From 783e741609edd38b74911ea7fb2a6792c55c011d Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 29 Feb 2024 13:40:02 -0500
Subject: [PATCH 01/18] rate_limit: add fuzz test for outbound transfers

---
 evm/test/RateLimit.t.sol | 64 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index c6f24e23c..12f6428d5 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -444,6 +444,70 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         nttManager.completeOutboundQueuedTransfer(0);
     }
 
+    function testFuzz_outboundRateLimitShouldQueue(uint256 limitAmt, uint256 transferAmt) public {
+        // setup
+        address user_A = address(0x123);
+        address user_B = address(0x456);
+        DummyToken token = DummyToken(nttManager.token());
+        uint8 decimals = token.decimals();
+
+        // inputs
+        uint256 totalAmt = (type(uint64).max) / (10 ** decimals);
+        // avoids the ZeroAmount() error
+        // cannot transfer more than what's available
+        vm.assume(transferAmt > 0 && transferAmt <= totalAmt);
+        // this ensures that the transfer is always queued up
+        vm.assume(limitAmt < transferAmt);
+
+        // mint
+        token.mintDummy(address(user_A), totalAmt * (10 ** decimals));
+        uint256 outboundLimit = limitAmt * (10 ** decimals);
+        nttManager.setOutboundLimit(outboundLimit);
+
+        vm.startPrank(user_A);
+
+        // initiate transfer
+        uint256 transferAmount = transferAmt * (10 ** decimals);
+        token.approve(address(nttManager), transferAmount);
+
+        // shouldQueue == true
+        uint64 qSeq = nttManager.transfer(
+            transferAmount, chainId, toWormholeFormat(user_B), true, new bytes(1)
+        );
+
+        // assert that the transfer got queued up
+        assertEq(qSeq, 0);
+        IRateLimiter.OutboundQueuedTransfer memory qt = nttManager.getOutboundQueuedTransfer(0);
+        assertEq(qt.amount.getAmount(), transferAmount.trim(decimals, decimals).getAmount());
+        assertEq(qt.recipientChain, chainId);
+        assertEq(qt.recipient, toWormholeFormat(user_B));
+        assertEq(qt.txTimestamp, initialBlockTimestamp);
+
+        // assert that the contract also locked funds from the user
+        assertEq(token.balanceOf(address(user_A)), totalAmt * (10 ** decimals) - transferAmount);
+        assertEq(token.balanceOf(address(nttManager)), transferAmount);
+
+        // elapse rate limit duration - 1
+        uint256 durationElapsedTime = initialBlockTimestamp + nttManager.rateLimitDuration();
+        vm.warp(durationElapsedTime - 1);
+
+        // assert that transfer still can't be completed
+        bytes4 stillQueuedSelector =
+            bytes4(keccak256("OutboundQueuedTransferStillQueued(uint64,uint256)"));
+        vm.expectRevert(abi.encodeWithSelector(stillQueuedSelector, 0, initialBlockTimestamp));
+        nttManager.completeOutboundQueuedTransfer(0);
+
+        // now complete transfer
+        vm.warp(durationElapsedTime);
+        uint64 seq = nttManager.completeOutboundQueuedTransfer(0);
+        assertEq(seq, 0);
+
+        // now ensure transfer was removed from queue
+        bytes4 notFoundSelector = bytes4(keccak256("OutboundQueuedTransferNotFound(uint64)"));
+        vm.expectRevert(abi.encodeWithSelector(notFoundSelector, 0));
+        nttManager.completeOutboundQueuedTransfer(0);
+    }
+
     function test_inboundRateLimit_simple() public {
         address user_B = address(0x456);
 

From 23db655f8dc55cba6e23936861dcf035ffa2c33c Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 29 Feb 2024 13:40:23 -0500
Subject: [PATCH 02/18] trimmed_amounts: add fuzz tests for left inverse and
 saturating add

---
 evm/test/TrimmedAmount.t.sol | 49 ++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index f9a1882c8..bf04ceca9 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -218,4 +218,53 @@ contract TrimmingTest is Test {
 
         assertEq(expectedIsLt, isLt);
     }
+
+    // invariant: forall (x: uint256, y: uint8, z: uint8),
+    //            (x <= type(uint64).max, y <= z)
+    //                    => (x.trim(x, 8).untrim(y) == x)
+    function testFuzz_trimIsLeftInverse(
+        uint256 amount,
+        uint8 fromDecimals,
+        uint8 toDecimals
+    ) public {
+        // this is guaranteed by trimming
+        uint256 amt = bound(amount, 1, type(uint64).max);
+        vm.assume(fromDecimals <= 18);
+        vm.assume(toDecimals <= 18);
+
+        // trimming
+        uint8 initialDecimals = 0;
+        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amt), initialDecimals);
+
+        // trimming is left inverse of trimming
+        uint256 amountUntrimmed = trimmedAmount.untrim(fromDecimals);
+        TrimmedAmount memory amountRoundTrip = amountUntrimmed.trim(fromDecimals, initialDecimals);
+
+        assertEq(trimmedAmount.amount, amountRoundTrip.amount);
+    }
+
+    // invariant: forall (TrimmedAmount a, TrimmedAmount b) a.saturatingAdd(b).amount <= type(uint64).max
+    function testFuzz_saturatingAddDoesNotOverflow(
+        TrimmedAmount memory a,
+        TrimmedAmount memory b
+    ) public {
+        vm.assume(a.decimals == b.decimals);
+
+        // this is guaranteed by trimming
+        a.amount = uint64(bound(a.amount, 0, type(uint64).max));
+        a.decimals = uint8(bound(a.decimals, 0, 8));
+
+        b.amount = uint64(bound(b.amount, 0, type(uint64).max));
+        b.decimals = uint8(bound(b.decimals, 0, 8));
+
+        TrimmedAmount memory c = a.saturatingAdd(b);
+
+        // decimals should always be the same, else revert
+        assertEq(c.decimals, a.decimals);
+
+        // amount should never overflow
+        assertLe(c.amount, type(uint64).max);
+        // amount should never underflow
+        assertGe(c.amount, 0);
+    }
 }

From 42fe1a4add77864fedf83f742763bec3442a1d2d Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 29 Feb 2024 14:16:59 -0500
Subject: [PATCH 03/18] trimmed_amount: add more fuzz tests

---
 evm/test/TrimmedAmount.t.sol | 59 ++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index bf04ceca9..1069ce16e 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -243,6 +243,8 @@ contract TrimmingTest is Test {
         assertEq(trimmedAmount.amount, amountRoundTrip.amount);
     }
 
+    // FUZZ TESTS
+
     // invariant: forall (TrimmedAmount a, TrimmedAmount b) a.saturatingAdd(b).amount <= type(uint64).max
     function testFuzz_saturatingAddDoesNotOverflow(
         TrimmedAmount memory a,
@@ -267,4 +269,61 @@ contract TrimmingTest is Test {
         // amount should never underflow
         assertGe(c.amount, 0);
     }
+
+    // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
+    // or trimmed to the number of decimals on the recipient chain.
+    // this tests for inputs with decimals > TRIMMED_DECIMALS
+    function testFuzz_SubOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
+        uint8 decimals = uint8(bound(decimals, 8, 18));
+        uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
+        vm.assume(amt < maxAmt);
+
+        uint256 amount = amt * (10 ** decimals);
+        uint256 amountOther = 0;
+        TrimmedAmount memory trimmedAmount = amount.trim(decimals, 8);
+        TrimmedAmount memory trimmedAmountOther = amountOther.trim(decimals, 8);
+
+        TrimmedAmount memory trimmedSub = trimmedAmount.sub(trimmedAmountOther);
+
+        TrimmedAmount memory expectedTrimmedSub = TrimmedAmount(uint64(amt * (10 ** 8)), 8);
+        assert(expectedTrimmedSub.eq(trimmedSub));
+    }
+
+    function testFuzz_SubOperatorWillOverflow(
+        uint8 decimals,
+        uint256 amtLeft,
+        uint256 amtRight
+    ) public {
+        uint8 decimals = uint8(bound(decimals, 8, 18));
+        uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
+        vm.assume(amtRight < maxAmt);
+        vm.assume(amtLeft < amtRight);
+
+        uint256 amountLeft = amtLeft * (10 ** decimals);
+        uint256 amountRight = amtRight * (10 ** decimals);
+        TrimmedAmount memory trimmedAmount = amountLeft.trim(decimals, 8);
+        TrimmedAmount memory trimmedAmountOther = amountRight.trim(decimals, 8);
+
+        vm.expectRevert();
+        trimmedAmount.sub(trimmedAmountOther);
+    }
+
+    // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
+    // or trimmed to the number of decimals on the recipient chain.
+    // this tests for inputs with decimals > TRIMMED_DECIMALS
+    function testFuzz_AddOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
+        uint8 decimals = uint8(bound(decimals, 8, 18));
+        uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
+        vm.assume(amt < maxAmt);
+
+        uint256 amount = amt * (10 ** decimals);
+        uint256 amountOther = 0;
+        TrimmedAmount memory trimmedAmount = amount.trim(decimals, 8);
+        TrimmedAmount memory trimmedAmountOther = amountOther.trim(decimals, 8);
+
+        TrimmedAmount memory trimmedSum = trimmedAmount.add(trimmedAmountOther);
+
+        TrimmedAmount memory expectedTrimmedSum = TrimmedAmount(uint64(amt * (10 ** 8)), 8);
+        assert(expectedTrimmedSum.eq(trimmedSum));
+    }
 }

