Audit Tools

Foundry

Foundry is a Solidity development and testing toolkit with Forge for tests, Cast for RPC calls, Anvil for local chains, and Chisel for a Solidity REPL.

Foundry is a fast toolkit auditors use to write Solidity tests and reproduce bugs.

Foundry Explained in Detail

Foundry is a toolkit for building, testing, and debugging Solidity projects. Auditors mainly use forge for tests, fuzzing, invariant tests, and exploit reproductions.

Foundry also includes cast for chain queries, anvil for local nodes, and chisel for quick Solidity experiments.

Smart contract example

forge test --match-test testWithdraw -vvvv

At -vvvv verbosity, forge prints execution traces for the matched tests, which is often useful when debugging exploit paths.

Foundry in Auditing

Foundry makes it practical to turn audit ideas into executable tests. A good PoC is clearer than a long explanation, especially for reentrancy, oracle manipulation, and accounting bugs.

Auditors use Foundry to prove bugs, test fixes, and preserve regressions.

Red flags in code

  • The test suite covers only happy paths.

  • Fork tests do not pin a block number.

  • Mocks hide behavior from real integrations.

  • Fuzz failures are ignored instead of minimized and understood.

  • Invariants do not cover the protocol's core accounting.

How to test or review it

  • Run forge test before and after changes.

  • Use vm.prank, vm.expectRevert, vm.warp, and vm.roll for adversarial scenarios.

  • Add fuzz tests for input-heavy logic.

  • Add invariant tests for balances, shares, debt, and collateral.

  • Use fork tests for live protocol integrations.
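The checklist above as a Forge test file. This is an added example, not code from the original page: TimelockVault and its one-day lock are hypothetical and constructed here, and the only assumption about the project is that forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Hypothetical vault, constructed for this example: deposits unlock after 1 day.
contract TimelockVault {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public unlockAt;
    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
        unlockAt[msg.sender] = block.timestamp + 1 days;
    }
    function withdraw(uint256 amount) external {
        require(block.timestamp >= unlockAt[msg.sender], "locked");
        balanceOf[msg.sender] -= amount; // checked math reverts on overdraw
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract TimelockVaultTest is Test {
    TimelockVault vault;
    address alice = makeAddr("alice");
    function setUp() public {
        vault = new TimelockVault();
        vm.deal(alice, 100 ether);
    }
    // Unhappy paths: early withdrawal and a caller with no deposit must both revert.
    function testWithdrawRejectsEarlyAndForeignCallers() public {
        vm.prank(alice);
        vault.deposit{value: 1 ether}();
        vm.prank(alice);
        vm.expectRevert(bytes("locked"));
        vault.withdraw(1 ether);
        vm.warp(block.timestamp + 1 days); // lock has expired for alice
        vm.prank(makeAddr("mallory"));
        vm.expectRevert(); // underflow panic: mallory has no balance
        vault.withdraw(1 ether);
    }
    // Fuzz: for any deposit and any partial withdrawal, ledger and ETH held stay equal.
    function testFuzz_WithdrawKeepsAccounting(uint256 amount, uint256 take) public {
        amount = bound(amount, 1, 100 ether);
        take = bound(take, 0, amount);
        vm.startPrank(alice);
        vault.deposit{value: amount}();
        vm.warp(block.timestamp + 1 days);
        vault.withdraw(take);
        assertEq(vault.balanceOf(alice), amount - take);
        assertEq(address(vault).balance, amount - take);
    }
}
```

Because --match-test takes a pattern, the page's forge test --match-test testWithdraw -vvvv command runs only the first test here; a plain forge test runs both.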
