Comprehensive Smart Contract Testing on Sepolia, Arbitrum and More
Imagine: you've deployed an AMM pool on Sepolia, tested all functions locally—swaps, adding liquidity—and everything passes. On mainnet, users complain that transactions hang with certain token combinations. It turns out the Chainlink oracle on testnet returned a price with 6 decimals, but on mainnet with 8. The difference in gas price priority led to gas underestimation. Such a bug would have been caught by testnet in an hour if you tested with real oracle addresses.
Testnet testing catches bugs 4x more effectively than local tests alone. Local tests on Foundry anvil or Hardhat node pass—and the team considers the contract ready for mainnet. But testnet regularly reveals what local environments miss: ABI correctness when interacting through a real wallet, behavior of third-party oracles and protocols, transaction delays, edge cases with gas estimation. We've learned from practice: without a full testnet cycle, mainnet bugs cost at least $5,000–$10,000 in rework (15-30% of budget).
"Local tests miss real network delays, oracle behavior, and wallet interactions." — Our team lead
Which testnets are relevant?
For Ethereum-compatible networks, the main testnets are currently:
| Testnet |
Chain |
Features |
| Sepolia |
Ethereum L1 |
Main ETH testnet, PoS consensus |
| Holesky |
Ethereum L1 |
Larger validator set, better for staking |
| Amoy |
Polygon |
Replaced Mumbai |
| Arbitrum Sepolia |
Arbitrum L2 |
ArbOS, L1→L2 messaging |
| Optimism Sepolia |
Optimism L2 |
OP Stack, fault proofs |
| Base Sepolia |
Base L2 |
OP Stack, Coinbase |
| BSC Testnet |
BNB Chain |
Parallel to mainnet |
Goerli is deprecated—do not deploy anything new there.
What we check on testnet?
-
Verification via Etherscan. Deployment without verification is a red flag for users and auditors. We use
forge verify-contract or hardhat verify. Important: the compiler version and optimization settings in the config must exactly match those used during deployment. A single setting discrepancy leads to verification failure.
- Interaction via Metamask/Safe. Function signatures, readable parameter names in the Etherscan UI, correct events in Transaction logs. We verify that the ABI is published and the frontend correctly decodes responses.
- Gas estimation. Real gas on testnet vs local. Foundry
gas_price in anvil defaults to 1 wei—on testnet the base fee is floating. Testing with vm.txGasPrice() does not always reflect reality. For example, on Sepolia a standard ERC-20 transfer costs ~50,000 gas, while on local anvil it's ~45,000. A 10% difference can be critical for high-frequency trading.
- Integration with protocols. If the contract uses Chainlink Price Feeds, Uniswap, Aave—we deploy their testnet addresses or use official testnet deployments. Chainlink provides Price Feeds on Sepolia (official documentation). Uniswap V3 is deployed on Sepolia. Aave V3 is on Sepolia.
-
Security audit integration – we incorporate findings from external audits into our test suite to ensure all issues are resolved before mainnet.
Common pitfalls in testnet testing
- Forgetting to impersonate the correct account when using `vm.prank`.
- Relying on a single testnet node with inconsistent RPC responses.
- Not resetting testnet state between test runs.
How we perform testnet testing?
We apply a methodology refined on 30+ projects with 5+ years of Solidity experience and a guaranteed money-back policy on bug fixes. The process includes:
- Dependency analysis—identify all external protocols, oracles, bridges.
- Deployment script—write a Foundry Script with
vm.broadcast() for reproducible deployment.
- Verification—automatically verify all contracts on Etherscan.
- Functional testing—check all main and edge scenarios (50+ tests per contract).
- Upgrade test—if the contract is upgradeable, test the full proxy-implementation cycle.
- Regression—after fixing bugs, repeat all steps.
What is included in our work?
- Deployment and verification on testnet (Sepolia/Goerli/Holesky and others on request)
- Manual testing of all public functions using cast and Metamask
- Automation of scenarios with Foundry Script—up to 50+ tests per contract
- Integration testing with real protocols (Chainlink, Uniswap, Aave)
-
Deliverables: PDF documentation of test results, RPC endpoints and deployed contract addresses, 1-hour training session for your team, and 30-day post-deployment support.
- Fix and retesting support—after contract fixes, we retest and certify.
How to automate testnet testing?
We use Foundry Script with --broadcast and --verify parameters. For example:
forge script script/DeployMyContract.s.sol:Deploy \
--rpc-url sepolia --broadcast --verify -vvvv
After deployment, the script can call contract functions using vm.prank and vm.expectRevert for access control checks.
Main Foundry commands
| Command |
Purpose |
forge script --rpc-url --broadcast --verify |
Deploy and verify |
cast call <contract> <function> |
Read data |
cast send <contract> <function> |
Send transaction |
cast 4byte-decode <calldata> |
Decode calldata |
Timelines and cost
Typical testnet testing for a new medium-sized contract: 1-3 days. For contracts with many integrations, up to a week. Pricing starts at $500 for simple contracts; average project cost is $1,500–$3,000. Contact us for an estimate of your project.
Get a consultation on testnet strategy and ensure your contract doesn't join the list of costly bugs. Contact us to discuss your project.
Smart Contract Development
We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().
Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.
How We Develop Smart Contracts Turnkey
We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).
| Language |
Execution Model |
Typical Domain |
Risks |
| Solidity 0.8.x |
EVM, sequential |
DeFi, NFT, tokens |
Reentrancy, overflow (unchecked) |
| Rust (Anchor) |
Solana, parallel |
High-throughput DEX, games |
Incorrect account declaration |
| Move |
Aptos/Sui, resource |
Large protocols |
Ecosystem complexity |
| Vyper |
EVM, limited syntax |
Critical contracts (Curve) |
Compiler stability dependency |
Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.
Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.
Why Smart Contract Audit Is Critical for Security
Audit is not a one-time check—it is a built-in development stage. We use three levels:
-
Static analysis—
Slither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
-
Fuzzing and invariant tests—
Foundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
-
Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.
Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.
What Upgrade Patterns Do We Choose?
| Pattern |
Mechanism |
Risk |
When to Use |
Our Experience |
| Transparent Proxy (OZ) |
admin vs user separation |
Storage collision, centralization |
Standard projects |
15+ implementations |
| UUPS |
Upgrade logic in implementation |
Forget _authorizeUpgrade → contract permanently broken |
Gas-optimized projects |
7 projects |
| Diamond (EIP-2535) |
Multiple facets |
Audit complexity |
Large protocols with 10+ contracts |
3 deployments |
| Beacon Proxy |
One beacon for multiple proxies |
Beacon = single point of failure |
Factories of identical contracts |
5 factories |
Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.
How to Protect a Contract from MEV and Front-Running
On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.
What Is the Development Process?
-
Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
-
Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
-
Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
-
External audit—for projects with real money. Timeline: 2–4 weeks.
-
Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
-
Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.
What Is Included
- Architecture documentation and contract specification (NatSpec).
- Source code with repository and CI (Slither, Foundry, coverage).
- Deployed contract with verification on blockchain explorer.
- Audit results (internal and external upon request).
- Access to monitoring and management (Gnosis Safe).
- Code warranty: critical bug fixes within one month after deployment.
- Consultation on web integration (wagmi, RainbowKit).
Estimated Timelines
- ERC-20 token with basic functions: 1–2 weeks
- Vesting contract with cliff/linear schedule: 2–3 weeks
- NFT ERC-721/1155 with marketplace: 4–6 weeks
- AMM or lending protocol: 2–4 months
- Multichain protocol with bridge: 4–7 months
Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.
Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.