From 2c96268cf79bf4b63b416b95ff3506ad0c9d004f Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 29 Feb 2024 17:14:11 -0500
Subject: [PATCH 04/18] ntt_manager: add fuzz test for countSetBits

---
 evm/test/NttManager.t.sol | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/evm/test/NttManager.t.sol b/evm/test/NttManager.t.sol
index a2aa42808..9afd2edae 100644
--- a/evm/test/NttManager.t.sol
+++ b/evm/test/NttManager.t.sol
@@ -72,12 +72,20 @@ contract TestNttManager is Test, IRateLimiterEvents {
 
     // === pure unit tests
 
-    function test_countSetBits() public {
-        assertEq(countSetBits(5), 2);
-        assertEq(countSetBits(0), 0);
-        assertEq(countSetBits(15), 4);
-        assertEq(countSetBits(16), 1);
-        assertEq(countSetBits(65535), 16);
+    // naive implementation of countSetBits to test against
+    function simpleCount(uint64 n) public returns (uint8) {
+        uint8 count;
+
+        while (n > 0) {
+            count += uint8(n & 1);
+            n >>= 1;
+        }
+
+        return count;
+    }
+
+    function testFuzz_countSetBits(uint64 n) public {
+        assertEq(simpleCount(n), countSetBits(n));
     }
 
     // === Deployments with rate limiter disabled

From 7151aa4c300357ff693126628d8d32a4450863ae Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 29 Feb 2024 17:33:45 -0500
Subject: [PATCH 05/18] rate_limit: add fuzz test for inbound rate limiting

---
 evm/test/RateLimit.t.sol | 238 ++++++++++++++++++++++++++++-----------
 1 file changed, 174 insertions(+), 64 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index 12f6428d5..b94bbcc4a 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -444,70 +444,6 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         nttManager.completeOutboundQueuedTransfer(0);
     }
 
-    function testFuzz_outboundRateLimitShouldQueue(uint256 limitAmt, uint256 transferAmt) public {
-        // setup
-        address user_A = address(0x123);
-        address user_B = address(0x456);
-        DummyToken token = DummyToken(nttManager.token());
-        uint8 decimals = token.decimals();
-
-        // inputs
-        uint256 totalAmt = (type(uint64).max) / (10 ** decimals);
-        // avoids the ZeroAmount() error
-        // cannot transfer more than what's available
-        vm.assume(transferAmt > 0 && transferAmt <= totalAmt);
-        // this ensures that the transfer is always queued up
-        vm.assume(limitAmt < transferAmt);
-
-        // mint
-        token.mintDummy(address(user_A), totalAmt * (10 ** decimals));
-        uint256 outboundLimit = limitAmt * (10 ** decimals);
-        nttManager.setOutboundLimit(outboundLimit);
-
-        vm.startPrank(user_A);
-
-        // initiate transfer
-        uint256 transferAmount = transferAmt * (10 ** decimals);
-        token.approve(address(nttManager), transferAmount);
-
-        // shouldQueue == true
-        uint64 qSeq = nttManager.transfer(
-            transferAmount, chainId, toWormholeFormat(user_B), true, new bytes(1)
-        );
-
-        // assert that the transfer got queued up
-        assertEq(qSeq, 0);
-        IRateLimiter.OutboundQueuedTransfer memory qt = nttManager.getOutboundQueuedTransfer(0);
-        assertEq(qt.amount.getAmount(), transferAmount.trim(decimals, decimals).getAmount());
-        assertEq(qt.recipientChain, chainId);
-        assertEq(qt.recipient, toWormholeFormat(user_B));
-        assertEq(qt.txTimestamp, initialBlockTimestamp);
-
-        // assert that the contract also locked funds from the user
-        assertEq(token.balanceOf(address(user_A)), totalAmt * (10 ** decimals) - transferAmount);
-        assertEq(token.balanceOf(address(nttManager)), transferAmount);
-
-        // elapse rate limit duration - 1
-        uint256 durationElapsedTime = initialBlockTimestamp + nttManager.rateLimitDuration();
-        vm.warp(durationElapsedTime - 1);
-
-        // assert that transfer still can't be completed
-        bytes4 stillQueuedSelector =
-            bytes4(keccak256("OutboundQueuedTransferStillQueued(uint64,uint256)"));
-        vm.expectRevert(abi.encodeWithSelector(stillQueuedSelector, 0, initialBlockTimestamp));
-        nttManager.completeOutboundQueuedTransfer(0);
-
-        // now complete transfer
-        vm.warp(durationElapsedTime);
-        uint64 seq = nttManager.completeOutboundQueuedTransfer(0);
-        assertEq(seq, 0);
-
-        // now ensure transfer was removed from queue
-        bytes4 notFoundSelector = bytes4(keccak256("OutboundQueuedTransferNotFound(uint64)"));
-        vm.expectRevert(abi.encodeWithSelector(notFoundSelector, 0));
-        nttManager.completeOutboundQueuedTransfer(0);
-    }
-
     function test_inboundRateLimit_simple() public {
         address user_B = address(0x456);
 
@@ -767,4 +703,178 @@ contract TestRateLimit is Test, IRateLimiterEvents {
             assertEq(inboundLimitParams.lastTxTimestamp, sendAgainTime);
         }
     }
+
+    function testFuzz_outboundRateLimitShouldQueue(uint256 limitAmt, uint256 transferAmt) public {
+        // setup
+        address user_A = address(0x123);
+        address user_B = address(0x456);
+        DummyToken token = DummyToken(nttManager.token());
+        uint8 decimals = token.decimals();
+
+        // inputs
+        uint256 totalAmt = (type(uint64).max) / (10 ** decimals);
+        // avoids the ZeroAmount() error
+        // cannot transfer more than what's available
+        vm.assume(transferAmt > 0 && transferAmt <= totalAmt);
+        // this ensures that the transfer is always queued up
+        vm.assume(limitAmt < transferAmt);
+
+        // mint
+        token.mintDummy(address(user_A), totalAmt * (10 ** decimals));
+        uint256 outboundLimit = limitAmt * (10 ** decimals);
+        nttManager.setOutboundLimit(outboundLimit);
+
+        vm.startPrank(user_A);
+
+        // initiate transfer
+        uint256 transferAmount = transferAmt * (10 ** decimals);
+        token.approve(address(nttManager), transferAmount);
+
+        // shouldQueue == true
+        uint64 qSeq = nttManager.transfer(
+            transferAmount, chainId, toWormholeFormat(user_B), true, new bytes(1)
+        );
+
+        // assert that the transfer got queued up
+        assertEq(qSeq, 0);
+        IRateLimiter.OutboundQueuedTransfer memory qt = nttManager.getOutboundQueuedTransfer(0);
+        assertEq(qt.amount.getAmount(), transferAmount.trim(decimals, decimals).getAmount());
+        assertEq(qt.recipientChain, chainId);
+        assertEq(qt.recipient, toWormholeFormat(user_B));
+        assertEq(qt.txTimestamp, initialBlockTimestamp);
+
+        // assert that the contract also locked funds from the user
+        assertEq(token.balanceOf(address(user_A)), totalAmt * (10 ** decimals) - transferAmount);
+        assertEq(token.balanceOf(address(nttManager)), transferAmount);
+
+        // elapse rate limit duration - 1
+        uint256 durationElapsedTime = initialBlockTimestamp + nttManager.rateLimitDuration();
+        vm.warp(durationElapsedTime - 1);
+
+        // assert that transfer still can't be completed
+        bytes4 stillQueuedSelector =
+            bytes4(keccak256("OutboundQueuedTransferStillQueued(uint64,uint256)"));
+        vm.expectRevert(abi.encodeWithSelector(stillQueuedSelector, 0, initialBlockTimestamp));
+        nttManager.completeOutboundQueuedTransfer(0);
+
+        // now complete transfer
+        vm.warp(durationElapsedTime);
+        uint64 seq = nttManager.completeOutboundQueuedTransfer(0);
+        assertEq(seq, 0);
+
+        // now ensure transfer was removed from queue
+        bytes4 notFoundSelector = bytes4(keccak256("OutboundQueuedTransferNotFound(uint64)"));
+        vm.expectRevert(abi.encodeWithSelector(notFoundSelector, 0));
+        nttManager.completeOutboundQueuedTransfer(0);
+    }
+
+    function testFuzz_inboundRateLimitShouldQueue(uint256 inboundLimitAmt, uint256 amount) public {
+        vm.assume(amount > 0 && amount <= type(uint64).max);
+        vm.assume(inboundLimitAmt < amount);
+
+        address user_B = address(0x456);
+
+        (DummyTransceiver e1, DummyTransceiver e2) =
+            TransceiverHelpersLib.setup_transceivers(nttManager);
+
+        DummyToken token = DummyToken(nttManager.token());
+
+        ITransceiverReceiver[] memory transceivers = new ITransceiverReceiver[](1);
+        transceivers[0] = e1;
+
+        TransceiverStructs.NttManagerMessage memory m;
+        bytes memory encodedEm;
+        uint256 inboundLimit = inboundLimitAmt;
+        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amount), 8);
+        {
+            TransceiverStructs.TransceiverMessage memory em;
+            (m, em) = TransceiverHelpersLib.attestTransceiversHelper(
+                user_B,
+                0,
+                chainId,
+                nttManager,
+                nttManager,
+                trimmedAmount,
+                // TrimmedAmount(50, 8),
+                inboundLimit.trim(token.decimals(), token.decimals()),
+                transceivers
+            );
+            encodedEm = TransceiverStructs.encodeTransceiverMessage(
+                TransceiverHelpersLib.TEST_TRANSCEIVER_PAYLOAD_PREFIX, em
+            );
+        }
+
+        bytes32 digest =
+            TransceiverStructs.nttManagerMessageDigest(TransceiverHelpersLib.SENDING_CHAIN_ID, m);
+
+        // no quorum yet
+        assertEq(token.balanceOf(address(user_B)), 0);
+
+        vm.expectEmit(address(nttManager));
+        emit InboundTransferQueued(digest);
+        e2.receiveMessage(encodedEm);
+
+        {
+            // now we have quorum but it'll hit limit
+            IRateLimiter.InboundQueuedTransfer memory qt =
+                nttManager.getInboundQueuedTransfer(digest);
+            assertEq(qt.amount.getAmount(), trimmedAmount.getAmount());
+            assertEq(qt.txTimestamp, initialBlockTimestamp);
+            assertEq(qt.recipient, user_B);
+        }
+
+        // assert that the user doesn't have funds yet
+        assertEq(token.balanceOf(address(user_B)), 0);
+
+        // change block time to (duration - 1) seconds later
+        uint256 durationElapsedTime = initialBlockTimestamp + nttManager.rateLimitDuration();
+        vm.warp(durationElapsedTime - 1);
+
+        {
+            // assert that transfer still can't be completed
+            bytes4 stillQueuedSelector =
+                bytes4(keccak256("InboundQueuedTransferStillQueued(bytes32,uint256)"));
+            vm.expectRevert(
+                abi.encodeWithSelector(stillQueuedSelector, digest, initialBlockTimestamp)
+            );
+            nttManager.completeInboundQueuedTransfer(digest);
+        }
+
+        // now complete transfer
+        vm.warp(durationElapsedTime);
+        nttManager.completeInboundQueuedTransfer(digest);
+
+        {
+            // assert transfer no longer in queue
+            bytes4 notQueuedSelector = bytes4(keccak256("InboundQueuedTransferNotFound(bytes32)"));
+            vm.expectRevert(abi.encodeWithSelector(notQueuedSelector, digest));
+            nttManager.completeInboundQueuedTransfer(digest);
+        }
+
+        // assert user now has funds
+        assertEq(
+            token.balanceOf(address(user_B)),
+            trimmedAmount.getAmount() * 10 ** (token.decimals() - 8)
+        );
+
+        // replay protection on executeMsg
+        vm.recordLogs();
+        nttManager.executeMsg(
+            TransceiverHelpersLib.SENDING_CHAIN_ID, toWormholeFormat(address(nttManager)), m
+        );
+
+        {
+            Vm.Log[] memory entries = vm.getRecordedLogs();
+            assertEq(entries.length, 1);
+            assertEq(entries[0].topics.length, 3);
+            assertEq(entries[0].topics[0], keccak256("MessageAlreadyExecuted(bytes32,bytes32)"));
+            assertEq(entries[0].topics[1], toWormholeFormat(address(nttManager)));
+            assertEq(
+                entries[0].topics[2],
+                TransceiverStructs.nttManagerMessageDigest(
+                    TransceiverHelpersLib.SENDING_CHAIN_ID, m
+                )
+            );
+        }
+    }
 }

