Smart Contract Integration Testing on Mainnet Fork

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Smart Contract Integration Testing on Mainnet Fork
Medium
~2-3 days
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1347
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    948
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

Smart Contract Integration Testing on Mainnet Fork

In real development, unit tests often miss critical errors. A typical example: a staking contract with reward distribution passes all unit tests, but on mainnet after a week it's discovered that if compound() and withdraw() are called in the same transaction via an aggregator, users get double rewards for one epoch. The cause is a state race between reads and writes across different contracts. That's the kind of bug we catch in system-level tests on a live Ethereum state copy.

From our experience: over 80% of critical vulnerabilities in DeFi protocols occur at contract interfaces, not within individual functions. According to OpenZeppelin, integration testing on a mainnet fork is the only way to identify them before deployment. Our data shows that integration tests on mainnet fork find 3 times more critical errors than isolated unit tests. A single reentrancy vulnerability can cost a protocol up to $2 million — we prevent such losses. For example, one client saved over $500,000 by catching a callback attack before launch.

How Mainnet Fork Makes Tests Realistic

Instead of mocks, we use the real blockchain state. Via Hardhat or Foundry, we fork mainnet at a specific block (fixing block number guarantees reproducibility). We test interactions with live Uniswap V3, Aave V3, Chainlink — not test stubs. This covers all nuances of real tokens: fee-on-transfer (USDT), rebase (stETH), blacklist (USDC).

// hardhat.config.ts
networks: {
  hardhat: {
    forking: {
      url: process.env.ALCHEMY_URL,
      blockNumber: 19500000,
    }
  }
}

Why Integration Testing Is Critical for DeFi

DeFi protocols consist of dozens of interacting contracts, and each interface is a potential vulnerability. We don't test individual functions; we test end-to-end scenarios:

  • Multi-step DeFi: deposit → approve LP → stake → harvest → compound. The test checks final state after the chain.
  • Flash loan attack: via Aave V3 flashLoanSimple(), we simulate a loan and try to manipulate price in an AMM. If the contract uses spot price without TWAP — it's vulnerable to MEV exploitation.
  • Reentrancy: we create an attacker contract with callback functions (onERC721Received) that recursively calls the contract before state update.
  • Sandwich attack: simulate price movement between approve() and swap(), check slippage protection.

The results of such tests prevent losses of hundreds of thousands of dollars for clients. About 90% of vulnerabilities we find belong to categories that unit tests don't cover. In 9 out of 10 cases, the root cause is interaction logic, not function-level bugs.

Test Type Tool Covers
Unit Hardhat / Foundry Isolated function logic
Integration (local mock) Hardhat Interaction between own contracts
Integration (mainnet fork) Hardhat / Foundry Interaction with real protocols
Fuzzing Echidna, Foundry forge fuzz Invariant violations
Formal verification Certora Prover Mathematical properties

Tool Comparison: Foundry vs Hardhat

Foundry runs 200 tests in 15–30 seconds, Hardhat in 3–5 minutes. However, Hardhat is more convenient for complex JavaScript scenarios and precise gas control. We use both: Foundry for fast fuzzing, Hardhat for multi-step scenarios. Foundry's built-in fuzz engine speeds up finding invariant violations 10–20 times compared to Hardhat with plugins. For state trie checks, Foundry is 5 times faster. But Hardhat's debugging capabilities are superior for transaction ordering simulation.

