The Benefit of Functional Test Suites

December 13, 2019
Quantstamp Labs

 The Benefit of Functional Test Suites

Quantstamp has audited close to 100 projects to date. In the audit reports we provide to our clients, we include a section that describes the quality of the test suite associated with that project and we often suggest improvements. Unfortunately, such recommendations are often overlooked as audits are performed close to the launch deadline, and significant time and effort are required to improve test suites. 

A comprehensive test suite covers all use cases and as much of the implemented functionality as possible, and is able to immediately detect changes in functionality and prevent bugs from being introduced into the master branch. On the other hand, a test suite that does not cover all business use cases may lead to the introduction of functionality bugs when making changes to the code. 

One such bug was recently introduced during our engagement with the rDai project. Quantstamp provided a non-security related suggestion to improve the maintainability of the code and save gas in the “Best Practices” section of the audit report, namely: “The statement on lines 645 and 648 can be brought before the if-statement on L640 and the else-clause could be then removed.” 

At first glance this seems like a natural optimization in the code (Note that the line numbers in our recommendation do not match those in the screenshot below because, by the time the screenshot was taken, other changes had been made to the code. Just add 26 to each of the line numbers above to obtain the line numbers in the screenshot):


However, this code change introduced a functional bug that allowed some interest to be leaked, because the `estimateAndRecollectLoans` function called another function that was dependent on the value of `account.hatID`. The rDai team conducted a preliminary analysis of this bug and found its impact to be limited due to the small number of addresses affected and because the total amount of leaked interest is quite small.

As mentioned in the “Code Coverage” section of the audit report the test suite did not have a high enough coverage, which we recommended be increased. Unfortunately, this recommendation was not addressed immediately, which also meant that this functional bug was not detected by any failing tests. We understand that most clients want to improve their functional test suites; however, they do not always have the capacity to do so. Therefore, we have decided to lend a helping hand.

Quantstamp now offers functional test suite development as a service. If you are developing a blockchain application, Quantstamp can provide you with a customized functional test suite that covers all business use cases for your application. 

The Process

In order to develop the tests, clients first need to provide us with documentation and diagrams that clearly depict the appropriate functional behaviors they expect to see in their application. For example, the rDai project provided us with the list below so we would have the necessary information to start developing a tailor made functional test. rDai is a project that allows users to generate interest off of their Dai and give that interest to a specific person or organization. 



Test flow for a single functional test in the rDai smart contracts:

Quantstamp then developed a functional test that matched the desired functional behaviors outlined by rDai (PR with the code is here https://github.com/rtoken-project/rtoken-contracts/pull/24). This test is able to detect a functional bug that may be introduced in subsequent code changes, e.g. if a change was made that allowed old hat recipients to continue accumulating interest, even though they were not supposed to, this test would fail indicating that a functional bug was introduced. 

The complex functional test described above is just an example and could be part of an entire test suite that Quantstamp is able to develop for your project. Quantstamp has also developed an additional test (see https://github.com/rtoken-project/rtoken-contracts/pull/29) for the rDai project, with the aim of covering functionality that was not covered by any other test in the test suite. If you are interested in learning more about the functional test suite development services offered by Quantstamp, click on the link below. 

This post was written by Quantstamp Senior Research Engineer Sebastian Banescu, Ph.D and Quantstamp Staff Writer Julian Martinez. 


--

For more Quantstamp news or anything QSP crypto or QSP coin related, check out Quantstamp Reddit and QSP Twitter.

Quantstamp Labs
December 13, 2019

 The Benefit of Functional Test Suites

Quantstamp has audited close to 100 projects to date. In the audit reports we provide to our clients, we include a section that describes the quality of the test suite associated with that project and we often suggest improvements. Unfortunately, such recommendations are often overlooked as audits are performed close to the launch deadline, and significant time and effort are required to improve test suites. 

A comprehensive test suite covers all use cases and as much of the implemented functionality as possible, and is able to immediately detect changes in functionality and prevent bugs from being introduced into the master branch. On the other hand, a test suite that does not cover all business use cases may lead to the introduction of functionality bugs when making changes to the code. 

One such bug was recently introduced during our engagement with the rDai project. Quantstamp provided a non-security related suggestion to improve the maintainability of the code and save gas in the “Best Practices” section of the audit report, namely: “The statement on lines 645 and 648 can be brought before the if-statement on L640 and the else-clause could be then removed.” 

