Comprehensive test checklist to identify failure points, race conditions, and unsafe assumptions before mainnet deployment.
Constraints:
- NO mainnet deployment
- NO gas spending
- Assume hostile or careless users
Test Cases:
-
During transaction signing: Disconnect wallet while MetaMask popup is open
- Expected: Transaction should be cancelled, UI should show disconnected state
- Risk: Transaction might be submitted with wrong account or fail silently
-
During transaction confirmation: Disconnect wallet while
tx.wait()is pending- Expected: Error should be caught, loading state cleared, user notified
- Risk: UI stuck in loading state, transaction state lost
-
During balance refresh: Disconnect wallet while fetching balance
- Expected: Error handled gracefully, balance shows 0 or "Disconnected"
- Risk: Stale balance displayed, incorrect UI state
Manual Test Steps:
- Connect wallet
- Start any transaction (staking, loan creation)
- While MetaMask popup is open, disconnect wallet in MetaMask
- Observe UI behavior and error messages
Test Cases:
-
Switch network during transaction signing
- Expected: Transaction should fail with clear error, page should reload
- Risk: Transaction sent to wrong network, funds lost
-
Switch network during
tx.wait()- Expected: Transaction wait should timeout or fail, error shown
- Risk: UI stuck waiting forever, transaction state unknown
-
Switch network while loading data (score, loans, staking info)
- Expected: Requests should be cancelled, error shown, or data cleared
- Risk: Stale data from wrong network displayed
Manual Test Steps:
- Connect wallet on QIE Testnet
- Start a transaction (e.g., stake tokens)
- While transaction is pending, switch to Ethereum Mainnet in MetaMask
- Observe error handling and UI state
Test Cases:
-
Switch account during transaction
- Expected: Transaction should fail (wrong signer), error shown
- Risk: Transaction sent from wrong account
-
Switch account while data is loading
- Expected: Data should refresh for new account, old data cleared
- Risk: Data from old account shown for new account
Manual Test Steps:
- Connect Account A
- Start loading score/loans
- Switch to Account B in MetaMask
- Verify data updates correctly
Test Cases:
-
Rapid button clicks: Click "Stake" or "Accept Offer" multiple times quickly
- Expected: Only one transaction submitted, button disabled during processing
- Risk: Multiple transactions, wasted gas, unexpected state
-
Transaction already pending: Try to submit another transaction while one is pending
- Expected: Second transaction blocked with clear message
- Risk: Multiple pending transactions, state confusion
Manual Test Steps:
- Click "Stake" button
- Immediately click again 5-10 times before MetaMask popup appears
- Verify only one transaction is created
Test Cases:
-
Slow RPC response: Simulate slow RPC (use network throttling)
- Expected: Transaction should timeout after reasonable time (30-60s), error shown
- Risk: UI stuck forever, user doesn't know transaction status
-
Transaction stuck in mempool: Transaction sent but never confirmed
- Expected: Timeout after 5 minutes, show transaction hash, allow retry
- Risk: User thinks transaction failed, but it's actually pending
Manual Test Steps:
- Use browser DevTools to throttle network to "Slow 3G"
- Submit a transaction
- Verify timeout handling and error messages
Test Cases:
-
Multiple simultaneous API calls: Load score, loans, staking info at same time
- Expected: All requests complete, no state corruption
- Risk: Last response overwrites earlier ones, wrong data shown
-
Component unmount during async: Navigate away while data is loading
- Expected: Requests cancelled, no memory leaks, no errors in console
- Risk: State updates on unmounted component, React warnings
Manual Test Steps:
- Connect wallet
- Rapidly navigate between Dashboard, Portfolio, Loans pages
- Check console for errors and warnings
Test Cases:
-
Negative amounts: Enter negative number for staking amount
- Expected: Validation error, transaction blocked
- Risk: Transaction might succeed with wrong amount
-
Zero amounts: Enter 0 for staking/loan amounts
- Expected: Validation error or clear message
- Risk: Transaction succeeds but does nothing
-
Extremely large amounts: Enter amount larger than balance
- Expected: Error before transaction, "Insufficient balance" message
- Risk: Transaction fails after user approval, wasted gas
-
Invalid characters: Enter non-numeric characters in amount fields
- Expected: Input rejected or sanitized
- Risk:
parseEtherthrows error, UI breaks
Manual Test Steps:
- Try to stake:
-100,0,999999999999,abc,1.5.5 - Verify validation and error messages
Test Cases:
-
Invalid signature format: Backend returns malformed signature
- Expected: Error caught, clear message to user
- Risk: Transaction sent with invalid signature, fails on-chain