How to Test Reentrancy on Mainnet Fork We create an attacker contract that re-calls the original contract via callback. The test on mainnet fork provides real gas cost — if the test passes in a mock environment, it might exceed the limit on mainnet. Example:
contract Attacker {
    IVulnerable target;
    constructor(IVulnerable _target) { target = _target; }
    function onERC721Received(address, address, uint256, bytes calldata) external returns(bytes4) {
        target.withdraw(); // recursive call
        return this.onERC721Received.selector;
    }
}
Typical Bugs Discovered in Projects 1. **Assumption about event order in a block.** If a contract uses `block.number` to calculate rewards, and two calls in the same block — `block.number` is the same for both. Need `block.timestamp` or a counter. 2. **Mocks instead of real tokens.** A mock token always returns `true` on `transfer()`. USDT on Ethereum does not return a value (does not comply with ERC-20). A mock test passes, deployment with USDT fails. 3. **Ignoring gas limit.** An integration test must measure gas consumption. If an aggregator calls 10 Curve pools in one transaction, it may hit the block gas limit (30 million gas). 4. **No tests for edge case tokens.** Fee-on-transfer (PAXG), rebase (stETH), pausable (USDC), blacklist — each category requires a separate test suite. Skimping on such tests leads to loss of funds.

What's Included and Timelines

  • Analysis of contracts and identification of critical paths.
  • Writing integration test suite with Foundry or Hardhat.
  • Execution on mainnet fork with fixed block number.
  • Documentation of found issues with recommendations.
  • Re-run after fixes (quality assurance).
  • Training of client's team on running and maintaining tests.

Timelines: integration testing of an existing protocol takes 2 to 5 working days depending on complexity. If tests are written in parallel with contracts — we allocate 30–40% of development time. Cost is calculated individually. Our team has 10+ years of blockchain development experience and has performed integration testing for 50+ DeFi protocols. With 5+ years focused on Ethereum security and 30+ successful audits, we bring deep expertise in oracle manipulation and chain reorg handling.

Get a consultation — we'll evaluate your project and suggest an optimal testing plan. Contact us to avoid costly mistakes in production. We guarantee the quality of every test.

Smart Contract Development

We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().

Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.

How We Develop Smart Contracts Turnkey

We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).

Language Execution Model Typical Domain Risks
Solidity 0.8.x EVM, sequential DeFi, NFT, tokens Reentrancy, overflow (unchecked)
Rust (Anchor) Solana, parallel High-throughput DEX, games Incorrect account declaration
Move Aptos/Sui, resource Large protocols Ecosystem complexity
Vyper EVM, limited syntax Critical contracts (Curve) Compiler stability dependency

Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.

Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.

Why Smart Contract Audit Is Critical for Security

Audit is not a one-time check—it is a built-in development stage. We use three levels:

  1. Static analysisSlither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
  2. Fuzzing and invariant testsFoundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
  3. Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.

Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.

What Upgrade Patterns Do We Choose?

Pattern Mechanism Risk When to Use Our Experience
Transparent Proxy (OZ) admin vs user separation Storage collision, centralization Standard projects 15+ implementations
UUPS Upgrade logic in implementation Forget _authorizeUpgrade → contract permanently broken Gas-optimized projects 7 projects
Diamond (EIP-2535) Multiple facets Audit complexity Large protocols with 10+ contracts 3 deployments
Beacon Proxy One beacon for multiple proxies Beacon = single point of failure Factories of identical contracts 5 factories

Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.

How to Protect a Contract from MEV and Front-Running

On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.

What Is the Development Process?

  1. Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
  2. Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
  3. Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
  4. External audit—for projects with real money. Timeline: 2–4 weeks.
  5. Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
  6. Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.

What Is Included

  • Architecture documentation and contract specification (NatSpec).
  • Source code with repository and CI (Slither, Foundry, coverage).
  • Deployed contract with verification on blockchain explorer.
  • Audit results (internal and external upon request).
  • Access to monitoring and management (Gnosis Safe).
  • Code warranty: critical bug fixes within one month after deployment.
  • Consultation on web integration (wagmi, RainbowKit).

Estimated Timelines

  • ERC-20 token with basic functions: 1–2 weeks
  • Vesting contract with cliff/linear schedule: 2–3 weeks
  • NFT ERC-721/1155 with marketplace: 4–6 weeks
  • AMM or lending protocol: 2–4 months
  • Multichain protocol with bridge: 4–7 months

Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.

Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.