test(forge): add verification test for bytecode mismatch with incorrect source code

Author: Jds-23

crates/forge/tests/cli/verify_bytecode.rs

@@ -144,6 +144,60 @@ fn test_verify_bytecode_with_ignore(
         );
     }
 }
+
+#[expect(clippy::too_many_arguments)]
+fn test_verify_bytecode_mismatch(
+    prj: TestProject,
+    mut cmd: TestCommand,
+    addr: &str,
+    contract_name: &str,
+    source_code: &str,
+    config: Config,
+    verifier: &str,
+    verifier_url: &str,
+) {
+    let etherscan_key = next_etherscan_api_key();
+    let rpc_url = next_http_archive_rpc_url();
+
+    // Fetch real source code
+    let real_source = cmd
+        .cast_fuse()
+        .args(["source", addr, "--flatten", "--etherscan-api-key", &etherscan_key])
+        .assert_success()
+        .get_output()
+        .stdout_lossy();
+
+    prj.add_source(contract_name, &real_source);
+    prj.write_config(config);
+    // Build once with correct source (creates cache)
+    cmd.forge_fuse().arg("build").assert_success();
+
+    // Now replace with different incorrect source code
+    prj.add_source(contract_name, source_code);
+    let args = vec![
+        "verify-bytecode",
+        addr,
+        contract_name,
+        "--etherscan-api-key",
+        &etherscan_key,
+        "--verifier",
+        verifier,
+        "--verifier-url",
+        verifier_url,
+        "--rpc-url",
+        &rpc_url,
+    ];
+    let output = cmd.forge_fuse().args(args).assert_success().get_output().stderr_lossy();
+
+    // Verify that bytecode does NOT match (recompiled with incorrect source)
+    assert!(
+        output.contains(format!("Error: Creation code did not match").as_str()),
+    );
+    assert!(
+        output.contains(format!("Error: Runtime code did not match").as_str()),
+    );
+}
+
 forgetest_async!(can_verify_bytecode_no_metadata, |prj, cmd| {
     test_verify_bytecode(
         prj,
@@ -296,6 +350,37 @@ forgetest_async!(can_ignore_runtime, |prj, cmd| {
     );
 });
 
+// Test that verification fails when source code doesn't match deployed bytecode
+forgetest_async!(can_verify_bytecode_fails_on_source_mismatch, |prj, cmd| {
+    let modified_source = r#"
+contract SystemConfig {
+    uint256 public constant MODIFIED_VALUE = 999;
+
+    function someFunction() public pure returns (uint256) {
+        return MODIFIED_VALUE;
+    }
+}
+"#;
+
+    test_verify_bytecode_mismatch(
+        prj,
+        cmd,
+        "0xba2492e52F45651B60B8B38d4Ea5E2390C64Ffb1",
+        "SystemConfig",
+        modified_source,
+        Config {
+            evm_version: EvmVersion::London,
+            optimizer_runs: Some(999999),
+            optimizer: Some(true),
+            cbor_metadata: false,
+            bytecode_hash: BytecodeHash::None,
+            ..Default::default()
+        },
+        "etherscan",
+        "https://api.etherscan.io/v2/api?chainid=1",
+    );
+});
+
 // Test predeploy contracts
 // TODO: Add test utils for base such as basescan keys and alchemy keys.
 // WETH9 Predeploy