Lesson 18: Testing Forta Bots (Unit Tests, Stateful Tests, and Fuzzing)

Security is about knowing that your detection logic works before it hits production.

Today’s meditation: How do you test a Forta bot like a true security monk?

---

Why Testing is important in Security Monitoring

A Forta bot is like a watchtower. If the lens is cracked or misaligned:

• You will miss real attacks (false negatives)

• Or you will spam alerts and drown signal in noise (false positives)

Testing ensures your bot does:

* Detect what it should
* Ignore what it must
* Handle edge cases like a pro

---

Three Types of Forta Bot Testing

---

1. Unit Testing with Jest

Jest is a Node.js test runner perfect for Forta bot logic.

Basic Example

const agent = require("./agent");

test("detects high ETH transfer", async () => {
  const txEvent = createTxEvent({
    from: "0x123",
    to: "0xabc",
    value: "2000000000000000000000" // 2000 ETH
  });

  const findings = await agent.handleTransaction(txEvent);
  expect(findings).toHaveLength(1);
  expect(findings[0].name).toEqual("High ETH Transfer");
});

Use mocks or sample events to simulate txs, blocks or logs.

---

2. Stateful Testing

Let’s say your bot tracks a wallet’s behavior over time.

You must simulate multiple blocks or txs:

const state = require("./store");

test("detects 5 swaps in 10 minutes", async () => {
  for (let i = 0; i < 5; i++) {
    const tx = createTxEvent({ from: "0xabc", timestamp: Date.now() + i * 60 });
    await agent.handleTransaction(tx);
  }
  const findings = await agent.handleTransaction(lastTx);
  expect(findings).toHaveLength(1);
});

It’s better to reset state before each test using beforeEach().

---

3. Fuzz Testing

This means feeding your bot many randomized inputs to:

• Catch rare edge cases

• Trigger uncaught exceptions

• Test performance under weird conditions

There’s no built-in tool for this, but you can write a script:

for (let i = 0; i < 1000; i++) {
  const val = Math.floor(Math.random() * 10 ** 24).toString();
  const tx = createTxEvent({ value: val });
  try {
    await agent.handleTransaction(tx);
  } catch (e) {
    console.error("Error on input:", val);
  }
}

Useful for simulating failures and strengthening system reliability.

---

Mocking Forta Events

You can use:

• forta-agent-tools helper library with TestTransactionEvent, etc.

• Custom helpers (createTxEvent, createBlockEvent) to simulate transaction and block events with fake data for testing purposes.

Example:

function createTxEvent(data) {
  return {
    from: data.from,
    to: data.to,
    value: data.value,
    chainId: 1
  };
}

---

Best Practices for Forta Bot Testing

You can try using jest --coverage to see which code paths your tests hit. The uncovered code is still untested code, and untested code is a security hole waiting to happen. Test as much as you can.

---

Key Concepts Recap

• Testing Forta bots protects you from false positives/negatives

• Use Jest for unit testing and mocking inputs

• Test stateful logic by simulating sequences over time

• Fuzz test with randomized data to break assumptions

• Automate all this in CI before deployment

Next lesson, we will look at gas usage optimization, making sure your bot doesn’t burn unnecessary ETH.

Until next meditation,
The Blockchain Security Monk