Security Tools & Testing Infrastructure

This section covers the various tools and infrastructure available for securing and testing your Polkadot/Substrate-based system. These tools help catch issues early, validate functionality, and ensure system security.

Supply Chain Management

  • PSVM - A tool for managing your Polkadot dependencies in a precise and secure way.
  • Cargo Vet - A tool for auditing your Cargo.toml file to check if your dependencies are audited.
  • Cargo Audit - A tool for auditing your Cargo.lock file to check if your dependencies have any known vulnerabilities.

Static Analysers

Static analysis tools help catch common issues and enforce best practices without running the code:

  • Clippy - The official Rust linter that catches common mistakes and suggests improvements. Includes specific lints for Substrate/Polkadot development.
  • Dylint - A tool for running custom Rust lints, including specialized ones for runtime development and common security pitfalls.

Unit Testing

Tools for testing individual components in isolation:

  • XCM Simulator - Test cross-chain message passing logic in a controlled environment without full network setup.
  • Nextest - A modern, fast test runner for Rust with improved parallel test execution and better reporting.

Integration Testing

For testing multiple components working together:

  • XCM Emulator - Test cross-chain XCM interactions between multiple parachains and relay chains in a simulated environment.
  • Try Runtime - Test runtime upgrades and state transitions against real chain state without affecting the live network.

Fuzzing

Automated testing tools that generate random inputs to find edge cases and vulnerabilities:

  • Substrate Runtime Fuzzer - Integrate your runtime and test everything at once. Supports multiple fuzzing engines:
    • AFL (American Fuzzy Lop) - Traditional coverage-guided fuzzing
    • Honggfuzz - Modern, multi-threaded fuzzing with hardware support

Find more information in the Fuzzing section.

E2E Testing

End-to-end testing tools for validating full system behavior:

  • Zombienet - A testing framework for spawning and testing Polkadot/Substrate networks, with SDK support for custom test scenarios.
  • Zombienet SDK - A library for building custom test scenarios for Zombienet in Rust.
  • Chopsticks - A mock execution environment for testing parachain logic against real network state.

Testnets

Public test networks for safely deploying and validating changes:

  • Rococo - The primary testnet for parachain teams, featuring regular resets and testing slots.
  • Westend - Long-running testnet that mirrors Polkadot's configuration, ideal for validator testing.
  • Paseo - Specialized testnet for testing specific features or scenarios.

Canary Network

Production environment for early detection of issues:

  • Kusama - The canary network for Polkadot, running new features in a real economic environment.

When to use each tool

Use these tools to tackle common vulnerabilities, following this table as a guide:

Vulnerability                     | Tools / Recommended
----------------------------------|-----------------------------------------------------------------
1. Insecure Benchmarking          | Fuzzing, E2E, Testnets, Canary Networks
2. Runtime Misconfiguration       | Integration Testing, Fuzzing, E2E, Testnets, Canary Networks
3. Insecure Randomness            | E2E, Testnets, Canary Networks
4. Unsafe Math                    | All (Using Release Build) / Fuzzing
5. Reachable Panics               | All (Using Release Build) / Fuzzing
6. Storage Exhaustion             | All Tools Mentioned Before
7. Replay Issues                  | All Tools Mentioned Before
8. Outdated Crates                | All (Partially / Limited Scope) / Supply Chain Management
9. Data Mishandling               | All Tools Mentioned Before
10. Inconsistent Error Handling   | All Tools Mentioned Before

Additional Resources

For detailed guides on using these tools, see the individual tool documentation in the following sections.