Audit Tools

Forge Test

A Forge test is a Solidity test contract written for Foundry and executed with the forge test command.

A Forge test is a smart contract test written in Solidity.

Forge Test Explained in Detail

A Forge test is a Solidity contract that tests another Solidity contract. Foundry runs these tests with forge test and provides cheatcodes for changing caller, time, block number, storage, and expected reverts.

Forge tests are common in audits because exploit PoCs can be written in the same language and repository as the code under test, calling the real contracts directly.

Smart contract example

// Runs inside a test contract that inherits forge-std's Test and holds a `vault` instance
function testWithdrawRevertsForZeroBalance() public {
    vm.expectRevert();   // the next external call must revert (any reason accepted)
    vault.withdraw();    // caller has no balance, so the vault should reject this
}

This test passes only if the withdrawal call reverts; because expectRevert is given no argument, any revert reason is accepted.

Forge Test in Auditing

Forge tests help prove whether a suspected issue is real. They are useful for exploit reproduction, fix validation, fuzzing, invariant checks, and fork-based protocol simulations.

Auditors prefer tests that show attacker actions and final impact clearly.

Red flags in code

  • Tests make no assertions about final state or balances, so they pass without proving any impact.

  • Mocks hide important integration behavior.

  • Fork tests do not pin a block number, so results drift as chain state changes.

  • Negative cases and unauthorized callers are missing.

  • Fuzz tests exist but do not assert meaningful properties.

How to test or review it

  • Use vm.prank to test different callers.

  • Use vm.expectRevert for forbidden actions.

  • Use traces with -vvvv to debug exploit flow.

  • Add fuzz tests for input-heavy code.

  • Add regression tests for every fixed audit finding.
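The following Forge test suite is an added example (not code from the original page or from any specific project) that puts the review points above into practice against a small constructed vault contract: vm.prank for a non-owner caller, vm.expectRevert with an exact reason for forbidden actions, explicit assertions on final balances, and a fuzz test that checks a property rather than merely running. The Vault contract, its require messages, and the names alice and bob are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal vault used only as the system under test (constructed for this example).
contract Vault {
    mapping(address => uint256) public balances;
    address public owner;
    bool public paused;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        require(!paused, "paused");
        uint256 amount = balances[msg.sender];
        require(amount > 0, "zero balance");
        balances[msg.sender] = 0;                       // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function pause(bool p) external {
        require(msg.sender == owner, "not owner");
        paused = p;
    }
}

contract VaultTest is Test {
    Vault vault;
    address alice = makeAddr("alice");   // hypothetical users for the test
    address bob = makeAddr("bob");

    function setUp() public {
        vault = new Vault();             // the test contract becomes the owner
        vm.deal(alice, 10 ether);
        vm.deal(bob, 10 ether);
    }

    // Negative case: withdrawing with no balance must revert with the exact reason.
    function testWithdrawRevertsForZeroBalance() public {
        vm.prank(alice);
        vm.expectRevert(bytes("zero balance"));
        vault.withdraw();
    }

    // Unauthorized caller: a non-owner must not be able to pause, and state must not change.
    function testPauseRejectsNonOwner() public {
        vm.prank(bob);
        vm.expectRevert(bytes("not owner"));
        vault.pause(true);
        assertFalse(vault.paused());
    }

    // Positive case with final-state assertions: both accounting and real ETH must move.
    function testDepositThenWithdrawRestoresBalance() public {
        vm.startPrank(alice);
        vault.deposit{value: 1 ether}();
        assertEq(vault.balances(alice), 1 ether);
        assertEq(address(vault).balance, 1 ether);
        vault.withdraw();
        vm.stopPrank();

        assertEq(vault.balances(alice), 0);
        assertEq(address(vault).balance, 0);
        assertEq(alice.balance, 10 ether);
    }

    // Fuzz test asserting a meaningful property: a user gets back exactly what
    // they deposited, and the vault retains nothing for any amount in range.
    function testFuzz_WithdrawReturnsExactlyDeposit(uint256 amount) public {
        amount = bound(amount, 1, 10 ether);
        vm.startPrank(alice);
        vault.deposit{value: amount}();
        vault.withdraw();
        vm.stopPrank();

        assertEq(alice.balance, 10 ether);
        assertEq(address(vault).balance, 0);
        assertEq(vault.balances(alice), 0);
    }
}
```

Run it with forge test -vvvv to see the call trace for each test; during an audit, the same file layout is used for an exploit PoC (attacker actions under vm.prank, then assertions on the drained balance) and is kept afterwards as the regression test for the fix.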

Sources