Skip to content

Instantly share code, notes, and snippets.

@mablr
Last active July 3, 2026 07:48
Show Gist options
  • Select an option

  • Save mablr/809cf667535362288280aa2304372673 to your computer and use it in GitHub Desktop.

Select an option

Save mablr/809cf667535362288280aa2304372673 to your computer and use it in GitHub Desktop.

Foundry v1.8.0

Foundry v1.8.0 is a testing-heavy release. It ships native symbolic testing, mutation testing, and major fuzzing and invariant improvements, while making isolate mode the default after a series of compatibility fixes. This release also ships the Rust foundryup, expands forge lint with a large set of security and gas detectors, and continues the structured CLI output work across Forge and Cast.

Highlights

Testing, Fuzzing, and Symbolic Execution

Testing is the main theme of v1.8.0. The release expands the ways Forge can find failures, make them reproducible, and turn them into smaller actionable counterexamples.

  • Native symbolic testing landed in Forge as a first-class testing mode (#14796). The follow-up work makes symbolic failures practical to consume: JSON result output, replayable counterexample artifacts, single-call and stateful artifact replay, minimized counterexamples, stateful counterexample minimization, and symbolic-to-fuzz corpus seeding (#15139, #15217, #15325, #15288, #15335, #15354).
  • Symbolic execution coverage and performance improved with support for KZG precompile witnesses, ADDMOD / MULMOD, Cancun SELFDESTRUCT semantics, selector pruning, deploy-code modeling, reduced execution overhead, byte-preserving solving, and dedicated symbolic benchmarks (#15157, #15172, #15179, #15180, #15374, #15395, #15396).
  • Mutation testing is now available in Forge, giving test suites a direct way to check whether assertions actually catch behavioral changes (#13091). The cycle also added mutation compiler overrides and fixed dynamic linking, Windows source-path normalization, and misleading score reporting while the feature was hardened (#15284, #15105, #15044, #15104).
  • Fuzzing now feeds itself better through invariant corpus seeding from observed calls, constant folding for common Solidity expressions, comparison-log sampling, configurable fuzzer ensemble defaults, validation of showmap override names, and safer enum input generation (#15220, #15189, #15234, #15235, #15410, #15375).
  • Corpus replay and coverage tooling improved with AFL showmap-style corpus replay, collision-free EVM edge coverage, comparison operand logging, faster showmap hit accumulation, bounded replay failure output, and scoped corpus-root coverage (#14675, #14853, #14801, #15279, #15414, #15412).
  • Invariant campaigns are faster and more scalable through campaign sharding, per-test-contract grouping, worker defaults derived from --jobs, reduced memory retention, better corpus finalization, cached dynamic target matches, and cheaper metric/log decoding (#14989, #14844, #15047, #15070, #15057, #15372, #15282).
  • --isolate is now the default for Forge tests, backed by compatibility fixes for cheatcodes, state diffs, SELFDESTRUCT, reverted creates, and the new vm.isIsolateMode() runtime check (#15226, #14493, #15382, #15385, #14637, #15411).
  • New forge fuzz commands make persisted corpora easier to use directly from the CLI: run, replay, show, select, and minimize fuzz cases without manually digging through corpus files (#14522, #15227, #15517).

Security Lints

forge lint gained a broad set of security, correctness, and gas detectors, with project-wide analysis support and nearly complete Slither/Aderyn parity.

Notable additions include:

  • arbitrary-send-eth, arbitrary-send-erc20, and arbitrary-send-erc20-permit (#14943, #14677, #15037).
  • reentrancy-eth, reentrancy-no-eth, and reentrancy-events (#14970, #15000, #14882).
  • controlled-delegatecall, delegatecall-loop, calls-loop, and return-bomb (#15046, #14752, #14778, #14793).
  • missing-events-access-control, missing-events-arithmetic, missing-zero-check, and event-fields (#14954, #14907, #14460, #14751).
  • incorrect-modifier, incorrect-exp, incorrect-strict-equality, type-based-tautology, and tautological-compare (#15201, #15213, #14749, #14697, #15203).

Tempo

Tempo support continued to mature after the v1.7.0 upstreaming work. The 1.8 cycle adds wallet sessions, receive-policy tooling, T5/T6 compatibility updates, richer trace/debugger decoding, and more complete Forge/Cast/Anvil integration.

  • Wallet sessions and access-key flows now cover Cast transaction commands, batch sends, Forge scripts, policy commands, session create/revoke flows, non-EOA KeyAuthorization signing, and cast keychain doctor (#15075, #15081, #15085, #15096, #14916, #14978, #14996, #14743, #14766).
  • Receive-policy and fee-token tooling landed across Cast and the shared provider stack, including receive-policy commands, T6 guards, resolved fee-token display, and on-chain fee-token symbol resolution (#15195, #15239, #15130, #15158, #15161).
  • T5/T6 includes T5 payment lane classification, implicit approval behavior and cheatcodes, channel reserve precompile support, T6 admin access-key authorization tooling, receive-policy receipt decoding, and local regression coverage (#15051, #15022, #15036, #15193, #15280, #15129, #15222, #15346).
  • Anvil and execution fixes cover Tempo fork coinbase selection, T5 hardfork selection, nonce lanes, valid-after checks, create expiry handling, and latest hardfork defaults in tests (#14964, #14997, #14896, #14469, #14912, #14850).
  • Trace and debugger support now decodes Tempo T5 surfaces and shows chain-aware precompile clues for Tempo-specific debugging (#15032, #15383).

