Unit Testing Smart Contracts: Foundry, Solidity, Full Coverage

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Unit Testing Smart Contracts: Foundry, Solidity, Full Coverage
Medium
~2-3 days
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1347
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    948
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

We often see projects going into an external audit with 20% test coverage — and receiving a 40-page report where half the errors could have been caught by a regular test suite. Our practice: write unit tests in parallel with contract development on Solidity using Foundry. This speeds up the cycle and reduces audit cost by up to 40%. A medium-complexity contract audit costs tens of thousands of dollars, and our tests help cut that amount by 30-40%. Request a consultation to evaluate your project.

But coverage alone is not the goal. 100% line coverage with zero branch coverage is an illusion of safety. Real case: a token contract with tests for transfer and mint, but no test for transfer(address(0), amount). On deployment, three days later — a bug with token loss. Line covered, branch not. This is a typical error in smart contract unit testing: testing only happy path.

Why Hardhat is Being Replaced by Foundry

Previously, most projects wrote tests in JavaScript via Hardhat + Chai. It worked. But Foundry changed the standard.

Speed. Foundry compiles and runs tests natively via an EVM implementation in Rust (revm). A test suite of 200 tests — 4-8 seconds versus 45-90 seconds on Hardhat. For TDD, this is crucial. Foundry is 5-10 times faster than Hardhat.

Fuzz testing out of the box. Any function with parameters becomes a fuzz test:

function testFuzz_transfer(address to, uint256 amount) public {
    vm.assume(to != address(0));
    vm.assume(amount <= token.balanceOf(alice));
    
    uint256 balanceBefore = token.balanceOf(to);
    vm.prank(alice);
    token.transfer(to, amount);
    
    assertEq(token.balanceOf(to), balanceBefore + amount);
}

Foundry runs this test 256 times (configurable) with different values. In our practice, fuzz tests found edge cases — overflow in reward calculation — that manual tests missed. Fuzz tests catch 60% more bugs than regular unit tests.

Cheatcodes. vm.prank, vm.warp, vm.roll, vm.deal — manipulate EVM state directly in Solidity tests. For example, vm.prank(alice) sets the caller to alice for the next call. This gives full control over the EVM in tests.

Compare: Hardhat requires writing tests in JS/TS, wrapping calls in promises, adding plugins for fuzz. Foundry offers everything out of the box in Solidity — less code, higher speed.

Test Suite Architecture

What to Test First

Don't start with happy path. Start with invariants: what should never be violated regardless of call order.

For an ERC-20 token: totalSupply == sum(balances), balanceOf(address(0)) == 0, allowance after approve == specified value. For a staking contract: totalStaked == sum(userStakes), rewards(user) >= 0.

Invariant tests in Foundry (forge test --match-test invariant) run sequences of random calls and check that invariants hold. This is more powerful than unit tests: it finds violations that only occur with a specific sequence of transactions.

Example: Testing an AMM Pool

For a liquidity pool with a swap function, we write an invariant: the product of reserves (x * y) must remain constant after a swap, accounting for the fee. Then fuzz tests generate random swap amounts and check that the invariant holds. If the contract has a rounding bug, fuzz will find it in seconds.

Test File Structure

contract TokenTest is Test {
    Token token;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        token = new Token("Test", "TST", 1_000_000e18);
        deal(address(token), alice, 1000e18);
    }

    // Unit: specific scenario
    function test_transfer_reducesBalance() public {
        vm.prank(alice);
        token.transfer(bob, 100e18);
        assertEq(token.balanceOf(alice), 900e18);
        assertEq(token.balanceOf(bob), 100e18);
    }

    // Edge case
    function test_transfer_revertsOnInsufficientBalance() public {
        vm.prank(alice);
        vm.expectRevert();
        token.transfer(bob, 1001e18);
    }

    // Fuzz
    function testFuzz_transfer(uint256 amount) public {
        amount = bound(amount, 0, 1000e18);
        vm.prank(alice);
        token.transfer(bob, amount);
        assertEq(token.balanceOf(alice) + token.balanceOf(bob), 1000e18);
    }
}

Why Branch Coverage Matters More Than Line Coverage

forge coverage outputs line, branch, statement, and function coverage. We care primarily about branch coverage: each condition must be tested in both states.