From 4e1ff5ffc963899fc467ff0fa924112778d24896 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Fri, 1 Mar 2024 12:07:25 -0500
Subject: [PATCH 06/18] rate_limit: add fuzz test for backflow

---
 evm/test/RateLimit.t.sol | 150 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 148 insertions(+), 2 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index b94bbcc4a..6ea459a50 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -603,6 +603,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         TrimmedAmount transferAmount = packTrimmedAmount(10, 8);
         token.approve(address(nttManager), type(uint256).max);
+        // transfer 10 tokens from user_A -> user_B via the nttManager
         nttManager.transfer(
             transferAmount.untrim(decimals), chainId, toWormholeFormat(user_B), false, new bytes(1)
         );
@@ -614,7 +615,8 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         assertEq(token.balanceOf(user_A), (mintAmount - (transferAmount)).untrim(decimals));
 
         {
-            // assert outbound rate limit decreased
+            // consumed capacity on the outbound side
+            // assert outbound capacity decreased
             IRateLimiter.RateLimitParams memory outboundLimitParams =
                 nttManager.getOutboundLimitParams();
             assertEq(
@@ -644,7 +646,151 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         assertEq(token.balanceOf(user_A), mintAmount.untrim(decimals));
 
         {
-            // assert that the inbound limits decreased
+            // consume capacity on the inbound side
+            // assert that the inbound capacity decreased
+            IRateLimiter.RateLimitParams memory inboundLimitParams =
+                nttManager.getInboundLimitParams(TransceiverHelpersLib.SENDING_CHAIN_ID);
+            assertEq(
+                inboundLimitParams.currentCapacity.getAmount(),
+                inboundLimitParams.limit.sub(transferAmount).getAmount()
+            );
+            assertEq(inboundLimitParams.lastTxTimestamp, receiveTime);
+        }
+
+        {
+            // assert that outbound limit is at max again (because of backflow)
+            IRateLimiter.RateLimitParams memory outboundLimitParams =
+                nttManager.getOutboundLimitParams();
+            assertEq(
+                outboundLimitParams.currentCapacity.getAmount(),
+                outboundLimitParams.limit.getAmount()
+            );
+            assertEq(outboundLimitParams.lastTxTimestamp, receiveTime);
+        }
+
+        // go 1 second into the future
+        uint256 sendAgainTime = receiveTime + 1;
+        vm.warp(sendAgainTime);
+
+        // transfer 10 back to the contract
+        vm.startPrank(user_A);
+
+        nttManager.transfer(
+            transferAmount.untrim(decimals),
+            TransceiverHelpersLib.SENDING_CHAIN_ID,
+            toWormholeFormat(user_B),
+            false,
+            new bytes(1)
+        );
+
+        vm.stopPrank();
+
+        {
+            // assert outbound rate limit decreased
+            IRateLimiter.RateLimitParams memory outboundLimitParams =
+                nttManager.getOutboundLimitParams();
+            assertEq(
+                outboundLimitParams.currentCapacity.getAmount(),
+                outboundLimitParams.limit.sub(transferAmount).getAmount()
+            );
+            assertEq(outboundLimitParams.lastTxTimestamp, sendAgainTime);
+        }
+
+        {
+            // assert that the inbound limit is at max again (because of backflow)
+            IRateLimiter.RateLimitParams memory inboundLimitParams =
+                nttManager.getInboundLimitParams(TransceiverHelpersLib.SENDING_CHAIN_ID);
+            assertEq(
+                inboundLimitParams.currentCapacity.getAmount(), inboundLimitParams.limit.getAmount()
+            );
+            assertEq(inboundLimitParams.lastTxTimestamp, sendAgainTime);
+        }
+    }
+
+    // helper functions
+    function setupToken() public returns (address, address, DummyToken, uint8) {
+        address user_A = address(0x123);
+        address user_B = address(0x456);
+
+        DummyToken token = DummyToken(nttManager.token());
+
+        uint8 decimals = token.decimals();
+        assertEq(decimals, 18);
+
+        return (user_A, user_B, token, decimals);
+    }
+
+    function initializeTransceivers() public returns (ITransceiverReceiver[] memory) {
+        (DummyTransceiver e1, DummyTransceiver e2) =
+            TransceiverHelpersLib.setup_transceivers(nttManager);
+
+        ITransceiverReceiver[] memory transceivers = new ITransceiverReceiver[](2);
+        transceivers[0] = e1;
+        transceivers[1] = e2;
+
+        return transceivers;
+    }
+
+    // transfer tokens from user_A to user_B
+    // this consumes capacity on the outbound side
+    // send tokens from user_B to user_A
+    // this consumes capacity on the inbound side
+    // send tokens from user_A to user_B
+    // this should consume capacity on the outbound side
+    // and backfill the inbound side
+    function testFuzz_CircularFlowBackFilling(uint64 mintAmt, uint64 transferAmt) public {
+        vm.assume(transferAmt > 0 && transferAmt < mintAmt);
+
+        (address user_A, address user_B, DummyToken token, uint8 decimals) = setupToken();
+
+        TrimmedAmount memory mintAmount = TrimmedAmount(mintAmt, 8);
+        token.mintDummy(address(user_A), mintAmount.untrim(decimals));
+        nttManager.setOutboundLimit(mintAmount.untrim(decimals));
+
+        // transfer 10 tokens
+        vm.startPrank(user_A);
+
+        TrimmedAmount memory transferAmount = TrimmedAmount(transferAmt, 8);
+        token.approve(address(nttManager), type(uint256).max);
+        // transfer tokens from user_A -> user_B via the nttManager
+        nttManager.transfer(
+            transferAmount.untrim(decimals), chainId, toWormholeFormat(user_B), false, new bytes(1)
+        );
+
+        vm.stopPrank();
+
+        // assert nttManager has 10 tokens and user_A has 10 fewer tokens
+        assertEq(token.balanceOf(address(nttManager)), transferAmount.untrim(decimals));
+        assertEq(token.balanceOf(user_A), mintAmount.sub(transferAmount).untrim(decimals));
+
+        {
+            // consumed capacity on the outbound side
+            // assert outbound capacity decreased
+            IRateLimiter.RateLimitParams memory outboundLimitParams =
+                nttManager.getOutboundLimitParams();
+            assertEq(
+                outboundLimitParams.currentCapacity.getAmount(),
+                outboundLimitParams.limit.sub(transferAmount).getAmount()
+            );
+            assertEq(outboundLimitParams.lastTxTimestamp, initialBlockTimestamp);
+        }
+
+        // go 1 second into the future
+        uint256 receiveTime = initialBlockTimestamp + 1;
+        vm.warp(receiveTime);
+
+        ITransceiverReceiver[] memory transceivers = initializeTransceivers();
+        // now receive tokens from user_B -> user_A
+        TransceiverHelpersLib.attestTransceiversHelper(
+            user_A, 0, chainId, nttManager, nttManager, transferAmount, mintAmount, transceivers
+        );
+
+        // assert that user_A has original amount
+        assertEq(token.balanceOf(user_A), mintAmount.untrim(decimals));
+
+        {
+            // consume capacity on the inbound side
+            // assert that the inbound capacity decreased
             IRateLimiter.RateLimitParams memory inboundLimitParams =
                 nttManager.getInboundLimitParams(TransceiverHelpersLib.SENDING_CHAIN_ID);
             assertEq(

