test(l1): add fuzzing tests and security workflows

[ManuelBilbao]

Motivation

Add more tests

Description

Add a fuzzing toolset that tests precompiles, trie, rlp, encoding/decoding.
Also added workflows to run the fuzzing tests and security checks

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

License Issues

tooling/Cargo.lock

Package	Version	License	Issue Type
libfuzzer-sys	0.4.10	(MIT OR Apache-2.0) AND NCSA	Incompatible License

Allowed Licenses:

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, Zlib, MPL-2.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 9 security policy file detected
actions/actions/upload-artifact	4.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits
actions/github/codeql-action/upload-sarif	3.*.*	Unknown	Unknown
cargo/arbitrary	1.4.2	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 8 Found 12/14 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/derive_arbitrary	1.4.2	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 8 Found 12/14 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/libfuzzer-sys	0.4.10	🟢 5.2	Details Check Score Reason Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/arbitrary	>= 1.0.0, < 2.0.0	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 8 Found 12/14 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/bytes	>= 1.6.0, < 2.0.0	🟢 6.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 7 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/ethereum-types	>= 0.15.1, < 0.16.0	🟢 6.6	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 20/22 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/libfuzzer-sys	>= 0.4.0, < 0.5.0	🟢 5.2	Details Check Score Reason Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/security.yaml
• crates/common/trie/Cargo.toml
• tooling/Cargo.lock
• tooling/fuzz/Cargo.toml

[Copilot]

Pull request overview

This pull request adds a comprehensive fuzzing infrastructure to ethrex, including fuzz targets for critical components and security-focused CI/CD workflows. The changes enhance the project's security posture through systematic testing of precompiles, RLP encoding/decoding, trie operations, and transaction/block parsing.

Key Changes:

• Added 11 fuzz targets covering RLP, trie, transactions, blocks, and all EVM precompiles (including BN254 and BLS12-381)
• Integrated property-based tests using proptest for RLP encode/decode roundtrip validation
• Added security workflows for dependency auditing, license checking, and unsafe code analysis
• Fixed Ethereum trie semantics to properly handle empty values in leaf nodes

Reviewed changes

Copilot reviewed 26 out of 28 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
tooling/fuzz/Cargo.toml	Defines fuzzing package with 11 binary targets for different fuzzing scenarios
tooling/fuzz/.gitignore	Excludes fuzzing artifacts, corpus, and crash reports from version control
tooling/fuzz/README.md	Comprehensive documentation for running and managing fuzz targets
tooling/fuzz/fuzzers/*.rs	Fuzz targets for RLP, trie, transactions, blocks, and precompiles
tooling/Cargo.toml	Added fuzz package to workspace members
crates/common/trie/node/leaf.rs	Fixed empty value handling to match Ethereum trie semantics
crates/common/rlp/encode.rs	Added property-based roundtrip tests for RLP encoding
crates/common/rlp/decode.rs	Added property-based robustness tests for RLP decoding
Cargo.toml	Added testing dependencies (proptest, arbitrary, test-strategy)
deny.toml	Configuration for cargo-deny security and license checks
.github/workflows/security.yaml	Workflow for security audits, dependency checks, and unsafe code analysis
.github/workflows/fuzz.yaml	Weekly fuzzing runs and manual trigger support for all fuzz targets
.github/workflows/pr_proptest.yaml	Property tests for RLP and trie on relevant PRs
.github/workflows/pr_dependency_review.yaml	Dependency review for PRs modifying Cargo files

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Lines of code report

Total lines added: 1329
Total lines removed: 0
Total lines changed: 1329

Detailed view

+-----------------------------------------------------+-------+------+
| File                                                | Lines | Diff |
+-----------------------------------------------------+-------+------+
| ethrex/crates/common/rlp/decode.rs                  | 768   | +114 |
+-----------------------------------------------------+-------+------+
| ethrex/crates/common/rlp/encode.rs                  | 964   | +183 |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/block_decode.rs         | 7     | +7   |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/block_header_decode.rs  | 16    | +16  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/precompile_all.rs       | 55    | +55  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/precompile_bls12_381.rs | 411   | +411 |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/precompile_bn254.rs     | 168   | +168 |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/precompile_ecrecover.rs | 45    | +45  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/precompile_modexp.rs    | 84    | +84  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/rlp_decode.rs           | 26    | +26  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/rlp_roundtrip.rs        | 122   | +122 |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/transaction_decode.rs   | 34    | +34  |
+-----------------------------------------------------+-------+------+
| ethrex/tooling/fuzz/fuzzers/trie_operations.rs      | 64    | +64  |
+-----------------------------------------------------+-------+------+

[iovoid]

Why attempt to decode twice for each type? (L22-26, and here)

[iovoid]

This should probably be set somewhere above the EIP-7825 cap.

[iovoid]

We should probably use the same gas limit for all tests.