Audit Everything
The first time a test destroyed my “perfect” smart contract, it wasn’t a hacker. It was my own dev environment. I had just finished an AI‑assisted Solidity contract. Clean code. No compiler warnings. A few happy‑path tests passing.
Then I switched frameworks, hit one command… and watched a fuzz test tear it apart. Same contract. Same logic. Different tools.
That’s when it clicked:
How you develop and test your contracts (Hardhat, Foundry, static analyzers) matters almost as much as what you write.
This is Day 31 of the 60‑Day Web3 journey.
Why Dev Tools Matter More Now
By now in this series, you’ve:
Written and deployed simple contracts.Seen how bugs like reentrancy can drain real money.Watched AI generate “working” Solidity that still hides security traps.
The current reality:
Smart contract exploits still cost users hundreds of millions each year.Security standards like the OWASP Smart Contract Top 10 and audit firm guides push for tests, fuzzing, and static analysis, not just “it compiles.”Most serious teams use some mix of:A dev framework (Hardhat / Foundry)Automated tests (unit, integration, fuzz)Static analysis tools (Slither, Aderyn)
So if you’re learning Web3 today, you’re not just learning Solidity syntax. You’re learning a workflow.
Hardhat — The JavaScript Sidekick
Hardhat has been one of the default Ethereum dev tools for years, and it’s still heavily used.
Think of Hardhat as your full‑stack dev companion:
You write tests and scripts in JavaScript or TypeScript.You deploy contracts, fork mainnet, run tasks, and hook into frontend tooling.You get a big plugin ecosystem (Ethers.js, OpenZeppelin, gas reporters, coverage, etc.).
Why beginners and product teams love it:
If you come from web2 or React, JS/TS tests feel natural.It plays nicely with infra like MetaMask, Alchemy, and Infura.You can simulate real user flows using mainnet forking in local tests.
Weak spots:
Tests live in JS/TS while contracts live in Solidity. That context switch makes some people slower.Fuzzing and advanced testing are usually plugin‑based rather than built‑in.
Hardhat shines when:
You’re building a dApp with a frontend.You want rich tooling and integrations.You think in “product flows” as much as “raw Solidity.”
Foundry — The Solidity‑Native Power Tool
Foundry has quickly become a favorite for Solidity‑heavy and security‑minded work.
Think of Foundry as your high‑performance testing and security rig:
You write tests directly in Solidity.You run them with forge test.You get built‑in fuzzing, invariant tests, cheatcodes, and very fast compile times.
Key advantages:
Speed: Benchmarks show Foundry compiling and running tests several times faster than traditional JS‑based setups.Solidity‑first: No JS/TS layer; your tests are contracts. You stay in one language and think like the EVM.Security‑friendly: Fuzzing and invariants are first‑class, which is exactly what modern security guides recommend.
Why this matters after your last articles:
When you’re reviewing AI‑generated contracts, fuzz tests can hit weird inputs you would never think of.When you’re worried about reentrancy or logic bugs, invariants help you say: “No matter what inputs the fuzzer tries, total balances never go negative.”
Foundry shines when:
You care deeply about Solidity correctness and security.You’re okay living mostly in Solidity.You want to iterate on tests and contracts fast.
So… Hardhat or Foundry?
For most builders, the honest answer is often: both, depending on the job.
Use this mental model:
Hardhat = Product and integration focus
JS/TS tests, mainnet forking, plugin ecosystem, frontend/devops integrations.
Foundry = Solidity and security focus
Fast compile/test loop, Solidity tests, built‑in fuzzing & invariants.
You don’t have to marry one tool forever.
You can prototype and test core logic with Foundry.Then use Hardhat for deployment scripts, mainnet forks, and frontend integration.
For this 60‑day journey:
If you’re just getting comfortable with Solidity, starting with Foundry tests can actually teach you more Solidity faster.If you’re more comfortable in JS/TS, Hardhat is a gentle on‑ramp into smart contracts.