From ff5842021f9a0409ffc70f2d7f8b199288f0389f Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Mon, 4 Mar 2024 09:50:07 -0500
Subject: [PATCH 07/18] fix: use bound instead of assume for uints

---
 evm/test/RateLimit.t.sol | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index 6ea459a50..e55681c95 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -739,7 +739,8 @@ contract TestRateLimit is Test, IRateLimiterEvents {
     // this should consume capacity on the outbound side
     // and backfill the inbound side
     function testFuzz_CircularFlowBackFilling(uint64 mintAmt, uint64 transferAmt) public {
-        vm.assume(transferAmt > 0 && transferAmt < mintAmt);
+        mintAmt = uint64(bound(mintAmt, 2, type(uint64).max));
+        transferAmt = uint64(bound(transferAmt, 1, mintAmt - 1));
 
         (address user_A, address user_B, DummyToken token, uint8 decimals) = setupToken();
 

From 23320d12bc66c532e517610eac41ebcc36a6e389 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Mon, 4 Mar 2024 10:05:28 -0500
Subject: [PATCH 08/18] evm: remove unnecessary bounds in fuzz test for
 saturatingAdd

---
 evm/test/TrimmedAmount.t.sol | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 1069ce16e..82e199a8c 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -245,20 +245,14 @@ contract TrimmingTest is Test {
 
     // FUZZ TESTS
 
-    // invariant: forall (TrimmedAmount a, TrimmedAmount b) a.saturatingAdd(b).amount <= type(uint64).max
+    // invariant: forall (TrimmedAmount a, TrimmedAmount b)
+    //            a.saturatingAdd(b).amount <= type(uint64).max
     function testFuzz_saturatingAddDoesNotOverflow(
         TrimmedAmount memory a,
         TrimmedAmount memory b
     ) public {
         vm.assume(a.decimals == b.decimals);
 
-        // this is guaranteed by trimming
-        a.amount = uint64(bound(a.amount, 0, type(uint64).max));
-        a.decimals = uint8(bound(a.decimals, 0, 8));
-
-        b.amount = uint64(bound(b.amount, 0, type(uint64).max));
-        b.decimals = uint8(bound(b.decimals, 0, 8));
-
         TrimmedAmount memory c = a.saturatingAdd(b);
 
         // decimals should always be the same, else revert
@@ -273,8 +267,8 @@ contract TrimmingTest is Test {
     // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
     // or trimmed to the number of decimals on the recipient chain.
     // this tests for inputs with decimals > TRIMMED_DECIMALS
-    function testFuzz_SubOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
-        uint8 decimals = uint8(bound(decimals, 8, 18));
+    function testFuzz_SubOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public pure {
+        decimals = uint8(bound(decimals, 8, 18));
         uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
         vm.assume(amt < maxAmt);
 
@@ -294,7 +288,7 @@ contract TrimmingTest is Test {
         uint256 amtLeft,
         uint256 amtRight
     ) public {
-        uint8 decimals = uint8(bound(decimals, 8, 18));
+        decimals = uint8(bound(decimals, 8, 18));
         uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
         vm.assume(amtRight < maxAmt);
         vm.assume(amtLeft < amtRight);
@@ -311,8 +305,8 @@ contract TrimmingTest is Test {
     // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
     // or trimmed to the number of decimals on the recipient chain.
     // this tests for inputs with decimals > TRIMMED_DECIMALS
-    function testFuzz_AddOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
-        uint8 decimals = uint8(bound(decimals, 8, 18));
+    function testFuzz_AddOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public pure {
+        decimals = uint8(bound(decimals, 8, 18));
         uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
         vm.assume(amt < maxAmt);
 

From c00fa66b215d02f75ec380cc77d552e4f5c077f7 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Mon, 4 Mar 2024 11:10:12 -0500
Subject: [PATCH 09/18] evm: change the inputs to the circular backflow tests
 to uint256

---
 evm/test/RateLimit.t.sol | 43 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index e55681c95..7d9254805 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -738,8 +738,8 @@ contract TestRateLimit is Test, IRateLimiterEvents {
     // send tokens from user_A to user_B
     // this should consume capacity on the outbound side
     // and backfill the inbound side
-    function testFuzz_CircularFlowBackFilling(uint64 mintAmt, uint64 transferAmt) public {
-        mintAmt = uint64(bound(mintAmt, 2, type(uint64).max));
+    function testFuzz_CircularFlowBackFilling(uint64 mintAmt, uint256 transferAmt) public {
+        mintAmt = uint64(bound(mintAmt, 2, type(uint256).max));
         transferAmt = uint64(bound(transferAmt, 1, mintAmt - 1));
 
         (address user_A, address user_B, DummyToken token, uint8 decimals) = setupToken();
@@ -751,8 +751,45 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         // transfer 10 tokens
         vm.startPrank(user_A);
 
-        TrimmedAmount memory transferAmount = TrimmedAmount(transferAmt, 8);
+        // TrimmedAmount memory transferAmount = TrimmedAmount(transferAmt, 8);
         token.approve(address(nttManager), type(uint256).max);
+
+        // TODO: also fuzz the fromDecimals?
+
+        // allow for amounts greater than uint64 to check if [`transfer`] reverts
+        // on amounts greater than u64 MAX.
+        TrimmedAmount memory transferAmount = transferAmt.trim(decimals, 8);
+
+        // check error conditions
+        if (transferAmount.amount == 0) {
+            vm.expectRevert();
+            // transfer tokens from user_A -> user_B via the nttManager
+            nttManager.transfer(
+                transferAmount.untrim(decimals),
+                chainId,
+                toWormholeFormat(user_B),
+                false,
+                new bytes(1)
+            );
+
+            return;
+        }
+
+        if (transferAmount.amount > type(uint64).max) {
+            bytes4 selector = bytes4(keccak256("AmountTooLarge(uint256)"));
+            vm.expectRevert(abi.encodeWithSelector(selector, transferAmt));
+
+            nttManager.transfer(
+                transferAmount.untrim(decimals),
+                chainId,
+                toWormholeFormat(user_B),
+                false,
+                new bytes(1)
+            );
+
+            return;
+        }
+
         // transfer tokens from user_A -> user_B via the nttManager
         nttManager.transfer(
             transferAmount.untrim(decimals), chainId, toWormholeFormat(user_B), false, new bytes(1)

From 9f1cd4b2778f2296776171b02becec4614e9e6e1 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Mon, 4 Mar 2024 12:11:39 -0500
Subject: [PATCH 10/18] evm: modify trimming is left inverse to support more
 decimals

---
 evm/test/TrimmedAmount.t.sol | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 82e199a8c..63b9b996c 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -227,18 +227,19 @@ contract TrimmingTest is Test {
         uint8 fromDecimals,
         uint8 toDecimals
     ) public {
-        // this is guaranteed by trimming
         uint256 amt = bound(amount, 1, type(uint64).max);
-        vm.assume(fromDecimals <= 18);
-        vm.assume(toDecimals <= 18);
+        vm.assume(fromDecimals <= 50);
+        vm.assume(toDecimals <= 50);
 
-        // trimming
-        uint8 initialDecimals = 0;
-        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amt), initialDecimals);
+        // NOTE: this is guaranteeed by trimming
+        vm.assume(fromDecimals <= 8 && fromDecimals <= toDecimals);
+
+        // initialize TrimmedAmount
+        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amt), fromDecimals);
 
         // trimming is left inverse of trimming
-        uint256 amountUntrimmed = trimmedAmount.untrim(fromDecimals);
-        TrimmedAmount memory amountRoundTrip = amountUntrimmed.trim(fromDecimals, initialDecimals);
+        uint256 amountUntrimmed = trimmedAmount.untrim(toDecimals);
+        TrimmedAmount memory amountRoundTrip = amountUntrimmed.trim(toDecimals, fromDecimals);
 
         assertEq(trimmedAmount.amount, amountRoundTrip.amount);
     }

From 4db46511ab1039e84d29cfcb472846a1bfb6d213 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Tue, 12 Mar 2024 10:25:00 -0400
Subject: [PATCH 11/18] evm: rebasing changes