At first glance this seems like a natural optimization in the code (Note that the line numbers in our recommendation do not match those in the screenshot below because, by the time the screenshot was taken, other changes had been made to the code. Just add 26 to each of the line numbers above to obtain the line numbers in the screenshot):


However, this code change introduced a functional bug that allowed some interest to be leaked, because the `estimateAndRecollectLoans` function called another function that was dependent on the value of `account.hatID`. The rDai team conducted a preliminary analysis of this bug and found its impact to be limited due to the small number of addresses affected and because the total amount of leaked interest is quite small.

As mentioned in the “Code Coverage” section of the audit report the test suite did not have a high enough coverage, which we recommended be increased. Unfortunately, this recommendation was not addressed immediately, which also meant that this functional bug was not detected by any failing tests. We understand that most clients want to improve their functional test suites; however, they do not always have the capacity to do so. Therefore, we have decided to lend a helping hand.

Quantstamp now offers functional test suite development as a service. If you are developing a blockchain application, Quantstamp can provide you with a customized functional test suite that covers all business use cases for your application. 

The Process

In order to develop the tests, clients first need to provide us with documentation and diagrams that clearly depict the appropriate functional behaviors they expect to see in their application. For example, the rDai project provided us with the list below so we would have the necessary information to start developing a tailor made functional test. rDai is a project that allows users to generate interest off of their Dai and give that interest to a specific person or organization. 



Test flow for a single functional test in the rDai smart contracts:

Quantstamp then developed a functional test that matched the desired functional behaviors outlined by rDai (PR with the code is here https://github.com/rtoken-project/rtoken-contracts/pull/24). This test is able to detect a functional bug that may be introduced in subsequent code changes, e.g. if a change was made that allowed old hat recipients to continue accumulating interest, even though they were not supposed to, this test would fail indicating that a functional bug was introduced. 

The complex functional test described above is just an example and could be part of an entire test suite that Quantstamp is able to develop for your project. Quantstamp has also developed an additional test (see https://github.com/rtoken-project/rtoken-contracts/pull/29) for the rDai project, with the aim of covering functionality that was not covered by any other test in the test suite. If you are interested in learning more about the functional test suite development services offered by Quantstamp, click on the link below. 

This post was written by Quantstamp Senior Research Engineer Sebastian Banescu, Ph.D and Quantstamp Staff Writer Julian Martinez. 


--

For more Quantstamp news or anything QSP crypto or QSP coin related, check out Quantstamp Reddit and QSP Twitter.

Interested in receiving Functional Test Suite Development Services from Quantstamp?
Learn More
Interested in receiving Functional Test Suite Development Services from Quantstamp?
Learn More
Quantstamp Announcements

Monthly Hacks Roundup: April 2024

April was a hectic month for the web3 security landscape, including significant rug pulls and security hacks totaling over $103 million in losses. Read on as we dive into three major security incidents and some of the trends from last month.

Read more
Quantstamp Announcements

Monthly Hacks Roundup: March 2024

March was a volatile month for the web3 security landscape, with significant security breaches totalling over $152 million in losses. Read on as we dive into four major security incidents and the trends from last month 👇

Read more
Quantstamp Announcements

Modular Account: How Audits Can Help Shape Standards And Catalyze Mass Adoption

Quantstamp recently conducted a smart contract audit for Alchemy’s Modular Account, a wallet implementation designed from the ground up for ERC-4337 and ERC-6900 compatibility including two plugins

Read more
Quantstamp
Services
AuditsInfrastructure AuditsEconomic ExploitsInsuranceDeFi Protection
Resources
Audit ReportsAudit Readiness Guide
About
BlogTeamMediaCareers
Quantstamp
Back to Top
Follow
YouTubeGitHubLinkedInX
Quantstamp logo

Request an Audit

Quantstamp works with a wide variety of teams ranging from new DeFi protocols to established enterprises. 

Share some details about what you’re building and someone from our team will reach out as soon as possible. We appreciate your interest and look forward to hearing about your project!

Close
We received your request successfully

Thank you for expressing your interest in a smart contract audit. You will receive a confirmation email from us and our team will be in touch with you within the next few days.

In the meantime, please consider getting your code and documentation ready in accordance with the Audit Readiness Checklist.

Close
Oops! Something went wrong while submitting the form.
Quantstamp logo

Contact Our Press Team

Are you interested in writing about Quantstamp or learning more about us? 

Fill out the form and we will contact you shortly. We look forward to meeting you.

High-caliber team
Stellar track record
Chain agnostic
Strategic partnerships
Close
We received your request successfully

Thank you for contacting our press team. We will get in touch with you in the next few days.

Close
Oops! Something went wrong while submitting the form.
Quantstamp logo

Contact Us

Let us know how you would like to collaborate with us.

Close
Success
We received your request successfully

Thank you for expressing your interest in Quantstamp. We will contact you as soon as we review your message.

Close
Oops! Something went wrong while submitting the form.