

20. Halmos Wsl

A quick guide to installing and running Halmos on your computer. This lesson covers installing and setting up Halmos, as well as writing a simple test using an ERC20 token and showing it in action. Duration: 2min

21. Halmos

A comprehensive guide to symbolic testing with Halmos. This lesson provides you with the basics of setting up your Halmos testing environment, writing a simple Halmos test, and using Halmos to help you prove or disprove your assertions. Duration: 12min

22. Certora

A practical guide to formal verification using Certora. This lesson covers the concept of formal verification, how Certora can be used to ensure the security of smart contracts, and how to use the Certora prover. Duration: 3min

23. Certora Wsl

A comprehensive guide to installing Certora on your WSL environment. This lesson will teach you how to set up a virtual environment, install the Certora package, and add your personal access key as an environment variable. Duration: 2min

24. Setting Up Our Spec And Conf Folders

A beginner’s guide to running Certora formal verification tools using a simple example. This lesson covers the basic setup for Certora formal verification, including creating a ‘specs’ and ‘conf’ folder, writing a rule and an invariant, and explaining the different parameters that you need to provide Certora. Duration: 8min

25. Installing Certora

A comprehensive guide to installing Certora and solc-select - This lesson covers how to install the Certora prover package and solc-select in a Linux-like environment to set up your Solidity development environment. The guide covers setting up your personal access key as an environment variable, and explains the different ways to install and switch between Solidity compiler versions with solc-select. Duration: 5min

26. First Certora Run

A simple guide to running the Certora prover - This video lesson covers how to run a Certora prover using a terminal command line. The lesson covers the details of how to write the command line and how to understand the output that is generated once the prover has completed. Duration: 4min

27. The Methods Block

A technical guide to writing methods in the Certora prover using the “methods” block. This lesson covers the basics of the “methods” block and explains how to specify different methods and their returns. It also discusses the concepts of “envfree” tags and how they affect the proving process. Duration: 2min

28. lastReverted

A simple guide to using invariants in Certora. The lesson covers the key elements of an invariant as it relates to Solidity smart contracts. It walks through how to use Certora to ensure a smart contract never reverts when being run. Duration: 1min

29. Analyzing A Failed Certora Run

A practical guide to analyzing a failed Certora run - In this lesson, you will learn how to analyze a failed Certora run, including how to understand the different parts of the call trace, how to identify the counter-example that caused the failure, and how to interpret the results of the run. Duration: 5min

30. Require Statements

A detailed explanation of require statements in Solidity for Formal Verification. This lesson discusses the need to specify pre-conditions for Certora to run correctly, and walks through using 'require' statements to declare the initial state of storage variables. Duration: 2min

31. Failed Certora Run 2

A comprehensive guide to identifying and debugging a failed Certora Run 2 - The lesson covers the process of identifying and resolving an issue with a formal verification check. This involves looking at the Certora output, tracing the call stack and then looking at the code in order to identify the bug. Duration: 3min

32. Envfree

A detailed guide to understanding the 'envfree' function, and how the environment can be used as a first parameter in function calls in Certora. This lesson covers what the 'envfree' keyword does, how to pass an environment into a function, and how to use the environment to find edge cases that can break your invariants or rules in Certora. Duration: 6min

33. Leveling Up Our Conf File

A practical guide to leveling up your configuration file - The video explores several key parameters within your Certora configuration file such as 'wait for results' and 'rule sanity'. You will learn how to use these parameters to optimize your formal verification process. Duration: 2min

34. Formal Verification Introduction Recap

A quick introduction to formal verification in Solidity. The lesson goes over how to use the Halmos and Certora tools to verify a simple rule or invariant for a solidity contract. This example will show how to write a rule that proves that a function will never revert. Duration: 2min

35. Using Formal Verification On Math Masters

A fun challenge in formal verification to Math Masters - This lesson will use Halmos and Certora to do formal verification of two Solidity functions: mulWadUp and sqrt. The lesson will also reveal the clue that should've tipped you off that there was an issue with the sqrt function and that it was not actually passing. Duration: 1min

