Skip to content

Security Testing Overview

ClearPath implements comprehensive automated security testing and analysis for all smart contracts. This section documents the security testing tools, methodologies, and CI/CD automation.

Testing Layers

The security testing strategy includes multiple complementary approaches:

1. Unit Testing

Comprehensive test coverage using Hardhat with gas optimization and coverage reporting.

What it tests: - Functional correctness of individual contract methods - Edge cases and boundary conditions - Access control and permissions - Event emissions and state changes

2. Static Analysis

Automated vulnerability detection using Slither.

What it tests: - Common vulnerability patterns (reentrancy, overflow, etc.) - Code quality and best practices - Optimization opportunities - Dangerous constructs and anti-patterns

3. Symbolic Execution

Deep path exploration using Manticore.

What it tests: - All possible execution paths - Assertion violations - Integer overflow/underflow conditions - Complex multi-transaction scenarios

4. Fuzz Testing

Property-based testing using Medusa.

What it tests: - Contract invariants under random inputs - Unexpected behavior with edge case data - State consistency across multiple operations - Boundary violations and constraint breaking

CI/CD Automation

All security tests run automatically via GitHub Actions on:

  • Pull requests to main or develop branches
  • Direct pushes to protected branches
  • Weekly scheduled runs (Mondays at 00:00 UTC)
  • Manual workflow dispatch

Workflow: .github/workflows/security-testing.yml

Test Results

All test results are:

  • Uploaded as workflow artifacts (30-day retention)
  • Summarized in the GitHub Actions UI
  • Available for download and review

See the CI/CD Configuration page for details on maintaining and updating the automation.

Quick Start

# Run all unit tests
npm test

# Run tests with gas reporting
npm run test:gas

# Run coverage analysis
npm run test:coverage

# Run Slither analysis
slither . --config-file slither.config.json

# Run Manticore symbolic execution (using shell timeout)
timeout 300 manticore contracts/ProposalRegistry.sol --contract ProposalRegistry

# Run Medusa fuzzing
medusa fuzz --timeout 300

Security Best Practices

When developing smart contracts for ClearPath:

  1. Write comprehensive unit tests for all new functionality
  2. Add property tests for critical invariants
  3. Review static analysis results before merging
  4. Fix high and medium severity issues immediately
  5. Document security assumptions in code comments
  6. Follow OpenZeppelin patterns for common functionality

Additional Resources