Term Finance TermAuction Clearing Assignment

Invariant

\texttt{bidAssignmentRatesRespectClearing}

Bid rate floor
Every positive assigned bid has price at least the clearing price.

\;\land\;

\texttt{offerAssignmentRatesRespectClearing}

Offer rate ceiling
Every positive assigned offer has price at most the clearing price.

\;\land\;

\texttt{assignedBidPrincipal}=\texttt{maxAssignable}

Bid principal
Total assigned borrower principal reaches the shared cap.

\;\land\;

\texttt{assignedOfferPrincipal}=\texttt{maxAssignable}

Offer principal
Total assigned lender principal reaches the same shared cap.

Filled borrowers must be willing to pay the clearing price, filled lenders must be willing to accept it, and total borrowed principal must equal total lent principal.

View Lean

Term Finance lets borrowers and lenders agree on fixed-rate loans through recurring auctions. Borrowers submit the highest rate they are willing to pay. Lenders submit the lowest rate they are willing to accept. The auction chooses one clearing rate for the matched loans and assigns purchase-token principal to both sides.

Why It Matters

The clearing price becomes the fixed interest rate for every matched loan. If a bid below that rate or an offer above that rate were assigned, one side could be forced into a worse rate than it submitted.

The auction also computes maxAssignable: the amount of principal that can be matched between borrowers and lenders at the clearing price. The same cap is passed to the bid assignment loop and the offer assignment loop. If the two sides assigned different purchase-token principal, the repo could become insolvent or leave funds stuck after the auction.

How This Was Modeled and Proven

The benchmark models _assignBids and _assignOffers as pure purchase-token assignment functions. It treats the clearing price and shared cap as outputs of the clearing step and assumes they satisfy the same eligible-demand and eligible-supply capacity relation returned by _calculateClearingPrice.

Scope is deliberate. The model covers successful assignment at purchase-token-principal level. It keeps sorted bid and offer arrays as the real input-boundary hypothesis, although the assignment proof is order-insensitive once the capacity relation is assumed. It does not prove the search loop that finds the clearing point. It also does not prove settlement-level repurchase value, because settlement floors interest and the protocol checks a bounded repo-balance threshold.

The proof status is PROOF for this scoped assignment theorem. The earlier residual-sweep obligations are now discharged by induction over the modeled bid and offer sweeps. The proof shows that the capped sweeps assign exactly maxAssignable when eligible demand and supply cover that cap, and that every positive assignment came from a branch whose price guard was true.

Scope

This case targets TermAuction.sol at commit 127b74d871fc74e3a03d6d3b0f1fafe7e5d10275. The modeled functions are:

_assignBids as a high-price-first purchase-token principal sweep over the sorted bid array.
_assignOffers as a low-price-first purchase-token principal sweep over the sorted offer array.
_calculateClearingPrice through the theorem hypothesis ClearingPointCapacity, not as a proved search-loop implementation.

The model abstracts the pro-rata floor arithmetic inside a marginal price group to a residual sweep. That is enough for the theorem proved here: the side total reaches exactly maxAssignable and every positive assignment respects the clearing-rate guard. It does not claim to prove the per-tender distribution inside the marginal group.

Out of scope: nonzero clearing offsets, reverting executions, external locker and token calls, events, controller checks, rollover and collateral-manager behavior, fixed-width overflow reasoning, and settlement-level repurchase-value balance after floor rounding.

Proof artifacts

Contract.lean contains the focused assignment model, eligible demand and supply sums, and the ClearingPointCapacity predicate.
Specs.lean states the readable invariant: bid rate floor, offer rate ceiling, bid total, offer total, and equality between the two sides.
Proofs.lean proves the residual-sweep totals and rate guards, then proves clearing_assignment_correct.
The case directory includes the compile target and generated task prompt.

Function	Theorem	Status
_assignBids / _assignOffers	clearing_assignment_correct	Proven

Verify it yourself

The model, spec, and proof artifacts are in the benchmark case. Read Contract.lean, Specs.lean, and Proofs.lean, then run:

git clone https://github.com/lfglabs-dev/verity-benchmark
cd verity-benchmark
lake build Benchmark.Cases.TermFinance.TermAuctionClearing.Proofs

Assumptions

The residual-sweep totals and rate guards are proved in Lean. The remaining assumptions are the protocol boundary conditions and scoped exclusions that define this assignment theorem.

SortedAscendingBidsmerged bid array is ascending by price
TermAuctionBidLocker input boundary
TermAuction assumes sorted input. The locker validates revealed bid order, and this benchmark treats the merged assignment array as sorted. The current assignment theorem does not consume this order after clearing capacity is assumed, but it remains part of the production input boundary.
SortedAscendingOffersmerged offer array is ascending by price
TermAuctionOfferLocker input boundary
TermAuction assumes sorted input. The locker validates revealed offer order, and this benchmark treats the merged assignment array as sorted. The current assignment theorem does not consume this order after clearing capacity is assumed, but it remains part of the production input boundary.
ClearingPointCapacitymaxAssignable is covered by eligible demand and supply
Contract.lean
The model assumes the clearing step returned a cap no larger than bids with price at least the clearing price and offers with price at most the clearing price. The assignment theorem is proved from this capacity relation; the clearing-price search loop itself is not proved in this case.
successful assignment pathpostcondition is about non-reverting assignment
Contract.lean scope
The benchmark models the successful path of assignment. External calls, events, controller checks, and token transfers are outside this purchase-token assignment slice.
clearingOffset = 0nonzero clearing offsets are out of scope
Contract.lean scope
The benchmark proves the zero-offset assignment slice. It does not model offset-adjusted clearing prices.
purchase-token principalsettlement-value rounding is out of scope
Contract.lean scope
The theorem proves exact equality of assigned principal. It does not prove the downstream bounded balance check after repurchase price rounding.

Learn More

More Research

Morpho Midnight Liquidation and Accounting Proofs

Machine-checked RCF recovery and bad-debt lender-credit accounting for Morpho Midnight, with pinned proof files and explicit Verity boundaries.

for

IPOR PlasmaVault Redeem Splitting

A formal-verification case study proving virtualized PPS safety for the public redeem arithmetic slice.

for

Zodiac Roles v3 Decoder Faithfulness

Formally verified calldata decoder faithfulness and bounds safety for the Roles v3 ABI walker.

for