
๐Ÿ” Testing & Auditing: Quality Assurance

Discover how to test contracts and prepare for audits

Protect your dApp from common vulnerabilities

🔬 Testing & Auditing

Code is guilty until proven secure. Even with secure patterns, bugs slip through. That's why production DeFi uses a 4-layer testing pyramid: unit tests (70-80% coverage), integration tests (multi-contract flows), fuzz testing (random inputs find edge cases), and formal verification (mathematical proofs). Then comes professional auditing: external security firms (Trail of Bits, OpenZeppelin, Certora) spend 2-4 weeks trying to break your code. Top protocols pay $50k-200k per audit and run 2-3 audits from different firms. Finally, bug bounties ($10k-$1M+ rewards) incentivize whitehats to find bugs before blackhats do. This section covers testing frameworks, audit checklists, and how to prepare for professional security reviews.

🎮 Interactive: Testing Pyramid

Explore the 4 layers of testing. Each layer catches different bug types with increasing thoroughness.

🧪 Unit Tests

Test individual functions in isolation

🛠️ Tools: Hardhat, Foundry, Truffle, Waffle

// Hardhat test example
// Requires @nomicfoundation/hardhat-toolbox, which provides the `ethers` helper
// and the chai matchers used below (revertedWith, emit, withArgs).
const { expect } = require("chai");
const { ethers } = require("hardhat");

describe("Token", function() {
  let token, owner, addr1;

  // Deploy a fresh Token before every test so cases stay independent
  beforeEach(async function() {
    [owner, addr1] = await ethers.getSigners();
    const Token = await ethers.getContractFactory("Token");
    token = await Token.deploy();
  });

  it("Should transfer tokens correctly", async function() {
    await token.transfer(addr1.address, 100);
    expect(await token.balanceOf(addr1.address)).to.equal(100);
  });

  it("Should revert on insufficient balance", async function() {
    // addr1 holds nothing yet, so even a 1-token transfer must revert
    await expect(
      token.connect(addr1).transfer(owner.address, 1)
    ).to.be.revertedWith("Insufficient balance");
  });

  it("Should emit Transfer event", async function() {
    await expect(token.transfer(addr1.address, 100))
      .to.emit(token, "Transfer")
      .withArgs(owner.address, addr1.address, 100);
  });
});
✓ Benefits
  • Fast feedback
  • Catch basic bugs early
  • CI/CD integration
  • Free to run
⚠️ Limitations
  • Miss integration bugs
  • Don't test unexpected inputs
  • Limited to known scenarios
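The limitations above ("don't test unexpected inputs", "limited to known scenarios") are exactly what the fuzz-testing layer of the pyramid addresses. The following is an added example, not code from the course page: a small property-based fuzz harness in plain Node.js that runs random transfer sequences against a token model and checks two ERC-20 invariants (the sum of balances equals total supply; no balance goes negative). The token logic, the seeded PRNG, the account names and the supply are all constructed here for illustration. The "buggy" transfer carries a classic defect that hand-written unit tests usually miss: it caches both balances before writing, so a self-transfer (from === to) overwrites the debited balance with the stale cached one and inflates supply.

```javascript
// Added example (not from the course page): property-based fuzzing of a token
// transfer model against invariants. All names and values are constructed.

// Deterministic PRNG (mulberry32) so a failing seed can be replayed exactly.
function makeRng(seed) {
  let s = seed >>> 0;
  return function next() {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // in [0, 1)
  };
}

// Reference model: what a correct ERC-20 transfer does. Returns true on
// success, false when the sender cannot cover the amount.
function referenceTransfer(balances, from, to, amount) {
  if (balances[from] < amount) return false;
  balances[from] -= amount;
  balances[to] += amount;
  return true;
}

// Implementation under test with the "cache both balances, then write" bug:
// when from === to, the stale toBal overwrites the already-debited balance,
// so `amount` tokens are created out of thin air.
function buggyTransfer(balances, from, to, amount) {
  const fromBal = balances[from];
  const toBal = balances[to];
  if (fromBal < amount) return false;
  balances[from] = fromBal - amount;
  balances[to] = toBal + amount;
  return true;
}

// Invariants that must hold after any sequence of transfers.
// Returns null when all hold, otherwise a description of the violation.
function checkInvariants(balances, totalSupply) {
  const sum = Object.values(balances).reduce((a, b) => a + b, 0);
  if (sum !== totalSupply) return `sum of balances ${sum} != totalSupply ${totalSupply}`;
  for (const [who, bal] of Object.entries(balances)) {
    if (bal < 0) return `negative balance for ${who}: ${bal}`;
  }
  return null;
}

// Fuzz loop: random (from, to, amount) triples, which naturally include the
// edge cases from === to, amount === 0 and amount > balance. Runs the same
// operation on the implementation and the reference model and stops at the
// first invariant violation or behavioural divergence.
// Returns null if no counterexample is found, else the failing operation.
function fuzzTransfer(transferFn, opts = {}) {
  const { seed = 1, iterations = 2000, accounts = ["alice", "bob", "carol"], supply = 1000 } = opts;
  const rng = makeRng(seed);
  const balances = Object.fromEntries(accounts.map((a) => [a, 0]));
  balances[accounts[0]] = supply; // constructed initial distribution
  const model = { ...balances };
  for (let i = 0; i < iterations; i++) {
    const from = accounts[Math.floor(rng() * accounts.length)];
    const to = accounts[Math.floor(rng() * accounts.length)];
    const amount = Math.floor(rng() * (supply + 1)); // may exceed the sender's balance
    const ok = transferFn(balances, from, to, amount);
    const okRef = referenceTransfer(model, from, to, amount);
    const violation = checkInvariants(balances, supply);
    if (violation || ok !== okRef) {
      return { step: i, seed, from, to, amount, violation: violation || "result differs from reference model" };
    }
  }
  return null;
}

console.log("reference model:", fuzzTransfer(referenceTransfer, { seed: 42 }));
console.log("buggy transfer: ", fuzzTransfer(buggyTransfer, { seed: 42 }));
```

The reported counterexample carries the seed and step, which is the same replay discipline Foundry and Echidna use: once the fuzzer finds a failing input, it is frozen into a regression unit test so the bug cannot silently return. Note that the harness never needs to know about the self-transfer case in advance; the invariant "sum of balances equals total supply" is enough to surface it.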

🎮 Interactive: Audit Checklist

Click each category to expand the audit checklist. These are questions auditors ask when reviewing your code.

๐Ÿข Professional Audit Firms

Trail of Bits

Top-tier firm, 2-4 week audits, $100k-200k. Audited Uniswap, Compound, Maker.

โœ“ Formal verification expertise
OpenZeppelin

Industry standard, maintains OZ Contracts. $50k-150k, 2-3 weeks.

โœ“ Best for ERC standards
Certora

Formal verification specialists. Prover tool + manual review. $80k-200k.

โœ“ Mathematical proofs
Consensys Diligence

Part of Consensys ecosystem. MythX automated tools + manual. $60k-150k.

โœ“ Automated + manual hybrid

💰 Bug Bounty Programs

• Immunefi: Leading DeFi bug bounty platform. Paid $65M+ to whitehats. Top programs offer $1M-$10M for critical bugs.
• HackerOne: General platform with blockchain section. $500k max typical bounties. Slower response.
• Code4rena: Competitive audit contests. $50k-200k prize pools, distributed among finders. Fast (1-2 weeks).
• Severity Tiers: Critical ($100k-$1M), High ($50k-$100k), Medium ($10k-$50k), Low ($1k-$10k).