#+Title: How to Test Your Super App
#+Subtitle: Reactor Workshop 2022-07-05
#+Author: Miao, ZhiCheng (hellwolf) / Superfluid
#+Email: miao@superfluid.finance
#+OPTIONS: num:nil toc:nil timestamp:nil
#+REVEAL_THEME: night
#+REVEAL_TRANS: Concave
#+REVEAL_EXTRA_CSS: ../css/sf-slide-dark2022.css
#+REVEAL_TITLE_SLIDE_BACKGROUND: ../images/sf-slide-dark2022-bg1.png
#+REVEAL_DEFAULT_SLIDE_BACKGROUND: ../images/sf-slide-dark2022-bg1.png

#+begin_notes :revisions
| Date       | Notes            |
|------------+------------------|
| 2022-07-05 | Reactor Workshop |
#+end_notes

* Testing Mindset
** Eat Your Vegetables
- Having higher confidence in what you built is rewarding.
- Anchoring that confidence in objective metrics is convincing.
- Lines of code in your test suite and test coverage percentages are useful, objective metrics.
#+ATTR_ORG: :width 480
#+ATTR_HTML: :width 60% :height 60%
[[file:EATVEGGIES.jpg]]
** Testing Is Productivity
*** Testsuite is your spec
- positive/happy cases
- negative cases (ownable/access control, bad inputs, etc.)
- non-functional cases (e.g. gas requirements)
*** Let testsuite help you
1. Detect regressions early by running your tests frequently.
2. Don't let untested changes pile up.
3. Write a test case for each newly discovered bug, so it cannot come back silently.
*** No dogma: TIMTOWTDI (there is more than one way to do it)
1. Always have an end-to-end test suite, even for a quick and dirty project.
2. Use test coverage to guide you to what needs more testing.
3. If time allows, do these:
   - Unit tests are guided missiles.
   - Fuzzing is carpet bombing.
** Security is Still About Testing
- Consider security requirements as non-functional requirements.
- Different types of these requirements need different tooling for testing.
*** External dependencies
- [[https://en.wikipedia.org/wiki/Threat_model][Threat Modeling]].
- Keeping up with the news.
*** Complex state machines
- Use Echidna/[[https://github.com/superfluid-finance/protocol-monorepo/tree/dev/packages/hot-fuzz][hot-fuzz]] to discover hidden call sequences.
*** Game theoretical/economic attacks
- Agent modeling and simulation.
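*** Example: an Echidna invariant for a toy Super App
The "complex state machines" bullet above is best shown with code. The following is an example added by the editor, not code from the Superfluid protocol or from hot-fuzz: ~ToyRedirectApp~ is a hypothetical stand-in for a Super App that forwards part of its incoming flow to a single receiver, its accounting is invented, and the ~on...~ functions only mimic the shape of Superfluid agreement callbacks. The harness ~ToyRedirectAppEchidna~ bounds the input space to three constructed sender addresses and declares two ~echidna_*~ properties; Echidna calls the harness's public functions in random sequences and checks every property after each call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Hypothetical stand-in for a Super App that redirects (part of) its inflow
/// to one receiver. Not Superfluid code: the accounting is invented for this
/// example, and the callbacks only mimic the shape of agreement callbacks.
contract ToyRedirectApp {
    int96 public inflow;                      // sum of all incoming flow rates
    int96 public outflow;                     // rate currently sent to the receiver
    mapping(address => int96) public inRate;  // per-sender incoming rate

    /// Stands in for afterAgreement{Created,Updated,Terminated}: a sender's
    /// incoming rate changed (0 means the flow was deleted).
    function onInflowChanged(address sender, int96 newRate) external {
        require(newRate >= 0, "negative rate");
        inflow = inflow - inRate[sender] + newRate;
        inRate[sender] = newRate;
        // The hidden sequence: a naive version that only checked the cap in
        // setOutflow breaks under (raise inflow, setOutflow, lower inflow).
        // The property below is what forces this rebalancing to exist.
        if (outflow > inflow) outflow = inflow;
    }

    /// The app must never promise more outflow than it receives.
    function setOutflow(int96 newRate) external {
        require(newRate >= 0 && newRate <= inflow, "over-committed");
        outflow = newRate;
    }
}

/// Echidna harness. It composes rather than inherits so that Echidna can only
/// reach the app through the bounded wrappers below.
contract ToyRedirectAppEchidna {
    ToyRedirectApp private app = new ToyRedirectApp();
    // Constructed sender addresses; keeping the set small lets the sum
    // property below iterate over every sender the fuzzer can touch.
    address[3] private senders = [address(0x10), address(0x20), address(0x30)];

    function changeInflow(uint8 who, uint64 rate) public {
        app.onInflowChanged(senders[who % 3], int96(uint96(rate)));
    }

    function changeOutflow(uint64 rate) public {
        app.setOutflow(int96(uint96(rate)));
    }

    // Protocol-style invariant: must hold after every call in every sequence.
    function echidna_never_overcommitted() public view returns (bool) {
        return app.outflow() <= app.inflow();
    }

    // Accounting invariant: the cached total equals the sum of the parts.
    function echidna_inflow_is_sum_of_senders() public view returns (bool) {
        int96 sum;
        for (uint256 i = 0; i < senders.length; i++) sum += app.inRate(senders[i]);
        return sum == app.inflow();
    }
}
```

Run it with ~echidna . --contract ToyRedirectAppEchidna~ (older releases name the binary ~echidna-test~). Delete the rebalancing line in ~onInflowChanged~ and Echidna reports a short counterexample of the form ~changeInflow(0, 100); changeOutflow(100); changeInflow(0, 0)~, which is the "hidden sequence" a single-call unit test would never exercise.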
*** Language and Virtual Machine Specifics
- Learn idiomatic Solidity programming styles: https://docs.openzeppelin.com/
- EVM expert knowledge.
* How Superfluid Protocol is Tested
** Tooling (Demo)
*** Truffle/Hardhat
- Full coverage of functional requirements
- Development trick: focus on a single test with ~it.only~
- Examine [[https://codecov.io/gh/superfluid-finance/protocol-monorepo/tree/dev/packages/ethereum-contracts/contracts][code coverage]]
*** Foundry
- Fuzzing for better unit testing
*** HotFuzz
- Protocol-level invariants checked under randomized call sequences
* How Super App Can Be Tested
** Truffle/Hardhat vs Foundry
- Foundry pros: faster feedback loop, native fuzzing support.
- Foundry cons: no dapp-side code sharing, less mature test-tooling support.
- Truffle/Hardhat pros: TypeScript/JavaScript has a lower learning curve, and test code resembles dapp-side code.
- Truffle/Hardhat cons: much slower, no native fuzzing support.
** Try hot-fuzz
** Demo
* Further Readings
- [[https://github.com/crytic/awesome-ethereum-security][Awesome Ethereum Security]]
- [[https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling][Microsoft Threat Modeling]]
- [[https://www.researchgate.net/publication/220116660_Tutorial_on_agent-based_modelling_and_simulation][Tutorial on agent-based modelling and simulation]]
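* Appendix: A Foundry Test Suite for a Toy Super App
The "Testsuite is your spec" slide lists positive, negative and non-functional cases, and the Foundry slide adds fuzzing. The following example, added by the editor and not taken from the Superfluid protocol or its test suite, shows all four in one Foundry test contract. ~ToyFlowApp~ is a hypothetical stand-in for a Super App: the one property it keeps from real Super Apps is that agreement callbacks must only be callable by the Superfluid host, while the flow accounting and the ~onFlow...~ function names are invented. ~HOST~ and ~ALICE~ are constructed addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

/// Hypothetical stand-in for a Super App. Not Superfluid code: only the
/// host-only callback rule is taken from real Super Apps; the accounting
/// and function names are invented for this example.
contract ToyFlowApp {
    address public immutable host;
    mapping(address => int96) public flowRateOf;
    int96 public totalInflow;

    error OnlyHost();
    error InvalidFlowRate();

    constructor(address host_) {
        host = host_;
    }

    /// Stands in for afterAgreementCreated: only the host may call it.
    function onFlowCreated(address sender, int96 flowRate) external {
        if (msg.sender != host) revert OnlyHost();
        if (flowRate <= 0) revert InvalidFlowRate();
        flowRateOf[sender] = flowRate;
        totalInflow += flowRate;
    }

    /// Stands in for afterAgreementTerminated: only the host may call it.
    function onFlowDeleted(address sender) external {
        if (msg.sender != host) revert OnlyHost();
        totalInflow -= flowRateOf[sender];
        delete flowRateOf[sender];
    }
}

contract ToyFlowAppTest is Test {
    address constant HOST = address(0xBEEF);   // constructed host address
    address constant ALICE = address(0xA11CE); // constructed sender address
    ToyFlowApp app;

    function setUp() public {
        app = new ToyFlowApp(HOST);
    }

    // Positive/happy case.
    function testHostCanCreateFlow() public {
        vm.prank(HOST);
        app.onFlowCreated(ALICE, 100);
        assertEq(app.flowRateOf(ALICE), 100);
        assertEq(app.totalInflow(), 100);
    }

    // Negative case, access control: fuzzed over every caller that is not
    // the host, so the fuzzer supplies the addresses you would forget.
    function testFuzz_OnlyHostCanCreateFlow(address caller, int96 flowRate) public {
        vm.assume(caller != HOST);
        vm.prank(caller);
        vm.expectRevert(ToyFlowApp.OnlyHost.selector);
        app.onFlowCreated(ALICE, flowRate);
    }

    // Negative case, bad input.
    function testRejectsNonPositiveFlowRate() public {
        vm.prank(HOST);
        vm.expectRevert(ToyFlowApp.InvalidFlowRate.selector);
        app.onFlowCreated(ALICE, 0);
    }

    // Fuzzed state property: create followed by delete leaves no residue.
    function testFuzz_CreateThenDeleteLeavesNoResidue(address sender, int96 flowRate) public {
        vm.assume(flowRate > 0);
        vm.startPrank(HOST);
        app.onFlowCreated(sender, flowRate);
        assertEq(app.totalInflow(), flowRate);
        app.onFlowDeleted(sender);
        vm.stopPrank();
        assertEq(app.totalInflow(), 0);
        assertEq(app.flowRateOf(sender), 0);
    }

    // Non-functional case: callbacks run inside the gas budget the host
    // gives them, so guard against accidental gas growth. The bound is
    // illustrative; set it from a measured baseline.
    function testCallbackGasBudget() public {
        vm.prank(HOST);
        uint256 before = gasleft();
        app.onFlowCreated(ALICE, 100);
        uint256 used = before - gasleft();
        assertLt(used, 100_000);
    }
}
```

Run with ~forge test -vvv~; ~forge test --gas-report~ gives the per-function numbers to derive a realistic gas bound from, and a failing fuzz case prints the concrete ~caller~ or ~flowRate~ that broke the property, which is the input to turn into a fixed regression test.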