The real mistake isn’t picking the “wrong” framework.
It’s not using any framework seriously and relying only on Remix + hope.
Where Slither and Aderyn Fit:
On the last article, A medium follower, MihaiHng commented:
“Besides manual review checking for the CEI pattern to be respected, there are some static analysis tools that are very helpful, like Slither, Aderyn.”
He’s absolutely right.
Manual review + CEI is important…
…but modern security culture assumes you will miss things.
That’s where static analyzers come in:
Slither (by Trail of Bits)
One of the most widely used Solidity static analysis tools.Detects common vulnerabilities (including reentrancy, access control issues, and dangerous patterns) quickly.Integrates nicely into CI and with both Hardhat and Foundry projects.
Aderyn (by Cyfrin)
A modern static analyzer focused on Solidity projects.Has first‑class support for Foundry and Hardhat layouts.Can generate reports in JSON/Markdown/SARIF and plugs into VS Code for in‑editor feedback.
In a realistic workflow:
You write tests in Hardhat or Foundry.You run fuzzing/invariants for deeper coverage.You also run Slither/Aderyn to catch patterns humans and tests might miss.
A Dev Workflow You Can Copy
Here’s a lightweight process you can actually run on your next contract:
Prototype
Use AI (carefully) plus your own edits to draft the Solidity.Keep contracts small and focused.
Pick a framework
If you’re in JS land: Hardhat project, JS/TS tests.If you’re in Solidity land: Foundry project, Solidity tests.
Write basic tests
Happy‑path unit tests: deposits, withdrawals, state changes.A few “annoying user” cases (zero values, big values, repeated calls).
Add fuzzing / invariants
In Foundry: use built‑in fuzz tests and invariants.In Hardhat: add fuzzing via plugins or external tools if needed.
Run static analysis
Slither: quick scan for known bug patterns.Aderyn: extra detectors plus better integration with modern stacks.
Only then think about testnet / mainnet
After tests + fuzzing + static analysis are green, deploy to a testnet (like Sepolia).Share the address with your community for more eyes.
This is the kind of workflow audit firms and serious teams expect now.
Key Takeaway
The question isn’t “Hardhat or Foundry?”
It’s:
“How many layers of safety am I putting between my code and mainnet?”
Hardhat gives you rich JS/TS tooling and real‑world flows.
Foundry gives you speed, Solidity‑native tests, fuzzing, and invariants.
Slither and Aderyn give you automated eyes that never get tired.
Use whichever mix helps you:
Ship faster and safer.Catch AI‑introduced bugs before attackers do.Build the habits real Web3 teams already expect from a developer or DevRel.
Because in the end, no one will remember which framework you used.
They’ll remember whether your contracts stayed safe when it mattered.
What’s Coming Next
Today’s article zoomed out and asked:
“How do real‑world teams actually develop and test smart contracts?”
Tomorrow, the plan is to zoom back in and do this end‑to‑end on a real contract:
Take a small AI‑generated Solidity contract.Wrap it in a Foundry project.Add a handful of tests, then fuzzing and an invariant.Run Slither or Aderyn once and see what they catch before any testnet deploy.
Think of today as the map of the territory.
Tomorrow, we’ll walk a full path through it together, step by step.
Resources to Go Deeper
🔗 Solidity Docs — Security Considerations
Official language docs explaining why external calls are dangerous and how to structure state changes safely.
🔗 ConsenSys Diligence — Smart Contract Best Practices
Classic reference for the attack pattern, checks‑effects‑interactions, and common pitfalls.
🔗 OpenZeppelin Contracts — ReentrancyGuard
The de‑facto standard implementation of a reentrancy lock; perfect for understanding how to actually use the pattern.
🔗 Foundry Documentation
Complete guide to installing, testing with fuzz, invariants, and cheatcodes.
Follow the series on Medium | Twitter | Future
Jump into Web3ForHumans on Telegram and let’s build together.
The Test That Broke My “Perfect” Contract was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.