---
 evm/test/NttManager.t.sol    |  2 +-
 evm/test/RateLimit.t.sol     | 19 +++++-----
 evm/test/TrimmedAmount.t.sol | 73 ++++++++++++++++++------------------
 3 files changed, 47 insertions(+), 47 deletions(-)

diff --git a/evm/test/NttManager.t.sol b/evm/test/NttManager.t.sol
index 9afd2edae..37aeb30da 100644
--- a/evm/test/NttManager.t.sol
+++ b/evm/test/NttManager.t.sol
@@ -73,7 +73,7 @@ contract TestNttManager is Test, IRateLimiterEvents {
     // === pure unit tests
 
     // naive implementation of countSetBits to test against
-    function simpleCount(uint64 n) public returns (uint8) {
+    function simpleCount(uint64 n) public pure returns (uint8) {
         uint8 count;
 
         while (n > 0) {
diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index 7d9254805..b13d7aba5 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -652,7 +652,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
                 nttManager.getInboundLimitParams(TransceiverHelpersLib.SENDING_CHAIN_ID);
             assertEq(
                 inboundLimitParams.currentCapacity.getAmount(),
-                inboundLimitParams.limit.sub(transferAmount).getAmount()
+                (inboundLimitParams.limit - transferAmount).getAmount()
             );
             assertEq(inboundLimitParams.lastTxTimestamp, receiveTime);
         }
@@ -691,7 +691,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
                 nttManager.getOutboundLimitParams();
             assertEq(
                 outboundLimitParams.currentCapacity.getAmount(),
-                outboundLimitParams.limit.sub(transferAmount).getAmount()
+                (outboundLimitParams.limit - transferAmount).getAmount()
             );
             assertEq(outboundLimitParams.lastTxTimestamp, sendAgainTime);
         }
@@ -744,7 +744,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         (address user_A, address user_B, DummyToken token, uint8 decimals) = setupToken();
 
-        TrimmedAmount memory mintAmount = TrimmedAmount(mintAmt, 8);
+        TrimmedAmount mintAmount = packTrimmedAmount(mintAmt, 8);
         token.mintDummy(address(user_A), mintAmount.untrim(decimals));
         nttManager.setOutboundLimit(mintAmount.untrim(decimals));
 
@@ -758,10 +758,10 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         // allow for amounts greater than uint64 to check if [`transfer`] reverts
         // on amounts greater than u64 MAX.
-        TrimmedAmount memory transferAmount = transferAmt.trim(decimals, 8);
+        TrimmedAmount transferAmount = transferAmt.trim(decimals, 8);
 
         // check error conditions
-        if (transferAmount.amount == 0) {
+        if (transferAmount.getAmount() == 0) {
             vm.expectRevert();
             // transfer tokens from user_A -> user_B via the nttManager
             nttManager.transfer(
@@ -775,7 +775,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
             return;
         }
 
-        if (transferAmount.amount > type(uint64).max) {
+        if (transferAmount.getAmount() > type(uint64).max) {
             bytes4 selector = bytes4(keccak256("AmountTooLarge(uint256)"));
             vm.expectRevert(abi.encodeWithSelector(selector, transferAmt));
 
@@ -799,7 +799,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         // assert nttManager has 10 tokens and user_A has 10 fewer tokens
         assertEq(token.balanceOf(address(nttManager)), transferAmount.untrim(decimals));
-        assertEq(token.balanceOf(user_A), mintAmount.sub(transferAmount).untrim(decimals));
+        assertEq(token.balanceOf(user_A), (mintAmount - transferAmount).untrim(decimals));
 
         {
             // consumed capacity on the outbound side
@@ -808,7 +808,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
                 nttManager.getOutboundLimitParams();
             assertEq(
                 outboundLimitParams.currentCapacity.getAmount(),
-                outboundLimitParams.limit.sub(transferAmount).getAmount()
+                (outboundLimitParams.limit - transferAmount).getAmount()
             );
             assertEq(outboundLimitParams.lastTxTimestamp, initialBlockTimestamp);
         }
@@ -969,7 +969,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         TransceiverStructs.NttManagerMessage memory m;
         bytes memory encodedEm;
         uint256 inboundLimit = inboundLimitAmt;
-        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amount), 8);
+        TrimmedAmount trimmedAmount = packTrimmedAmount(uint64(amount), 8);
         {
             TransceiverStructs.TransceiverMessage memory em;
             (m, em) = TransceiverHelpersLib.attestTransceiversHelper(
@@ -979,7 +979,6 @@ contract TestRateLimit is Test, IRateLimiterEvents {
                 nttManager,
                 nttManager,
                 trimmedAmount,
-                // TrimmedAmount(50, 8),
                 inboundLimit.trim(token.decimals(), token.decimals()),
                 transceivers
             );
diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 63b9b996c..1bc89a8e9 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -9,12 +9,6 @@ contract TrimmingTest is Test {
     using TrimmedAmountLib for uint256;
     using TrimmedAmountLib for TrimmedAmount;
 
-    function test_packUnpack(uint64 amount, uint8 decimals) public {
-        TrimmedAmount trimmed = packTrimmedAmount(amount, decimals);
-        assertEq(trimmed.getAmount(), amount);
-        assertEq(trimmed.getDecimals(), decimals);
-    }
-
     function testTrimmingRoundTrip() public {
         uint8 decimals = 18;
         uint256 amount = 50 * 10 ** decimals;
@@ -169,6 +163,14 @@ contract TrimmingTest is Test {
         assertEq(expectedRoundTrip, amountRoundTrip);
     }
 
+    // =============   FUZZ TESTS ================== //
+
+    function test_packUnpack(uint64 amount, uint8 decimals) public {
+        TrimmedAmount trimmed = packTrimmedAmount(amount, decimals);
+        assertEq(trimmed.getAmount(), amount);
+        assertEq(trimmed.getDecimals(), decimals);
+    }
+
     function testFuzz_AddOperatorOverload(TrimmedAmount a, TrimmedAmount b) public {
         vm.assume(a.getDecimals() == b.getDecimals());
 
@@ -235,53 +237,50 @@ contract TrimmingTest is Test {
         vm.assume(fromDecimals <= 8 && fromDecimals <= toDecimals);
 
         // initialize TrimmedAmount
-        TrimmedAmount memory trimmedAmount = TrimmedAmount(uint64(amt), fromDecimals);
+        TrimmedAmount trimmedAmount = packTrimmedAmount(uint64(amt), fromDecimals);
 
         // trimming is left inverse of trimming
         uint256 amountUntrimmed = trimmedAmount.untrim(toDecimals);
-        TrimmedAmount memory amountRoundTrip = amountUntrimmed.trim(toDecimals, fromDecimals);
+        TrimmedAmount amountRoundTrip = amountUntrimmed.trim(toDecimals, fromDecimals);
 
-        assertEq(trimmedAmount.amount, amountRoundTrip.amount);
+        assertEq(trimmedAmount.getAmount(), amountRoundTrip.getAmount());
     }
 
-    // FUZZ TESTS
-
     // invariant: forall (TrimmedAmount a, TrimmedAmount b)
     //            a.saturatingAdd(b).amount <= type(uint64).max
-    function testFuzz_saturatingAddDoesNotOverflow(
-        TrimmedAmount memory a,
-        TrimmedAmount memory b
-    ) public {
-        vm.assume(a.decimals == b.decimals);
+    function testFuzz_saturatingAddDoesNotOverflow(TrimmedAmount a, TrimmedAmount b) public {
+        vm.assume(a.getDecimals() == b.getDecimals());
 
-        TrimmedAmount memory c = a.saturatingAdd(b);
+        TrimmedAmount c = a.saturatingAdd(b);
 
         // decimals should always be the same, else revert
-        assertEq(c.decimals, a.decimals);
+        assertEq(c.getDecimals(), a.getDecimals());
 
         // amount should never overflow
-        assertLe(c.amount, type(uint64).max);
+        assertLe(c.getAmount(), type(uint64).max);
         // amount should never underflow
-        assertGe(c.amount, 0);
+        assertGe(c.getAmount(), 0);
     }
 
     // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
     // or trimmed to the number of decimals on the recipient chain.
     // this tests for inputs with decimals > TRIMMED_DECIMALS
-    function testFuzz_SubOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public pure {
+    function testFuzz_SubOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
         decimals = uint8(bound(decimals, 8, 18));
         uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
         vm.assume(amt < maxAmt);
 
         uint256 amount = amt * (10 ** decimals);
         uint256 amountOther = 0;
-        TrimmedAmount memory trimmedAmount = amount.trim(decimals, 8);
-        TrimmedAmount memory trimmedAmountOther = amountOther.trim(decimals, 8);
+        TrimmedAmount trimmedAmount = amount.trim(decimals, 8);
+        TrimmedAmount trimmedAmountOther = amountOther.trim(decimals, 8);
 
-        TrimmedAmount memory trimmedSub = trimmedAmount.sub(trimmedAmountOther);
+        TrimmedAmount trimmedSub = trimmedAmount - trimmedAmountOther;
 
