Foundry Setup for Smart Contract Development
We integrate Foundry into your smart contract development pipeline. Unlike Hardhat, the Rust-based Foundry delivers up to 50x speed improvement on tests, but it requires proper configuration of profiles and dependencies. Without this, you risk unstable builds or missing reentrancy issues during testing.
A blockchain developer's life is endless iterations: compile, run tests, find a bug, fix, run again. Foundry makes this cycle dozens of times faster, but to unlock its potential, you need the right configuration. We will set it up for you turnkey. In 5 years of work, we have configured Foundry for 50+ projects—from simple ERC-20s to complex DeFi protocols on L2.
Why Foundry Is Faster Than Hardhat
Foundry is written in Rust and compiles Solidity directly via solc, eliminating intermediate layers. Tests run in a native environment, and fuzzing works out of the box. The result is 10–50x faster compilation and testing on typical DeFi projects. As noted in the Foundry documentation, a benchmark on a project with 200 tests shows 3 seconds versus 45 seconds for Hardhat.
Installation and Basic Configuration
The foundryup command installs the latest toolchain. A project is initialized via forge init my-project. The basic structure:
my-project/
├── foundry.toml
├── src/
├── test/
├── script/
└── lib/
The foundry.toml file is the heart of the configuration. We set up two profiles: a fast one for local development and a deeper one for CI.
| Parameter |
[profile.default] |
[profile.ci] |
| fuzz.runs |
1000 |
10000 |
| invariant.runs |
256 |
1000 |
| invariant.depth |
500 |
1000 |
This approach lets you test basic logic in minutes locally and obtain reliable results on CI.
[profile.default]
src = "src"
out = "out"
libs = ["lib"]
solc = "0.8.24"
optimizer = true
optimizer_runs = 200
fuzz = { runs = 1000 }
invariant = { runs = 256, depth = 500 }
[profile.ci]
fuzz = { runs = 10000 }
invariant = { runs = 1000, depth = 1000 }
How to Set Up a CI Profile in Foundry?
The CI profile requires more aggressive fuzzing and depth for invariant tests. Configure it separately in foundry.toml and run via forge test --profile ci -vvv. In the CI pipeline we also enable --gas-report and additional Slither checks.
Dependencies via forge install
We pull in OpenZeppelin, forge-std, and other libraries.
forge install OpenZeppelin/openzeppelin-contracts
forge install foundry-rs/forge-std
After installation, add remappings:
remappings = [
"@openzeppelin/=lib/openzeppelin-contracts/",
"forge-std/=lib/forge-std/src/",
]
Dependencies are stored as git submodules—this is the Foundry standard, ensuring reproducibility.
Tip: How to avoid remapping conflicts
If multiple libraries export the same paths, use priority in foundry.toml: remappings are processed in declaration order. Always verify compilation after adding a new dependency.
How to Set Up Fork Testing with Anvil?
Anvil is a local node with mainnet fork capability. This is a key feature for integration tests.
anvil --fork-url $MAINNET_RPC --fork-block-number 19000000 --chain-id 1
You get a copy of the mainnet state at a specific block without mocks. Our experience shows that fork tests catch non-obvious errors that unit tests miss. In one project, an invariant test found three logical errors in 20 minutes that manual tests missed: in a deposit → withdraw → deposit chain, totalSupply diverged by 1 wei due to rounding.
Fuzz and Invariant Tests
Fuzzing works automatically—just pass a random parameter to the test.
function testFuzz_Deposit(uint256 amount) public {
amount = bound(amount, 1, 1e27);
token.mint(alice, amount);
vm.prank(alice);
vault.deposit(amount);
assertEq(vault.balanceOf(alice), amount);
}
Invariant tests verify that system invariants hold after any sequence of calls.
function invariant_TotalSupplyEqualsDeposits() public {
assertEq(vault.totalSupply(), vault.totalDeposits());
}
CI Integration (GitHub Actions)
We set up a pipeline that runs tests with the CI profile on every commit.
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
- name: Run tests
run: forge test --profile ci -v
env:
FOUNDRY_ETH_RPC_URL: ${{ secrets.MAINNET_RPC }}
What's Included in the Setup
- Configuration of foundry.toml with default/ci profiles
- Installation and remapping of dependencies (OpenZeppelin, forge-std)
- Setup of Anvil with mainnet fork for integration tests
- Writing basic fuzz and invariant tests
- CI pipeline with GitHub Actions (GitLab, CircleCI on request)
- Documentation on the flags and commands used
Timelines
Setting up Foundry with dependencies, profiles, and CI takes 2 to 6 hours depending on project complexity. This includes writing template tests and debugging the fork. The cost is determined individually after analysis.
Why Choose Our Setup?
We don't just copy template configurations—we analyze your project structure, select optimal fuzzing and invariant parameters, and set up gas reporting. Over 5 years of blockchain development experience and 50+ successful projects guarantee that your configuration will work reliably.
Contact us to get a consultation on Foundry setup for your project. We'll assess your tasks and propose the optimal solution.
Note: Setup costs depend on the scope of work and are discussed individually.
Smart Contract Development
We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().
Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.
How We Develop Smart Contracts Turnkey
We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).
| Language |
Execution Model |
Typical Domain |
Risks |
| Solidity 0.8.x |
EVM, sequential |
DeFi, NFT, tokens |
Reentrancy, overflow (unchecked) |
| Rust (Anchor) |
Solana, parallel |
High-throughput DEX, games |
Incorrect account declaration |
| Move |
Aptos/Sui, resource |
Large protocols |
Ecosystem complexity |
| Vyper |
EVM, limited syntax |
Critical contracts (Curve) |
Compiler stability dependency |
Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.
Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.
Why Smart Contract Audit Is Critical for Security
Audit is not a one-time check—it is a built-in development stage. We use three levels:
-
Static analysis—
Slither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
-
Fuzzing and invariant tests—
Foundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
-
Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.
Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.
What Upgrade Patterns Do We Choose?
| Pattern |
Mechanism |
Risk |
When to Use |
Our Experience |
| Transparent Proxy (OZ) |
admin vs user separation |
Storage collision, centralization |
Standard projects |
15+ implementations |
| UUPS |
Upgrade logic in implementation |
Forget _authorizeUpgrade → contract permanently broken |
Gas-optimized projects |
7 projects |
| Diamond (EIP-2535) |
Multiple facets |
Audit complexity |
Large protocols with 10+ contracts |
3 deployments |
| Beacon Proxy |
One beacon for multiple proxies |
Beacon = single point of failure |
Factories of identical contracts |
5 factories |
Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.
How to Protect a Contract from MEV and Front-Running
On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.
What Is the Development Process?
-
Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
-
Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
-
Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
-
External audit—for projects with real money. Timeline: 2–4 weeks.
-
Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
-
Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.
What Is Included
- Architecture documentation and contract specification (NatSpec).
- Source code with repository and CI (Slither, Foundry, coverage).
- Deployed contract with verification on blockchain explorer.
- Audit results (internal and external upon request).
- Access to monitoring and management (Gnosis Safe).
- Code warranty: critical bug fixes within one month after deployment.
- Consultation on web integration (wagmi, RainbowKit).
Estimated Timelines
- ERC-20 token with basic functions: 1–2 weeks
- Vesting contract with cliff/linear schedule: 2–3 weeks
- NFT ERC-721/1155 with marketplace: 4–6 weeks
- AMM or lending protocol: 2–4 months
- Multichain protocol with bridge: 4–7 months
Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.
Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.