Realistic coverage targets:

Contract Type Line Coverage Branch Coverage
Critical (vault, bridge) 95%+ 85%+
DeFi (lending, AMM) 90%+ 80%+
Auxiliary (utils, helpers) 80%+ 70%+
View-only contracts 75%+ 60%+

100% coverage for Solidity is hard to achieve — some branches for safety checks require violating EVM invariants, impossible in a test. But 85% branch coverage is achievable and sufficient for audit.

Foundry vs Hardhat Comparison

Criterion Foundry Hardhat
Test language Solidity JavaScript/TypeScript
Fuzz tests Built-in Via plugin
Speed for 200 tests 4-8 sec 45-90 sec
Cheatcodes Native Solidity JS wrappers

How We Write Tests: Step-by-Step Plan

  1. Analyze the contract: identify invariants, critical functions, and edge cases.
  2. Write invariant tests: verify that base assertions are not violated.
  3. Unit tests for each public method: cover happy path, edge cases, and reverts.
  4. Fuzz tests for input parameters: expand coverage with random values.
  5. Run forge coverage and analyze: achieve 85%+ branch coverage.
  6. Integrate into CI: tests run on every commit. Use GitHub Actions with forge test and forge coverage. Results are posted to Pull Requests.

What Is Included?

  • Full test suite on Foundry with unit tests, fuzz tests, and invariants.
  • Coverage report (line + branch) in HTML/PDF.
  • Test documentation: scenario descriptions, run instructions.
  • Team training on working with tests (2-hour workshop).
  • One month of post-delivery support: fix tests when contract changes.

Process and Timeline

We write tests in parallel with development. Typical volume: for every 100 lines of contract code — 150-300 lines of tests. For a contract of complexity level 2 (staking, vesting, simple AMM) — 2-3 business days for a full test suite with fuzzing. Timelines are discussed individually — contact us for a free project assessment.

Before delivery, we run forge test -vvv and forge coverage. The coverage report is provided alongside the code. If coverage drops below thresholds, we investigate the cause before deployment.

A quality test suite pays for itself by reducing audit time by tens of hours, saving thousands of dollars. Our clients save an average of 30-40% on audit budget thanks to such tests.

Over the years, we have tested more than 30 smart contracts for DeFi, NFT, and infrastructure. We guarantee that your contract will receive coverage sufficient to pass an audit. Get in touch for a free assessment of your project — we will determine the optimal test scope.

Smart Contract Development

We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().

Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.

How We Develop Smart Contracts Turnkey

We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).

Language Execution Model Typical Domain Risks
Solidity 0.8.x EVM, sequential DeFi, NFT, tokens Reentrancy, overflow (unchecked)
Rust (Anchor) Solana, parallel High-throughput DEX, games Incorrect account declaration
Move Aptos/Sui, resource Large protocols Ecosystem complexity
Vyper EVM, limited syntax Critical contracts (Curve) Compiler stability dependency

Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.

Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.

Why Smart Contract Audit Is Critical for Security

Audit is not a one-time check—it is a built-in development stage. We use three levels:

  1. Static analysisSlither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
  2. Fuzzing and invariant testsFoundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
  3. Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.

Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.

What Upgrade Patterns Do We Choose?

Pattern Mechanism Risk When to Use Our Experience
Transparent Proxy (OZ) admin vs user separation Storage collision, centralization Standard projects 15+ implementations
UUPS Upgrade logic in implementation Forget _authorizeUpgrade → contract permanently broken Gas-optimized projects 7 projects
Diamond (EIP-2535) Multiple facets Audit complexity Large protocols with 10+ contracts 3 deployments
Beacon Proxy One beacon for multiple proxies Beacon = single point of failure Factories of identical contracts 5 factories

Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.

How to Protect a Contract from MEV and Front-Running

On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.

What Is the Development Process?

  1. Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
  2. Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
  3. Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
  4. External audit—for projects with real money. Timeline: 2–4 weeks.
  5. Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
  6. Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.

What Is Included

  • Architecture documentation and contract specification (NatSpec).
  • Source code with repository and CI (Slither, Foundry, coverage).
  • Deployed contract with verification on blockchain explorer.
  • Audit results (internal and external upon request).
  • Access to monitoring and management (Gnosis Safe).
  • Code warranty: critical bug fixes within one month after deployment.
  • Consultation on web integration (wagmi, RainbowKit).

Estimated Timelines

  • ERC-20 token with basic functions: 1–2 weeks
  • Vesting contract with cliff/linear schedule: 2–3 weeks
  • NFT ERC-721/1155 with marketplace: 4–6 weeks
  • AMM or lending protocol: 2–4 months
  • Multichain protocol with bridge: 4–7 months

Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.

Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.