-        TrimmedAmount memory expectedTrimmedSub = TrimmedAmount(uint64(amt * (10 ** 8)), 8);
-        assert(expectedTrimmedSub.eq(trimmedSub));
+        TrimmedAmount expectedTrimmedSub = packTrimmedAmount(uint64(amt * (10 ** 8)), 8);
+        assert(expectedTrimmedSub == trimmedSub);
+        assertEq(expectedTrimmedSub.getAmount(), trimmedSub.getAmount());
+        assertEq(expectedTrimmedSub.getDecimals(), trimmedSub.getDecimals());
     }
 
     function testFuzz_SubOperatorWillOverflow(
@@ -296,29 +295,31 @@ contract TrimmingTest is Test {
 
         uint256 amountLeft = amtLeft * (10 ** decimals);
         uint256 amountRight = amtRight * (10 ** decimals);
-        TrimmedAmount memory trimmedAmount = amountLeft.trim(decimals, 8);
-        TrimmedAmount memory trimmedAmountOther = amountRight.trim(decimals, 8);
+        TrimmedAmount trimmedAmount = amountLeft.trim(decimals, 8);
+        TrimmedAmount trimmedAmountOther = amountRight.trim(decimals, 8);
 
-        vm.expectRevert();
-        trimmedAmount.sub(trimmedAmountOther);
+        vm.expectRevert(stdError.arithmeticError);
+        trimmedAmount - trimmedAmountOther;
     }
 
     // NOTE: above the TRIMMED_DECIMALS threshold will always get trimmed to TRIMMED_DECIMALS
     // or trimmed to the number of decimals on the recipient chain.
     // this tests for inputs with decimals > TRIMMED_DECIMALS
-    function testFuzz_AddOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public pure {
+    function testFuzz_AddOperatorZeroAboveThreshold(uint256 amt, uint8 decimals) public {
         decimals = uint8(bound(decimals, 8, 18));
         uint256 maxAmt = (type(uint64).max) / (10 ** decimals);
         vm.assume(amt < maxAmt);
 
         uint256 amount = amt * (10 ** decimals);
         uint256 amountOther = 0;
-        TrimmedAmount memory trimmedAmount = amount.trim(decimals, 8);
-        TrimmedAmount memory trimmedAmountOther = amountOther.trim(decimals, 8);
+        TrimmedAmount trimmedAmount = amount.trim(decimals, 8);
+        TrimmedAmount trimmedAmountOther = amountOther.trim(decimals, 8);
 
-        TrimmedAmount memory trimmedSum = trimmedAmount.add(trimmedAmountOther);
+        TrimmedAmount trimmedSum = trimmedAmount + trimmedAmountOther;
 
-        TrimmedAmount memory expectedTrimmedSum = TrimmedAmount(uint64(amt * (10 ** 8)), 8);
-        assert(expectedTrimmedSum.eq(trimmedSum));
+        TrimmedAmount expectedTrimmedSum = packTrimmedAmount(uint64(amt * (10 ** 8)), 8);
+        assert(expectedTrimmedSum == trimmedSum);
+        assertEq(expectedTrimmedSum.getAmount(), trimmedSum.getAmount());
+        assertEq(expectedTrimmedSum.getDecimals(), trimmedSum.getDecimals());
     }
 }

From 0c69f0ea7aee1e7827055a26c9944f7baf19161c Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Tue, 12 Mar 2024 10:30:14 -0400
Subject: [PATCH 12/18] evm: use bound in place of vm.assume

---
 evm/test/RateLimit.t.sol | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index b13d7aba5..936c6857e 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -953,8 +953,8 @@ contract TestRateLimit is Test, IRateLimiterEvents {
     }
 
     function testFuzz_inboundRateLimitShouldQueue(uint256 inboundLimitAmt, uint256 amount) public {
-        vm.assume(amount > 0 && amount <= type(uint64).max);
-        vm.assume(inboundLimitAmt < amount);
+        amount = bound(amount, 1, type(uint64).max);
+        inboundLimitAmt = bound(amount, 0, amount - 1);
 
         address user_B = address(0x456);
 

From 03ecf97e76647b384c808f9a57ad476d03f7e82e Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Tue, 12 Mar 2024 15:22:29 -0400
Subject: [PATCH 13/18] evm: test against inputs greater than u64MAX

---
 evm/test/RateLimit.t.sol | 68 +++++++++++++++++++++++-----------------
 1 file changed, 40 insertions(+), 28 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index 936c6857e..fcf7120fc 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -11,6 +11,7 @@ import "wormhole-solidity-sdk/testing/helpers/WormholeSimulator.sol";
 import "openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Proxy.sol";
 import "./libraries/TransceiverHelpers.sol";
 import "./libraries/NttManagerHelpers.sol";
+import "wormhole-solidity-sdk/libraries/BytesParsing.sol";
 
 pragma solidity >=0.8.8 <0.9.0;
 
@@ -19,6 +20,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
     using TrimmedAmountLib for uint256;
     using TrimmedAmountLib for TrimmedAmount;
+    using BytesParsing for bytes;
 
     uint16 constant chainId = 7;
 
@@ -731,6 +733,27 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         return transceivers;
     }
 
+    function expectRevert(
+        address contractAddress,
+        bytes memory encodedSignature,
+        string memory expectedRevert
+    ) internal {
+        (bool success, bytes memory result) = contractAddress.call(
+            encodedSignature
+        );
+        require(!success, "call did not revert");
+
+        console.log("result: %s", result.length);
+        // // compare revert strings
+        bytes32 expectedRevertHash = keccak256(abi.encode(expectedRevert));
+        (bytes memory res,) = result.slice(4, result.length - 4);
+        bytes32 actualRevertHash = keccak256(abi.encodePacked(res));
+        require(
+             expectedRevertHash == actualRevertHash,
+            "call did not revert as expected"
+        );
+    }
+
     // transfer tokens from user_A to user_B
     // this consumes capacity on the outbound side
     // send tokens from user_B to user_A
@@ -738,47 +761,36 @@ contract TestRateLimit is Test, IRateLimiterEvents {
     // send tokens from user_A to user_B
     // this should consume capacity on the outbound side
     // and backfill the inbound side
-    function testFuzz_CircularFlowBackFilling(uint64 mintAmt, uint256 transferAmt) public {
-        mintAmt = uint64(bound(mintAmt, 2, type(uint256).max));
-        transferAmt = uint64(bound(transferAmt, 1, mintAmt - 1));
+    function testFuzz_CircularFlowBackFilling(uint256 mintAmt, uint256 transferAmt) public {
+        mintAmt = bound(mintAmt, 1, type(uint256).max);
+        // enforces transferAmt <= mintAmt
+        transferAmt = bound(transferAmt, 0, mintAmt);
 
         (address user_A, address user_B, DummyToken token, uint8 decimals) = setupToken();
 
-        TrimmedAmount mintAmount = packTrimmedAmount(mintAmt, 8);
+        // allow for amounts greater than uint64 to check if [`setOutboundLimit`] reverts
+        // on amounts greater than u64 MAX.
+        if (mintAmt.scale(decimals, 8) > type(uint64).max) {
+            vm.expectRevert("SafeCast: value doesn't fit in 64 bits");
+            nttManager.setOutboundLimit(mintAmt);
+
+            return;
+        }
+
+        nttManager.setOutboundLimit(mintAmt);
+        TrimmedAmount mintAmount = mintAmt.trim(decimals, 8);
         token.mintDummy(address(user_A), mintAmount.untrim(decimals));
         nttManager.setOutboundLimit(mintAmount.untrim(decimals));
 
-        // transfer 10 tokens
         vm.startPrank(user_A);
-
-        // TrimmedAmount memory transferAmount = TrimmedAmount(transferAmt, 8);
         token.approve(address(nttManager), type(uint256).max);
 
-        // TODO: also fuzz the fromDecimals?
-
-        // allow for amounts greater than uint64 to check if [`transfer`] reverts
-        // on amounts greater than u64 MAX.
         TrimmedAmount transferAmount = transferAmt.trim(decimals, 8);
 
         // check error conditions
+        // revert if amount to be transferred is 0
         if (transferAmount.getAmount() == 0) {
-            vm.expectRevert();
-            // transfer tokens from user_A -> user_B via the nttManager
-            nttManager.transfer(
-                transferAmount.untrim(decimals),
-                chainId,
-                toWormholeFormat(user_B),
-                false,
-                new bytes(1)
-            );
-
-            return;
-        }
-
-        if (transferAmount.getAmount() > type(uint64).max) {
-            bytes4 selector = bytes4(keccak256("AmountTooLarge(uint256)"));
-            vm.expectRevert(abi.encodeWithSelector(selector, transferAmt));
-
+            vm.expectRevert(abi.encodeWithSelector(INttManager.ZeroAmount.selector));
             nttManager.transfer(
                 transferAmount.untrim(decimals),
                 chainId,

From b4e43e670f3e14dc6a6025f85ae7cf4eb6b40203 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Tue, 12 Mar 2024 15:54:32 -0400
Subject: [PATCH 14/18] evm: use explicit error selectors in reverts

---
 evm/test/RateLimit.t.sol | 75 +++++++++++++++++++++++-----------------
 1 file changed, 44 insertions(+), 31 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index fcf7120fc..fe1cd2572 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -342,8 +342,11 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         uint256 transferAmount = 3 * 10 ** decimals;
         token.approve(address(nttManager), transferAmount);
 
-        bytes4 selector = bytes4(keccak256("NotEnoughCapacity(uint256,uint256)"));
-        vm.expectRevert(abi.encodeWithSelector(selector, outboundLimit, transferAmount));
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                IRateLimiter.NotEnoughCapacity.selector, outboundLimit, transferAmount
+            )
+        );
         nttManager.transfer(transferAmount, chainId, toWormholeFormat(user_B), false, new bytes(1));
     }
 
