2026-03-28 Vault Hardening + Strict Certora Record¶
Scope¶
This document records the contract hardening and verification reruns completed on 2026-03-28.
Contract hardening changes¶
- Running-phase principal protection (
WithdrawalVault) - Added
PrincipalProtectionActive. - Running-phase rewards now return
0oncebalance >= principalTargetWei. - Running-phase beneficiary claim entry points revert once
balance >= principalTargetWei: initiateClaimRewardsfinalizeClaimRewards-
File:
/home/user/centurion/centurion-networks/mainnet/contracts/src/WithdrawalVault.sol -
On-chain principal target enforcement (
VaultFactory) - Added factory-level hard check:
principalTargetWei == 32 ether. - Revert on mismatch:
InvalidPrincipalTarget. -
File:
/home/user/centurion/centurion-networks/mainnet/contracts/src/VaultFactory.sol -
Test updates
- Updated adversarial/race tests for the new guard behavior.
- Updated factory test to require revert for non-32 principal target.
- File:
/home/user/centurion/centurion-networks/mainnet/contracts/test/WithdrawalVault.t.sol
Certora configuration hardening¶
Canonical confs were changed to remove optimistic proving options:
- Removed optimistic_loop
- Removed optimistic_fallback
Updated confs:
- /home/user/centurion/centurion-networks/mainnet/contracts/verification/certora/conf/vault_economics.conf
- /home/user/centurion/centurion-networks/mainnet/contracts/verification/certora/conf/vault_access.conf
- /home/user/centurion/centurion-networks/mainnet/contracts/verification/certora/conf/router.conf
- /home/user/centurion/centurion-networks/mainnet/contracts/verification/certora/conf/factory.conf
Spec cleanup:
- /home/user/centurion/centurion-networks/mainnet/contracts/verification/certora/specs/VaultEconomics.spec
- Removed invalid strict-mode balance-cap rule and kept cap invariant with explicit precondition.
Exact commands run (from /home/user/centurion/centurion-networks/mainnet/contracts/verification)¶
certoraRun certora/conf/vault_economics.conf --wait_for_results all
certoraRun certora/conf/vault_access.conf --wait_for_results all
certoraRun certora/conf/router.conf --wait_for_results all
certoraRun certora/conf/factory.conf --wait_for_results all
certoraRun certora/conf/vault_access_strict.conf --wait_for_results all
Strict run results¶
All runs completed with No errors found by Prover!.
vault_economics.conf: https://prover.certora.com/output/2263068/e7d18b41395844cc824d303fbda729d3vault_access.conf: https://prover.certora.com/output/2263068/eb1ea65de2244a42bb2742d4b3e66b1erouter.conf: https://prover.certora.com/output/2263068/4f05528cf1af425bbf4beb92ba3bc98efactory.conf: https://prover.certora.com/output/2263068/511f8089b3414b42b25937161790b093vault_access_strict.conf: https://prover.certora.com/output/2263068/1fb722019bdb44e8b62b2263272b6203
Environment note¶
forge is not installed in this environment, so Foundry tests were not executed here.
Contract compilation and Certora runs were executed with a native ARM solc binary at:
/home/user/centurion/centurion-networks/mainnet/contracts/verification/tools/solc-linux-arm64-v0.8.31+commit.fd3a2265