-
Expired offer: Use old loan offer with expired timestamp
- Expected: Transaction should fail on-chain, error shown
- Risk: Old offer accepted, wrong terms
-
Signature for wrong network: Use testnet signature on mainnet
- Expected: Transaction fails, error shown
- Risk: Signature validation passes but wrong chain
Manual Test Steps:
- Generate loan offer
- Wait 5+ minutes (if expiry is short)
- Try to accept offer
- Verify expiry handling
Test Cases:
-
Very large amounts: Amounts that exceed JavaScript number precision
- Expected: BigInt used correctly, no precision loss
- Risk: Amounts rounded incorrectly, wrong transaction values
-
formatOffer division: ChatConsole divides by 1e18 (line 108-111)
- Expected: Handles BigInt correctly, no precision loss
- Risk: Amounts displayed incorrectly in UI
Manual Test Steps:
- Request loan for very large amount (e.g., 1e20 wei)
- Verify amounts displayed correctly in chat offer
- Verify transaction uses correct amount
Test Cases:
-
Primary RPC down: Disable primary RPC endpoint
- Expected: Automatic failover to backup RPC, no user-visible error
- Risk: All requests fail, app unusable
-
All RPCs down: Disable all RPC endpoints
- Expected: Clear error message, retry button
- Risk: Silent failures, confusing UX
Manual Test Steps:
- Block primary RPC in browser DevTools
- Try to load score or submit transaction
- Verify failover works
Test Cases:
-
Reload during transaction: Refresh page while transaction is pending
- Expected: Transaction continues in background, user can check status
- Risk: Transaction state lost, user doesn't know if it succeeded
-
Reload after network switch: Page auto-reloads on chain change
- Expected: Reload happens cleanly, no errors
- Risk: Reload during transaction, state corruption
Manual Test Steps:
- Submit transaction
- Immediately refresh page
- Check if transaction status is preserved
Test Cases:
-
RPC errors: Check all RPC error messages are user-friendly
- Expected: "Network error, please try again" not "ECONNREFUSED"
- Risk: Users confused by technical errors
-
Transaction failures: Check revert reasons are displayed
- Expected: "Insufficient balance" not "execution reverted"
- Risk: Users don't know why transaction failed
Manual Test Steps:
- Submit transaction with insufficient balance
- Verify error message is clear and actionable
Test Cases:
-
Loading indicators: All async operations show loading state
- Expected: Button disabled, spinner shown, text indicates action
- Risk: Users click multiple times, unclear if action is processing
-
Loading state cleanup: Loading state cleared on error
- Expected: Button re-enabled, spinner hidden, error shown
- Risk: UI stuck in loading state forever
Manual Test Steps:
- Submit transaction
- Cancel in MetaMask
- Verify loading state is cleared
Test Cases:
-
Database connection lost: Stop PostgreSQL
- Expected: Graceful error, 500 with clear message
- Risk: Unhandled exception, app crashes
-
RPC connection lost: Backend can't connect to blockchain
- Expected: Error logged, fallback RPC used, or clear error returned
- Risk: Silent failures, wrong data returned
Manual Test Steps:
- Stop backend database
- Try to generate score
- Verify error handling
Test Cases:
- Rapid API calls: Send 100 requests in 1 second
- Expected: Rate limit enforced, 429 errors returned
- Risk: Backend overloaded, DoS vulnerability
Manual Test Steps:
- Use browser console to send rapid API requests
- Verify rate limiting works
Test Cases:
-
SQL injection: Try SQL in address field (shouldn't work, but verify)
- Expected: Input sanitized, no SQL execution
- Risk: Database compromise
-
XSS attacks: Try script tags in chat messages
- Expected: Input sanitized, scripts not executed
- Risk: XSS vulnerability
-
Invalid addresses: Try non-address strings
- Expected: Validation error, request rejected
- Risk: Backend errors, data corruption
Manual Test Steps:
- Try to send chat message:
<script>alert('xss')</script> - Try to use address:
'; DROP TABLE users; -- - Verify sanitization
Test Cases:
- Reuse old signatures: Try to use signature from old offer
- Expected: Transaction fails (nonce/expiry check)
- Risk: Old offers accepted, wrong terms
Manual Test Steps:
- Generate loan offer (note signature)
- Generate new offer
- Try to use old signature with new offer
- Verify rejection
Date: _______________ Tester: _______________ Environment: Testnet / Mainnet (circle one)
| Test # | Status | Notes | Critical Issues Found |
|---|---|---|---|
| 1.1 | ⬜ Pass / ⬜ Fail | ||
| 1.2 | ⬜ Pass / ⬜ Fail | ||
| 1.3 | ⬜ Pass / ⬜ Fail | ||
| 2.1 | ⬜ Pass / ⬜ Fail | ||
| 2.2 | ⬜ Pass / ⬜ Fail | ||
| 2.3 | ⬜ Pass / ⬜ Fail | ||
| ... | ... | ... | ... |
List any critical issues discovered during testing:
All critical tests passed: ⬜ Yes / ⬜ No
Ready for mainnet: ⬜ Yes / ⬜ No