@@ -377,9 +380,12 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         uint256 badTransferAmount = 2 * 10 ** decimals;
         token.approve(address(nttManager), badTransferAmount);
 
-        bytes4 selector = bytes4(keccak256("NotEnoughCapacity(uint256,uint256)"));
         vm.expectRevert(
-            abi.encodeWithSelector(selector, newCapacity.untrim(decimals), badTransferAmount)
+            abi.encodeWithSelector(
+                IRateLimiter.NotEnoughCapacity.selector,
+                newCapacity.untrim(decimals),
+                badTransferAmount
+            )
         );
         nttManager.transfer(
             badTransferAmount, chainId, toWormholeFormat(user_B), false, new bytes(1)
@@ -430,9 +436,11 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         vm.warp(durationElapsedTime - 1);
 
         // assert that transfer still can't be completed
-        bytes4 stillQueuedSelector =
-            bytes4(keccak256("OutboundQueuedTransferStillQueued(uint64,uint256)"));
-        vm.expectRevert(abi.encodeWithSelector(stillQueuedSelector, 0, initialBlockTimestamp));
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                IRateLimiter.OutboundQueuedTransferStillQueued.selector, 0, initialBlockTimestamp
+            )
+        );
         nttManager.completeOutboundQueuedTransfer(0);
 
         // now complete transfer
@@ -441,8 +449,9 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         assertEq(seq, 0);
 
         // now ensure transfer was removed from queue
-        bytes4 notFoundSelector = bytes4(keccak256("OutboundQueuedTransferNotFound(uint64)"));
-        vm.expectRevert(abi.encodeWithSelector(notFoundSelector, 0));
+        vm.expectRevert(
+            abi.encodeWithSelector(IRateLimiter.OutboundQueuedTransferNotFound.selector, 0)
+        );
         nttManager.completeOutboundQueuedTransfer(0);
     }
 
@@ -544,10 +553,12 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         {
             // assert that transfer still can't be completed
-            bytes4 stillQueuedSelector =
-                bytes4(keccak256("InboundQueuedTransferStillQueued(bytes32,uint256)"));
             vm.expectRevert(
-                abi.encodeWithSelector(stillQueuedSelector, digest, initialBlockTimestamp)
+                abi.encodeWithSelector(
+                    IRateLimiter.InboundQueuedTransferStillQueued.selector,
+                    digest,
+                    initialBlockTimestamp
+                )
             );
             nttManager.completeInboundQueuedTransfer(digest);
         }
@@ -558,8 +569,9 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         {
             // assert transfer no longer in queue
-            bytes4 notQueuedSelector = bytes4(keccak256("InboundQueuedTransferNotFound(bytes32)"));
-            vm.expectRevert(abi.encodeWithSelector(notQueuedSelector, digest));
+            vm.expectRevert(
+                abi.encodeWithSelector(IRateLimiter.InboundQueuedTransferNotFound.selector, digest)
+            );
             nttManager.completeInboundQueuedTransfer(digest);
         }
 
@@ -738,9 +750,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         bytes memory encodedSignature,
         string memory expectedRevert
     ) internal {
-        (bool success, bytes memory result) = contractAddress.call(
-            encodedSignature
-        );
+        (bool success, bytes memory result) = contractAddress.call(encodedSignature);
         require(!success, "call did not revert");
 
         console.log("result: %s", result.length);
@@ -748,10 +758,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         bytes32 expectedRevertHash = keccak256(abi.encode(expectedRevert));
         (bytes memory res,) = result.slice(4, result.length - 4);
         bytes32 actualRevertHash = keccak256(abi.encodePacked(res));
-        require(
-             expectedRevertHash == actualRevertHash,
-            "call did not revert as expected"
-        );
+        require(expectedRevertHash == actualRevertHash, "call did not revert as expected");
     }
 
     // transfer tokens from user_A to user_B
@@ -948,9 +955,11 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         vm.warp(durationElapsedTime - 1);
 
         // assert that transfer still can't be completed
-        bytes4 stillQueuedSelector =
-            bytes4(keccak256("OutboundQueuedTransferStillQueued(uint64,uint256)"));
-        vm.expectRevert(abi.encodeWithSelector(stillQueuedSelector, 0, initialBlockTimestamp));
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                IRateLimiter.OutboundQueuedTransferStillQueued.selector, 0, initialBlockTimestamp
+            )
+        );
         nttManager.completeOutboundQueuedTransfer(0);
 
         // now complete transfer
@@ -959,8 +968,9 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         assertEq(seq, 0);
 
         // now ensure transfer was removed from queue
-        bytes4 notFoundSelector = bytes4(keccak256("OutboundQueuedTransferNotFound(uint64)"));
-        vm.expectRevert(abi.encodeWithSelector(notFoundSelector, 0));
+        vm.expectRevert(
+            abi.encodeWithSelector(IRateLimiter.OutboundQueuedTransferNotFound.selector, 0)
+        );
         nttManager.completeOutboundQueuedTransfer(0);
     }
 
@@ -1027,10 +1037,12 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         {
             // assert that transfer still can't be completed
-            bytes4 stillQueuedSelector =
-                bytes4(keccak256("InboundQueuedTransferStillQueued(bytes32,uint256)"));
             vm.expectRevert(
-                abi.encodeWithSelector(stillQueuedSelector, digest, initialBlockTimestamp)
+                abi.encodeWithSelector(
+                    IRateLimiter.InboundQueuedTransferStillQueued.selector,
+                    digest,
+                    initialBlockTimestamp
+                )
             );
             nttManager.completeInboundQueuedTransfer(digest);
         }
@@ -1041,8 +1053,9 @@ contract TestRateLimit is Test, IRateLimiterEvents {
 
         {
             // assert transfer no longer in queue
-            bytes4 notQueuedSelector = bytes4(keccak256("InboundQueuedTransferNotFound(bytes32)"));
-            vm.expectRevert(abi.encodeWithSelector(notQueuedSelector, digest));
+            vm.expectRevert(
+                abi.encodeWithSelector(IRateLimiter.InboundQueuedTransferNotFound.selector, digest)
+            );
             nttManager.completeInboundQueuedTransfer(digest);
         }
 

From a11c15092e7215f7e0750e412b250ca3e2894627 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Thu, 14 Mar 2024 13:17:50 -0400
Subject: [PATCH 15/18] evm: rename inputs for more clarity

---
 evm/test/TrimmedAmount.t.sol | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 1bc89a8e9..58cd45f5c 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -221,27 +221,34 @@ contract TrimmingTest is Test {
         assertEq(expectedIsLt, isLt);
     }
 
+    function testFuzz_trimisNOOP(uint256 amount, uint8 aDecimals, uint8 bDecimals) {
+        uint256 amt = bound(amount, 1, type(uint64).max);
+        vm.assume(aDecimals <= 50);
+        vm.assume(bDecimals <= 50);
+
+    }
+
     // invariant: forall (x: uint256, y: uint8, z: uint8),
     //            (x <= type(uint64).max, y <= z)
     //                    => (x.trim(x, 8).untrim(y) == x)
     function testFuzz_trimIsLeftInverse(
         uint256 amount,
-        uint8 fromDecimals,
-        uint8 toDecimals
+        uint8 aDecimals,
+        uint8 bDecimals
     ) public {
         uint256 amt = bound(amount, 1, type(uint64).max);
-        vm.assume(fromDecimals <= 50);
-        vm.assume(toDecimals <= 50);
+        vm.assume(aDecimals <= 50);
+        vm.assume(bDecimals <= 50);
 
         // NOTE: this is guaranteeed by trimming
-        vm.assume(fromDecimals <= 8 && fromDecimals <= toDecimals);
+        vm.assume(aDecimals <= 8 && aDecimals <= bDecimals);
 
         // initialize TrimmedAmount
-        TrimmedAmount trimmedAmount = packTrimmedAmount(uint64(amt), fromDecimals);
+        TrimmedAmount trimmedAmount = packTrimmedAmount(uint64(amt), aDecimals);
 
-        // trimming is left inverse of trimming
-        uint256 amountUntrimmed = trimmedAmount.untrim(toDecimals);
-        TrimmedAmount amountRoundTrip = amountUntrimmed.trim(toDecimals, fromDecimals);
+        // trimming is the left inverse of trimming
+        uint256 amountUntrimmed = trimmedAmount.untrim(bDecimals);
+        TrimmedAmount amountRoundTrip = amountUntrimmed.trim(bDecimals, aDecimals);
 
         assertEq(trimmedAmount.getAmount(), amountRoundTrip.getAmount());
     }

From bd05006c23edc32bb2c85dff3ff48bd7cab3dbc5 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Fri, 15 Mar 2024 09:44:00 -0400
Subject: [PATCH 16/18] evm: simplify trimming is left inverse test

---
 evm/test/TrimmedAmount.t.sol | 31 +++++++++----------------------
 1 file changed, 9 insertions(+), 22 deletions(-)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 58cd45f5c..b0d205865 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -221,34 +221,21 @@ contract TrimmingTest is Test {
         assertEq(expectedIsLt, isLt);
     }
 