Distribution and foundryup

The Rust foundryup is fully shipped in this release. Alongside the migration, release resolution was hardened to avoid GitHub API rate limits, skip unready nightly releases, preserve --path symlinks, create missing binary directories before activation, and mirror tag resolution consistently between install and use flows (#15337, #15148, #15356, #15370, #14908, #14968, #14611).

Release security also improved with signed archives, Docker image signing, and SBOM publishing (#14563).

Debugger and TUI

The debugger gained a shared TUI foundation, non-interactive fallback handling, layout selection, opcode search, storage access views, scoped variables, stack-word previews, gas stats, goto-PC support, and better precompile hints (#14710, #14720, #14725, #14780, #15171, #15211, #15218, #15141, #15140, #15100, #15049, #15379, #15383).

Forge can also emit EVM execution profiles for Speedscope via --evm-profile (#15394).

Structured CLI Output

Foundry continued the stdout/stderr and JSON-output cleanup started in earlier releases. Forge and Cast commands now use shared JSON envelopes more consistently, long-running Forge test JSON output can stream as NDJSON, and many commands moved prose/status text off stdout (#14716, #14727, #14774, #14775, #14899, #14909, #14918, #14986, #15021).

Breaking / Behavior Changes

Isolate Mode Is the Default

Forge tests now run in isolate mode by default (#15226). This is the main behavior change in v1.8.0: each test gets a cleaner execution boundary, making test results less dependent on accidental state shared across test cases.

The default flip landed after a series of compatibility fixes and hot fixes that made isolate mode viable for real projects:

  • vm.fee, vm.txGasPrice, and vm.blobhashes now work under isolate mode (#14493).
  • CREATE addresses and CreatedLocal state are preserved correctly across reverted isolated flows, including SELFDESTRUCT cases (#14637, #15385).
  • State-diff recording no longer warms slots or recorded cold accesses while recording, preserving cold-access semantics (#15382, #15404).
  • Invariant and fuzz replay paths gained follow-up fixes around persisted corpus entries and replay failure output (#15349, #15414).
  • vm.isIsolateMode() lets tests and helpers detect the effective isolation mode at runtime, including cases where another feature enables isolation for the run (#15411).

Projects with tests that depended on shared, non-isolated state should review failures under the new default. Use explicit configuration only when a suite intentionally depends on non-isolated behavior.

Other Behavior Changes

  • Invariant tests now assert all invariants by default through assert_all (#12587).
  • NPM package publishing was deprecated in this cycle (#14811).
  • forge lint includes info rules by default again (#15331).

Upgrade Notes

  • If you parse Forge or Cast stdout, check the relevant command output: many commands now keep primary structured output on stdout and move diagnostics/progress to stderr.
  • If you install through foundryup, the Rust implementation is now the shipped implementation for this release.

Benchmarks

https://www.getfoundry.sh/benchmarks

Other Notable Changes

Forge, Config, and Compilation

  • forge inspect can print contract artifact JSON (#15242).
  • vm.getCode can specify the compilation profile (#13191).
  • [profile.<name>.coverage] config sections are supported (#14599).
  • Contract size limits are configurable (#14761).
  • Solidity --experimental is supported through config (#15177).
  • Extended Vyper settings are exposed (#14739).
  • forge fmt preserves indentation for uninitialized state variables with override attributes (#15153).
  • Forge scripts now invalidate fork-cache entries after state-mutating vm.rpc and vm.rpcJson calls, fixing stale-state broadcast replays (#15507).

Verification

  • forge verify-contract can submit to Etherscan and Sourcify in one go (#15124).
  • Verification accepts SPDX identifiers and Etherscan license types (#15162, #14975).
  • Bytecode verification fixes cover canonical source paths, fork chain IDs, full-project compilation for path targets, and Sourcify fallback behavior (#15417, #15378, #15475, #14765).

Forge Doc and Chisel

  • forge doc was migrated from Solang to Solar and Vocs (#14447, #14568).
  • Chisel was migrated to Solar and now dispatches by EVM network (#14532, #14813).

Network and EVM Support

  • EIP-4788 beacon roots and EIP-2935 history storage are supported (#15371, #15406).
  • Amsterdam hardfork mapping was added and Osaka remains the default (#14683).
  • Optimism dependencies are now feature-gated across the workspace (#14572, #14577, #14581, #14593, #14596, #14600).

Anvil

Anvil gained a large RPC-compatibility pass:

  • New RPC support for eth_baseFee, eth_getHeaderByNumber, eth_getHeaderByHash, eth_pendingTransactions, eth_resend, txpool_contentFrom, receipt subscriptions, syncing subscriptions, create-access-list overrides, and access-list results for reverting calls (#15419, #15420, #15422, #15423, #15136, #15421, #15428, #15427, #15425, #14569).
  • Debug RPC additions for raw receipts, clearing the txpool, modified accounts by number, and freeing OS memory (#15433, #15429, #15468, #15458).
  • Safer state loading, block hash cache restoration, genesis number handling, transaction pooling, and numeric RPC parsing (#14624, #15167, #14488, #14891, #14650, #14658).
  • --fund-accounts, default JS tracer support, and better tracer config compatibility (#14392, #14745, #15199).

Full Changelog

v1.7.1...v1.8.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment