Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Auditing without Foundry in 2026 is like reverse engineering without Ghidra. Foundry's forge gives you fast fuzz, invariant, and fork tests; cast gives you arbitrary on-chain calls; chisel gives you a Solidity REPL. Modern audits are written as Foundry test suites — vulnerability proven by a failing assertion, fix proven by the same assertion now passing.
An audit finding in 2026 looks like a .t.sol file: function test_reentrancy_drain() public { vm.deal(attacker, 0); pool.deposit{value: 1 ether}(); ... assertGt(attacker.balance, 1 ether); }. The test IS the proof of vulnerability.
curl -L https://foundry.paradigm.xyz | bash && foundryup). Clone a deliberately-vulnerable repo (Damn Vulnerable DeFi). Run forge test. Watch a known exploit fire.invariant_*) that would have caught the bug even without a known PoC. Run with --fuzz-runs 100000.Use these three in order. Each builds on the one before.
In one paragraph, explain why Foundry replaced Hardhat for audit work.
Walk me through `vm.startPrank`, `vm.warp`, and `vm.deal` in a fork test.
Design a Foundry-based CI pipeline that runs your full invariant suite on every PR.
# Fork the target's deployment block
forge test --fork-url $RPC --fork-block-number 18900000 -vvv --match-test test_exploit
# Run the fuzzer for 4 hours on critical invariants
forge test --match-test invariant_ --fuzz-runs 100000
# Drop into chisel for a 1-shot Solidity question
chisel --fork-url $RPC