36. Halmos Mulwadup

A practical guide to path explosions and timeouts in formal verification - This lesson covers the importance of using fuzzing first in formal verification, as well as how to increase Halmos’ run time by modifying its parameters. Duration: 7min

37. Certora Mulwadup

A comprehensive guide to verifying internal functions and libraries in Solidity - This lesson focuses on understanding the use of code harnesses to verify the functionality of internal functions and libraries, and introduces Certora, a formal verification tool. Duration: 6min

38. Formal Verification Soundness

A technical guide to formal verification soundness - This lesson discusses the concept of soundness in formal verification, particularly as it relates to the Certora prover. We see an example of an unsound approximation, and learn how to address this problem. Duration: 2min

39. Definitions

A detailed breakdown of definitions in the Certora Verification Language - This lesson explains how to use definitions to encapsulate commonly used expressions. You will learn how to declare a definition, how to use a definition, and what kind of expressions you can encapsulate within a definition. Duration: 1min

40. Refactoring

A detailed guide to refactoring for CVL - This lesson covers how to refactor code for the Certora Verification Language (CVL) including using the `require` keyword, the concept of `max_uint`, and the difference between `mathint` and `uint256` types. Duration: 5min

41. Your First Certora Invariant

A detailed guide to writing and understanding invariants in Certora - The lesson covers the definition of an invariant and how to write one using the invariant keyword, and explains the difference between an invariant and a rule. Duration: 6min

42. Invariant Preserved Blocks

A comprehensive guide to using invariants and preserved blocks in Certora. This lesson covers the process of rewriting a rule to be an invariant in Certora, as well as the differences between a rule and an invariant. The lesson also shows how to use preserved blocks in conjunction with invariants to establish conditions necessary for the invariant to hold. Duration: 3min

43. Certora Recap

A comprehensive recap of Certora invariants, harness, rules, and types - This lesson covers the basics of formally verifying internal functions using Certora. It explains how to use harness to wrap and verify the functionality of a function, and how to use definitions to define different types of variables. The lesson also demonstrates how to define rules, including pre-conditions and post-conditions, and how to use invariants to ensure the properties of the system hold. Finally, the lesson shows how to perform correct conversions between different types using the assert keyword. Duration: 2min

44. Tackling The Sqrt Function

A comprehensive guide to tackling the SQRT function - This lesson walks through the process of auditing a square root function by comparing different codebases and testing cases to find the most accurate and secure solution. We also learn how to utilize fuzz testing to identify any potential errors within the SQRT function. Duration: 2min

45. Naive Formal Verification With Halmos

A naive approach to formal verification with Halmos - The video goes over how to use Halmos and how naive formal verification can be. Halmos is a tool that is used to formally verify solidity code. Duration: 2min

46. Naive Optimistic Loop

A detailed guide to using the Certora prover for verifying the SQRT function. This lesson covers how to use Certora to verify that the SQRT functions in different libraries are equivalent to each other and will also walk you through how to debug timeout errors when using Certora. Duration: 8min

47. Modular Verification

A practical guide to modular verification for Solidity. The lesson discusses how to break a complex problem into simpler subproblems and how to verify each part separately. The video then walks through a real-world example of finding a bug in a square root function by utilizing modular verification and a fuzz test. Duration: 11min

48. Sqrt Function Hint

A practical guide to finding a bug in a square root function using modular verification - In this lesson, we explore the concept of modular verification and use it to locate a bug in a square root function. We will leverage the Certora tool to execute verification checks, ensuring that our code matches the intended behavior of the square root function. Duration: 3min

49. Modular Verification Recap

A comprehensive guide to formal verification in Web3 – Learn how to use Certora to test your Solidity code. The lesson covers modular verification, how to use Certora's different functionalities, and how to write a detailed formal verification audit report. Duration: 9min

50. Recap

A comprehensive guide to Formal Verification - Let's dive deep into the world of Formal Verification with a detailed overview of the process. We'll learn how to identify potential vulnerabilities and bugs in Solidity code and verify that the code is functioning as intended. Duration: 6min

Section 4: Gas Bad NFT Marketplace

Duration: 1h 56min