Dash Core Fuzzing Initiative — comprehensive fuzzing for all Dash-specific code

[thepastaclaw]

Dash Core Fuzzing Initiative — Epic Tracker

Goal: Comprehensive fuzzing coverage for all Dash-specific code. Currently 106 fuzz targets exist — all inherited from Bitcoin Core. Zero Dash-specific coverage across ~24,000 lines of consensus-critical code.

Full plan: ~/Projects/dash/FUZZING_PLAN.md

---

Sub-Issues

Phase 0: Prerequisites

• [CI] dashpay/dash#7161 — CDeterministicMN deleted constructor in fuzz target #109 — Fix CDeterministicMN deleted constructor in fuzz target → dashpay/dash#7161

Phase 1: Deserialization Fuzz Targets ✅

• Fuzz: build + run all Phase 1 deserialization targets #110 — Build + run all 43 deserialization targets — ✅ ALL PASS (0 crashes, 62.7M executions, 60s each, ASan+UBSan)
• Fuzz: triage + fix crashes from Phase 1 run #111 — Triage crashes — N/A, no crashes found
• PR: dashpay/dash#7161 — CI green, CodeRabbit feedback addressed, awaiting human review

Phase 2: Roundtrip (Serialize↔Deserialize) Fuzzing ✅

• Fuzz: Phase 2 — roundtrip serialize/deserialize targets #112 — Roundtrip consistency tests for all Phase 1 types
• PR: dashpay/dash#7162 — open, found CQuorumSnapshot serialization bug (fixed in commit 677f6aa86b)

Phase 3: Functional Fuzz Targets ✅

• Fuzz: BLS operations and IES encryption targets (Phase 3) #135 — BLS operations + IES encryption → dashpay/dash#7167
• Governance object parsing → dashpay/dash#7166
• Special transaction validation (CheckSpecialTx()) → dashpay/dash#7169
• Masternode list processing (CDeterministicMNManager with fuzzed diffs) → dashpay/dash#7170
• LLMQ message processing (commitment validation, DKG handling) → dashpay/dash#7172
• CoinJoin validation (denominations, queue, broadcast tx, entry, status) → dashpay/dash#7174
• Fuzz: asset lock/unlock validation targets #136 — Credit pool (asset lock/unlock validation) → dashpay/dash#7168

Phase 4: P2P Message Fuzzing ✅

• Dash-specific process_message targets (mnauth, qfcommit, qsigshare, clsig, islock, govobj, dsq, etc.) → dashpay/dash#7171

Phase 5-7: Infrastructure

• CI fuzz regression testing → dashpay/dash#7173 (tracker Fuzz: continuous fuzzing daemon + corpus + CI regression #169)
• Refactoring for fuzzability (extract pure functions where needed) → branch fuzz/tracker-108-refactor-fuzzability (commit 31f727568b)
• Corpus development (deterministic generator + manifest + docs) → branch tracker-108-oss-fuzz (commits 7dd416824f, 18a4209f92)
• OSS-Fuzz integration consideration (templates + build wrapper + docs) → branch tracker-108-oss-fuzz (commit 120e579af3)

---

Status

• Phase 0: ✅ Complete
• Phase 1: ✅ Complete — 43 deserialization targets, all pass clean (62.7M executions, 0 crashes)
• Phase 2: ✅ Complete — roundtrip targets, found + fixed CQuorumSnapshot serialization bug
• Phase 3: ✅ Complete — 7 functional target PRs covering BLS, governance, special TX, MN list, LLMQ, CoinJoin, credit pool
• Phase 4: ✅ Complete — Dash-specific process_message target covering 41 message types
• Phase 5-7: ✅ Complete — CI regression, corpus tooling, OSS-Fuzz scaffolding, and refactoring-for-fuzzability delivered
• Bugs found: 2 (CQuorumSnapshot serialization, CoinJoin IsTimeOutOfBounds signed overflow UB)
• Total new fuzz targets: ~60+ across all PRs
• PRs: #7161, #7162, #7166, #7167, #7168, #7169, #7170, #7171, #7172, #7173, #7174

[thepastaclaw]

Orphan recovery: issue was in-progress but no active worker found. Moving back to pending.

[thepastaclaw]

Phase 1 complete — PR opened: dashpay/dash#7161

42 deserialization fuzz targets for Dash-specific types across evo/ (16), llmq/ (12), governance/ (6), bls/ (2), and coinjoin/ (5).

Waiting on CI to confirm compilation in the linux64_fuzz configuration.

[thepastaclaw]

Done: dashpay/dash#7161

[thepastaclaw]

Reopening as mega tracker per Pasta. This stays open as the parent epic — individual work items get their own sub-issues linked here.