Commit 65b99ce6 authored by Jakob Botsch Nielsen's avatar Jakob Botsch Nielsen
Browse files

Prove account balances are nonnegative

parent 71b1a654
Pipeline #13808 passed with stage
in 7 minutes and 32 seconds
...@@ -632,6 +632,14 @@ Proof. ...@@ -632,6 +632,14 @@ Proof.
cbn in *. cbn in *.
destruct_address_eq; congruence. destruct_address_eq; congruence.
Qed. Qed.
Lemma eval_amount_nonnegative : eval_amount eval >= 0.
Proof. now destruct eval. Qed.
Lemma eval_amount_le_account_balance :
eval_amount eval <= account_balance pre (eval_from eval).
Proof. now destruct eval. Qed.
End Theories. End Theories.
Section Trace. Section Trace.
...@@ -993,6 +1001,29 @@ Proof. ...@@ -993,6 +1001,29 @@ Proof.
contract_no_created_blocks; auto. contract_no_created_blocks; auto.
Qed. Qed.
Lemma account_balance_nonnegative state addr :
reachable state ->
account_balance state addr >= 0.
intros [trace].
remember empty_state eqn:eq.
induction trace; subst; cbn; try lia.
specialize (IHtrace eq_refl).
- (* New block *)
unfold add_balance.
inversion valid_header.
destruct_address_eq; lia.
- (* Action evaluation *)
rewrite (account_balance_post eval addr).
pose proof (eval_amount_nonnegative eval).
pose proof (eval_amount_le_account_balance eval).
destruct_address_eq; subst; cbn in *; lia.
- now rewrite <- prev_next.
End Theories. End Theories.
End Trace. End Trace.
End Semantics. End Semantics.