-    function testFuzz_trimisNOOP(uint256 amount, uint8 aDecimals, uint8 bDecimals) {
-        uint256 amt = bound(amount, 1, type(uint64).max);
+    // invariant: forall (x: TrimmedAmount, aDecimals: uint8, bDecimals: uint8),
+    //            (x.amount <= type(uint64).max)
+    //                    => (trim(untrim(x)) == x)
+    function testFuzz_trimIsLeftInverse(uint256 amount, uint8 aDecimals, uint8 bDecimals) public {
+        // restrict inputs up to u64MAX. Inputs above u64 are tested elsewhere
+        amount = bound(amount, 0, type(uint64).max);
         vm.assume(aDecimals <= 50);
         vm.assume(bDecimals <= 50);
 
-    }
-
-    // invariant: forall (x: uint256, y: uint8, z: uint8),
-    //            (x <= type(uint64).max, y <= z)
-    //                    => (x.trim(x, 8).untrim(y) == x)
-    function testFuzz_trimIsLeftInverse(
-        uint256 amount,
-        uint8 aDecimals,
-        uint8 bDecimals
-    ) public {
-        uint256 amt = bound(amount, 1, type(uint64).max);
-        vm.assume(aDecimals <= 50);
-        vm.assume(bDecimals <= 50);
-
-        // NOTE: this is guaranteeed by trimming
-        vm.assume(aDecimals <= 8 && aDecimals <= bDecimals);
-
         // initialize TrimmedAmount
-        TrimmedAmount trimmedAmount = packTrimmedAmount(uint64(amt), aDecimals);
+        TrimmedAmount trimmedAmount = amount.trim(aDecimals, bDecimals);
 
         // trimming is the left inverse of trimming
-        uint256 amountUntrimmed = trimmedAmount.untrim(bDecimals);
-        TrimmedAmount amountRoundTrip = amountUntrimmed.trim(bDecimals, aDecimals);
+        // e.g. trim(untrim(x)) == x
+        TrimmedAmount amountRoundTrip = (trimmedAmount.untrim(bDecimals)).trim(bDecimals, aDecimals);
 
         assertEq(trimmedAmount.getAmount(), amountRoundTrip.getAmount());
     }

From 8c95b29cbf196d6e6254b36d0e68f5551a438f77 Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Fri, 15 Mar 2024 11:15:32 -0400
Subject: [PATCH 17/18] evm: test additional invariants

---
 evm/test/TrimmedAmount.t.sol | 91 ++++++++++++++++++++++++++++--------
 1 file changed, 72 insertions(+), 19 deletions(-)

diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index b0d205865..680a330ea 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -221,25 +221,6 @@ contract TrimmingTest is Test {
         assertEq(expectedIsLt, isLt);
     }
 
-    // invariant: forall (x: TrimmedAmount, aDecimals: uint8, bDecimals: uint8),
-    //            (x.amount <= type(uint64).max)
-    //                    => (trim(untrim(x)) == x)
-    function testFuzz_trimIsLeftInverse(uint256 amount, uint8 aDecimals, uint8 bDecimals) public {
-        // restrict inputs up to u64MAX. Inputs above u64 are tested elsewhere
-        amount = bound(amount, 0, type(uint64).max);
-        vm.assume(aDecimals <= 50);
-        vm.assume(bDecimals <= 50);
-
-        // initialize TrimmedAmount
-        TrimmedAmount trimmedAmount = amount.trim(aDecimals, bDecimals);
-
-        // trimming is the left inverse of trimming
-        // e.g. trim(untrim(x)) == x
-        TrimmedAmount amountRoundTrip = (trimmedAmount.untrim(bDecimals)).trim(bDecimals, aDecimals);
-
-        assertEq(trimmedAmount.getAmount(), amountRoundTrip.getAmount());
-    }
-
     // invariant: forall (TrimmedAmount a, TrimmedAmount b)
     //            a.saturatingAdd(b).amount <= type(uint64).max
     function testFuzz_saturatingAddDoesNotOverflow(TrimmedAmount a, TrimmedAmount b) public {
@@ -316,4 +297,76 @@ contract TrimmingTest is Test {
         assertEq(expectedTrimmedSum.getAmount(), trimmedSum.getAmount());
         assertEq(expectedTrimmedSum.getDecimals(), trimmedSum.getDecimals());
     }
+
+    function testFuzz_trimmingInvariants(
+        uint256 amount,
+        uint256 amount2,
+        uint8 fromDecimals,
+        uint8 midDecimals,
+        uint8 toDecimals
+    ) public {
+        // restrict inputs up to u64MAX. Inputs above u64 are tested elsewhere
+        amount = bound(amount, 0, type(uint64).max);
+        amount2 = bound(amount, 0, type(uint64).max);
+        vm.assume(fromDecimals <= 50);
+        vm.assume(toDecimals <= 50);
+
+        TrimmedAmount trimmedAmt = amount.trim(fromDecimals, toDecimals);
+        TrimmedAmount trimmedAmt2 = amount2.trim(fromDecimals, toDecimals);
+        uint256 untrimmedAmt = trimmedAmt.untrim(fromDecimals);
+        uint256 untrimmedAmt2 = trimmedAmt2.untrim(fromDecimals);
+
+        // trimming is the left inverse of trimming
+        // invariant: forall (x: TrimmedAmount, fromDecimals: uint8, toDecimals: uint8),
+        //            (x.amount <= type(uint64).max)
+        //                    => (trim(untrim(x)) == x)
+        TrimmedAmount amountRoundTrip = untrimmedAmt.trim(fromDecimals, toDecimals);
+        assertEq(trimmedAmt.getAmount(), amountRoundTrip.getAmount());
+
+        // trimming is a NOOP
+        // invariant:
+        //     forall (x: uint256, y: uint8, z: uint8),
+        //            (y < z && (y < 8 || z < 8)), trim(x) == x
+        if (fromDecimals <= toDecimals && (fromDecimals < 8 || toDecimals < 8)) {
+            assertEq(trimmedAmt.getAmount(), uint64(amount));
+        }
+
+        // invariant: source amount is always greater than or equal to the trimmed amount
+        // this is also captured by the invariant above
+        assertGe(amount, trimmedAmt.getAmount());
+
+        // invariant: trimmed amount must not exceed the untrimmed amount
+        assertLe(trimmedAmt.getAmount(), untrimmedAmt);
+
+        // invariant: untrimmed amount must not exceed the source amount
+        assertLe(untrimmedAmt, amount);
+
+        // invariant:
+        //         the number of decimals after trimming must not exceed
+        //         the number of decimals before trimming
+        assertLe(trimmedAmt.getDecimals(), fromDecimals);
+
+        // invariant:
+        //      trimming and untrimming preserve ordering relations
+        if (amount > amount2) {
+            assertGt(untrimmedAmt, untrimmedAmt2);
+        } else if (amount < amount2) {
+            assertLt(untrimmedAmt, untrimmedAmt2);
+        } else {
+            assertEq(untrimmedAmt, untrimmedAmt2);
+        }
+
+        // invariant: trimming and untrimming are commutative when
+        //            the number of decimals are the same and less than or equal to 8
+        if (fromDecimals <= 8 && fromDecimals == toDecimals) {
+            assertEq(amount, untrimmedAmt);
+        }
+
+        // invariant: trimming and untrimming are associative
+        //            when there is no intermediate loss of precision
+        vm.assume(midDecimals >= fromDecimals);
+        TrimmedAmount trimmedAmtA = amount.trim(fromDecimals, midDecimals);
+        TrimmedAmount trimmedAmtB = amount.trim(fromDecimals, toDecimals);
+        assertEq(trimmedAmtA.untrim(toDecimals), trimmedAmtB.untrim(toDecimals));
+    }
 }

From 03759b18c3a1055eb3bcde67d30e99269e3ab72a Mon Sep 17 00:00:00 2001
From: Rahul Maganti <rahulmaganti@rahuls-mbp.mynetworksettings.com>
Date: Fri, 15 Mar 2024 13:08:42 -0400
Subject: [PATCH 18/18] evm: use bound instead of assume

---
 evm/test/RateLimit.t.sol     | 2 +-
 evm/test/TrimmedAmount.t.sol | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/evm/test/RateLimit.t.sol b/evm/test/RateLimit.t.sol
index fe1cd2572..916ccaa8b 100644
--- a/evm/test/RateLimit.t.sol
+++ b/evm/test/RateLimit.t.sol
@@ -918,7 +918,7 @@ contract TestRateLimit is Test, IRateLimiterEvents {
         uint256 totalAmt = (type(uint64).max) / (10 ** decimals);
         // avoids the ZeroAmount() error
         // cannot transfer more than what's available
-        vm.assume(transferAmt > 0 && transferAmt <= totalAmt);
+        transferAmt = bound(transferAmt, 1, totalAmt);
         // this ensures that the transfer is always queued up
         vm.assume(limitAmt < transferAmt);
 
diff --git a/evm/test/TrimmedAmount.t.sol b/evm/test/TrimmedAmount.t.sol
index 680a330ea..fae0c0f2d 100644
--- a/evm/test/TrimmedAmount.t.sol
+++ b/evm/test/TrimmedAmount.t.sol
@@ -316,7 +316,7 @@ contract TrimmingTest is Test {
         uint256 untrimmedAmt = trimmedAmt.untrim(fromDecimals);
         uint256 untrimmedAmt2 = trimmedAmt2.untrim(fromDecimals);
 
-        // trimming is the left inverse of trimming
+        // trimming is the left inverse of untrimming
         // invariant: forall (x: TrimmedAmount, fromDecimals: uint8, toDecimals: uint8),
         //            (x.amount <= type(uint64).max)
         //                    => (trim(untrim(x)) == x)