Smart Contract Testing for Dummies

Published at: April 10, 2020

Smart contracts are immutable programs: Once a contract is deployed, it cannot be altered. This allows users to be sure that the rules by which their funds are operated will not be changed. However, the same feature makes creating secure smart contracts extremely complicated. If you create a contract with a bug or vulnerability, it is there forever. That’s why testing is even more crucial for smart contracts than for traditional applications.

Related: What Are Smart Contracts? Guide for Beginners

Why testing is necessary

First, let’s clarify what problems tests can and cannot solve. For this purpose, let’s point out the following difference between bugs and vulnerabilities:

→ If an issue leads to a planned scenario not running, it is a bug.

→ If an issue leads to an unplanned scenario running, it is a vulnerability.

Tests do not prevent vulnerabilities. A vulnerability is by definition something unplanned, so you can’t take it into account at the testing stage. To deal with vulnerabilities, you need other tools and actions, which are described at the end of this article.

Tests help us make sure that all planned scenarios run as intended. In other words, tests help prevent bugs. This fact has several important consequences:

Rule of thumb: Every line of business logic must have a corresponding test. If you have a scenario in business logic, then you’ll have it in the code, which means you need to test it.The most important scenarios must be tested the most thoroughly. The scenarios that will be run by most users or that implement critical functionality require additional attention.Tests catch silly mistakes. Silly mistakes are made even by experienced developers and can be very dangerous.Tests are great for edge cases. What if a user tries to buy zero tokens? What if the number of users reaches the limit? These cases must be considered, and the best solution for this task is using tests.You need to have a detailed specification for your project to create tests. Let us discuss this point in more detail.

Specification

You cannot test a planned scenario if you don’t know what is planned. So, you need to create a specification.

This seems obvious, but many blockchain teams break this rule. They write a white paper, and after that, they immediately write code. This can and often does lead to incorrect implementation of the desired functionality. At some point, the team can even come to the conclusion that they themselves don’t understand how they want the system to behave. Moreover, the desired functionality might be not self-consistent and thus is unimplementable.

So, a specification is a must. This leads us to an interesting observation: When you start testing your code, you don’t just get tests. You have to improve your whole development procedure. You work more than you first expected, but you also benefit more.

Tools for testing

Testing is a whole separate branch of knowledge, so I am not going to cover it in one article. However, I will name the first necessary tools.

To test your smart contracts easily and correctly, you will need a testing framework. My colleagues recommend using one of the following: Truffle, Embark or Etherlime.

Also, you will need to measure test coverage. Test coverage is a percentage of the code that is covered by tests, so 100% coverage means that every bytecode instruction is tested. However, this is an ideal situation, not a real one. In practice, this number will always be below 100, depending on how many tests you create. Here are some of the most popular tools to measure test coverage: solidity-coverage and @0x/sol-coverage.

Related: Programming Languages Used in Blockchain, Explained

Expanding the context

So, if test coverage is 95% and I have tests for all the critical functions, I can consider my code secure, right? But the correct answer is, “Wrong!” Testing is only one of the necessary security procedures. Take a look at this diagram:

When you start writing your code, you first need to use a linter to make the code clear and readable. Then you need tests to make sure that all the planned scenarios work correctly. Then you run security tools to find standard and easily detectable vulnerabilities. After you remove them from the code, you can proceed to the external audit of the code. At every stage of development, the code design will be crucial for security as well as for usability.

All of these steps have their complications, but those are beyond the scope of this article.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Ivan Ivanitskiy is the chief analytics officer of SmartDec and co-host of the Basic Block podcast. He is an expert in application security, blockchain and smart contracts. Ivan is passionate about Bitcoin and curious about smart contracts.

Tags
Related Posts
Ethereum advances with standards for smart contract security audits
The Ethereum ecosystem continues to witness a flurry of activity that has individuals and organizations deploying token contracts, adding liquidity to pools and deploying smart contracts to support a wide range of business models. While notable, this growth has also been riddled with security exploits, leaving decentralized finance (DeFi) protocols vulnerable to hacks and scams. For instance, recent findings from crypto intelligence firm Chainalysis show that crypto-related hacks have increased by 58.3% from the beginning of the year through July 2022. The report further notes that $1.9 billion has been lost to hacks during this timeframe — a figure that …
Adoption / Aug. 22, 2022
What is an Ethereum Virtual Machine (EVM) and how does it work?
Ether (ETH), which is the second largest cryptocurrency in terms of market capitalization, is popular among cryptocurrency investors because of its native ETH token. However, its native Solidity programming language and Ethereum Virtual Machine (EVM) are instrumental in the adulation it receives from the developer community. In fact, the Ethereum blockchain continues to attract decentralized application (DApp) developers due to its flexibility, the vast range of developer tools available and the platform’s large user base. Forming the core of the blockchain’s architecture, the EVM is the program that executes its application code or smart contracts, as they are called, providing …
Blockchain / Nov. 27, 2022
Overview of Software Wallets, the Easy Way to Store Crypto
Similar to a bank account for fiat currency, a crypto wallet is a personal interface for a cryptocurrency network that provides reliable storage and enables transactions. Whether a cryptocurrency is securely stored or not, much depends on the wallet, which is only as secure as its private keys. Wallets are generally either hot or cold. The funds in a hot wallet can be spent at any time, online. A cold wallet functions in contrast: not intended for regular cryptocurrency transactions, but funds can be received at any time. Wallets can also be divided into three groups: software, hardware and paper. …
Blockchain / March 29, 2020
Japanese Cybersecurity Group Debuts Blockchain Scan Tool, Partners With ConsenSys Diligence
A cybersecurity subsidiary of Japan’s Nomura Research Institute (NRI) unveiled a new blockchain security alert tool in a press release Nov. 8, also confirming a partnership with U.S. blockchain software company ConsenSys. With the tool, dubbed the “Blockchain Security Monitoring Service,” NRI SecureTechnologies (NRI ST) said it aimed to increase security in blockchain implementations, informing operators about “vulnerabilities.” The solution’s first outing will target smart contract weaknesses, the release says, while at the same time NRI ST will work with ConsenSys’ Diligence team on expanding its security offering. Last week, a group of researchers from two American universities found that …
Blockchain / Nov. 8, 2018
Web3 developer growth hits an all-time high as ecosystem matures
“Web3” may be one of the biggest buzzwords of 2022, but the idea of creating an entirely decentralized platform to host decentralized applications has long been a vision of the crypto community. While it’s notable that some blockchain companies began building out Web3 applications four or five years ago, the Web3 space has only started gaining traction recently. The recent growth of Web3 was highlighted in a new report from Electric Capital, a venture capital firm that has been investing in Web3 companies since 2018. The “Electric Capital 2021 Developer Report” analyzed data from nearly 500,000 code repositories and 160 …
Decentralization / Feb. 3, 2022