A production-grade repository demonstrating comprehensive smart contract testing expertise using Foundry, Solidity, and modern QA practices for Smart Contract QA/SDET engineers.
This repository showcases professional smart contract testing methodologies including unit testing, fuzz testing, invariant testing, security analysis, and CI/CD integration. It serves as a portfolio piece demonstrating deep understanding of smart contract security and testing best practices.
- Solidity: 0.8.24 with latest security features
- Foundry: Complete testing and development framework
- OpenZeppelin: Industry-standard secure contracts
- Slither: Static analysis for security vulnerabilities
- GitHub Actions: Automated CI/CD pipeline
```text
smart-contract-testing-core/
├── foundry.toml                  # Foundry configuration
├── remappings.txt                # Import remappings
├── .gitignore                    # Git ignore rules
├── .env.example                  # Environment variables template
├── slither.config.json           # Slither analysis configuration
├── README.md                     # This file
│
├── src/                          # Source contracts
│   ├── core/
│   │   └── Vault.sol             # Main vault contract
│   ├── interfaces/
│   │   └── IVault.sol            # Vault interface
│   └── libraries/
│       └── VaultMath.sol         # Mathematical utilities
│
├── test/                         # Test suite
│   ├── unit/
│   │   └── VaultTest.sol         # Unit tests
│   ├── fuzz/
│   │   └── VaultFuzzTest.sol     # Fuzz tests
│   ├── invariant/
│   │   └── VaultInvariantTest.sol # Invariant tests
│   ├── mocks/
│   │   └── MockVault.sol         # Mock contract for testing
│   └── utils/
│       └── BaseTest.sol          # Base test utilities
│
├── script/                       # Deployment scripts
│   ├── DeployVault.s.sol         # Vault deployment
│   └── InteractWithVault.s.sol   # Interaction demo
│
├── audit/                        # Security audit documentation
│   ├── threat-model.md           # Threat analysis
│   ├── manual-review-checklist.md # Review checklist
│   └── slither/
│       └── slither-findings-placeholder.md # Slither results
│
└── .github/
    └── workflows/
        └── ci.yml                # CI/CD pipeline
```
- Foundry installed
- Git for version control
- Node.js (for Slither analysis)

1. Clone the repository

```bash
git clone <repository-url>
cd smart-contract-testing-core
```

2. Install Foundry dependencies

```bash
forge install
```

3. Set up environment variables

```bash
cp .env.example .env
# Edit .env with your configuration
```
```bash
# Run all unit tests (filters are case-sensitive regexes, so match the contract name "VaultInvariantTest")
forge test --no-match-contract Invariant -vvv

# Run specific test file
forge test --match-contract VaultTest -vvv
```

```bash
# Run fuzz tests with default runs
forge test --fuzz-runs 256 --no-match-contract Invariant -vvv

# Run fuzz tests with more runs for thorough testing
forge test --fuzz-runs 1000 --no-match-contract Invariant -vvv
```

```bash
# Run invariant tests
forge test --match-contract Invariant --invariant-runs 1000 --invariant-depth 50 -vvv

# Run invariant tests with CI profile (more runs)
forge test --match-contract Invariant --profile ci -vvv
```

```bash
# Generate coverage report
forge coverage --report lcov --report summary

# View coverage in browser
npx serve coverage/
```

```bash
# Build contracts
forge build

# Build with size information
forge build --sizes
```

```bash
# Run all tests
forge test

# Run tests with verbosity
forge test -vvv

# Run specific test
forge test --match-test testDeposit_Success -vvv
```

```bash
# Generate gas report
forge test --gas-report

# Gas optimization hints
forge snapshot
```

```bash
# Format code
forge fmt

# Check formatting without changes
forge fmt --check
```

```bash
# Install Slither
pip3 install slither-analyzer

# Run Slither analysis
slither .

# Generate reports
slither . --json slither-results/slither-report.json
slither . --markdown slither-results/slither-report.md

# Run with custom configuration
slither . --config slither.config.json
```

- Reentrancy protection implemented
- Integer overflow/underflow protection
- Access control mechanisms
- Input validation
- Event emission for state changes
- Emergency pause functionality
- Comprehensive test coverage
The Vault contract is a simple yet secure ETH vault with the following features:
- ETH Deposits: Users can deposit ETH with proper balance tracking
- ETH Withdrawals: Users can withdraw their deposited ETH
- Emergency Pause: Owner can pause/unpause operations in emergencies
- Reentrancy Protection: All critical functions protected against reentrancy
- Access Control: Owner-only admin functions
- Event Emission: All operations emit appropriate events
- Zero Amount Protection: Rejects zero-amount operations
```solidity
// Deposit ETH
function deposit() external payable;

// Withdraw ETH
function withdraw(uint256 amount) external;

// Get user balance
function getBalance(address user) external view returns (uint256);

// Emergency pause (owner only)
function emergencyPause() external;

// Unpause (owner only)
function unpause() external;
```

- Coverage: All public functions and edge cases
- Focus: Correct behavior, error handling, state changes
- Tools: Foundry's testing framework with custom assertions

- Coverage: Arbitrary input validation
- Focus: Boundary conditions, unexpected inputs
- Tools: Foundry's fuzz testing with `vm.assume()`

- Coverage: System-level properties
- Focus: State consistency, business rules
- Tools: Foundry's invariant testing with handler pattern

- Coverage: Common vulnerability patterns
- Focus: Reentrancy, access control, arithmetic
- Tools: Slither static analysis, manual review
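The handler-pattern invariant test described above, as an added example written against the `IVault` interface shown (it is not the repository's own `VaultInvariantTest.sol`); it assumes `Vault` has a no-argument constructor and that the import paths match the tree. The handler keeps every fuzzed call non-reverting and records ghost totals, so the solvency check holds regardless of the call sequence Foundry generates:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {IVault} from "../../src/interfaces/IVault.sol";
import {Vault} from "../../src/core/Vault.sol"; // assumed: no-argument constructor

// Handler: drives the vault with bounded, non-reverting calls from a fixed set of
// actors (vm.addr(1..ACTORS)) and keeps "ghost" totals for the invariant to check.
contract VaultHandler is Test {
    uint256 public constant ACTORS = 3;
    IVault public vault;
    uint256 public ghostDeposited;
    uint256 public ghostWithdrawn;
    constructor(IVault _vault) { vault = _vault; }

    function deposit(uint256 seed, uint256 amount) external {
        address a = vm.addr((seed % ACTORS) + 1);
        amount = bound(amount, 1, 100 ether); // the vault rejects zero-amount deposits
        vm.deal(a, amount);
        vm.prank(a);
        vault.deposit{value: amount}();
        ghostDeposited += amount;
    }

    function withdraw(uint256 seed, uint256 amount) external {
        address a = vm.addr((seed % ACTORS) + 1);
        uint256 bal = vault.getBalance(a);
        if (bal == 0) return; // nothing to withdraw: skip instead of reverting
        amount = bound(amount, 1, bal);
        vm.prank(a);
        vault.withdraw(amount);
        ghostWithdrawn += amount;
    }
}

contract VaultInvariantExample is Test {
    Vault vault;
    VaultHandler handler;
    function setUp() public {
        vault = new Vault();
        handler = new VaultHandler(IVault(address(vault)));
        targetContract(address(handler)); // fuzz only the handler's entry points
    }

    // Solvency: ETH held == sum of credited balances == deposits - withdrawals.
    function invariant_solvency() public view {
        uint256 sum;
        for (uint256 i = 1; i <= handler.ACTORS(); i++) sum += vault.getBalance(vm.addr(i));
        assertEq(address(vault).balance, sum);
        assertEq(sum, handler.ghostDeposited() - handler.ghostWithdrawn());
    }
}
```

Run it with `forge test --match-contract VaultInvariantExample --invariant-runs 1000 --invariant-depth 50 -vvv`; a failing sequence is printed as the call trace that broke solvency.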
```bash
# Deploy to local Anvil node
anvil
forge script script/DeployVault.s.sol --rpc-url http://localhost:8545 --broadcast
```

```bash
# Deploy to Sepolia testnet
forge script script/DeployVault.s.sol --rpc-url $SEPOLIA_RPC_URL --private-key $PRIVATE_KEY --broadcast --verify
```

```bash
# Run interaction demo
forge script script/InteractWithVault.s.sol --rpc-url $RPC_URL --private-key $PRIVATE_KEY --broadcast
```

The repository includes a comprehensive GitHub Actions pipeline that:
- Builds contracts and verifies compilation
- Runs unit tests with high verbosity
- Executes fuzz tests with extensive runs
- Performs invariant testing with deep analysis
- Analyzes gas consumption and optimization
- Runs Slither security analysis
- Generates coverage reports
- Deploys to testnet on main branch merges
- Performs integration testing
- Build & Test: Core testing and validation
- Security: Comprehensive security analysis
- Deploy: Automated testnet deployment
- Integration: End-to-end testing
- Performance: Gas optimization benchmarks
This repository demonstrates:
- Testing Excellence: Comprehensive test coverage across unit, fuzz, and invariant testing
- Security Mindset: Proactive security analysis and vulnerability prevention
- Modern Tooling: Mastery of Foundry, Slither, and industry-standard tools
- CI/CD Discipline: Automated testing and deployment pipelines
- Clean Architecture: Well-structured, maintainable codebase
- Documentation: Clear, comprehensive documentation for all components
- Foundry Mastery: Advanced testing patterns and techniques
- Security Best Practices: Real-world security implementation
- Professional Standards: Production-ready code quality
- Testing Methodologies: Systematic approach to smart contract testing
- DevOps Integration: CI/CD pipeline for smart contracts
This repository serves as a comprehensive demonstration of:
- Technical expertise in smart contract development
- Deep understanding of security principles
- Professional testing methodologies
- Modern development practices
- Problem-solving capabilities
This is a demonstration repository. For production use, consider:
- Multi-sig ownership for enhanced security
- Rate limiting for deposits/withdrawals
- Upgradeability patterns for future enhancements
- Comprehensive monitoring and alerting
MIT License - feel free to use this code for learning and reference.
- Foundry Documentation
- OpenZeppelin Contracts
- Slither Static Analyzer
- Solidity Security Considerations
For questions about this repository or smart contract testing practices, feel free to reach out or open an issue.
Built with ❤️ for the Smart Contract QA/SDET community