Deep Fuzz: Masternode List Deterministic Diffs

[thepastaclaw]

Deep Fuzz: Masternode List Deterministic Diffs

Parent: Fuzzing initiative (mega PR on ci/fuzz-regression)

Goal

Fuzz the deterministic masternode list diff computation — the mechanism SPV/light clients use to sync the MN list. An error here means light clients see a different MN list than full nodes, which is a consensus split for LLMQ-based features (ChainLocks, InstantSend).

Attack Surface

• CDeterministicMNManager::GetListDiffForBlock() — computes diffs between MN list states
• CDeterministicMNList::ApplyDiff() — applies diffs to reconstruct lists
• CSimplifiedMNListDiff serialization/deserialization — what goes over the wire
• ProRegTx/ProUpServTx/ProUpRegTx/ProUpRevTx application to the MN list

Harness Design

1. Initialize TestingSetup with a small deterministic MN list (10-20 masternodes)
2. Use FuzzedDataProvider to generate sequences of ProReg/ProUpServ/ProUpReg/ProUpRev transactions
3. Apply each transaction to the MN list, compute diff, apply diff to a second list
4. Assert both lists match (roundtrip consistency)
5. Also fuzz CSimplifiedMNListDiff deserialization with structured inputs

Corpus Strategy

• Chain data: Extract ProRegTx, ProUpServTx, ProUpRegTx, ProUpRevTx from mainnet (thousands available)
• Simulated: Construct valid MN registration sequences with known keys, then apply update/revoke sequences. Vary: operator key rotations, service address changes, payout address changes, revocation reasons
• Diff roundtrip: Serialize a known MN list state, compute diff, serialize diff, deserialize, apply — verify consistency

Checklist

• Study MN list management in src/evo/deterministicmns.cpp
• Study simplified MN list diff in src/evo/simplifiedmns.cpp
• Design harness with initial MN list population
• Extract ProReg/ProUp* TXs from mainnet for corpus
• Build structured MN operation sequence generator
• Write harness with diff roundtrip assertion
• Add to ci/fuzz-regression branch
• Push corpus to thepastaclaw/qa-assets

[thepastaclaw]

Starting work on tracker-335. Studying the codebase and existing fuzz targets.

Existing coverage found:

• deterministic_mn_list_diff.cpp — already has BuildDiff/ApplyDiff roundtrip harness
• deserialize_dash.cpp — deser targets for CSimplifiedMNListEntry, CGetSimplifiedMNListDiff, CSimplifiedMNListDiff
• roundtrip_dash.cpp — ser/deser roundtrip for all three

Work plan:

1. Enhance deterministic_mn_list_diff.cpp — expand state mutations from 4 fields to all 19 (operator key, voting key, service addr, payout, platform fields, revocation, etc.) + add Evo MN type
2. Create new simplified_mn_list_diff.cpp — structured fuzzer that builds CSimplifiedMNListDiff from deterministic list, tests application/reconstruction
3. Generate corpus seeds for both targets

Working in worktree worktrees/tracker-335 on branch fuzz/mn-list-diffs (based on origin/ci/fuzz-regression).

[thepastaclaw]

Work Complete

Branch: fuzz/mn-list-diffs on thepastaclaw/dash (based on origin/ci/fuzz-regression)
Commits: 2

Changes

1. test(fuzz): expand deterministic MN list diff state mutations (e75faf3af6)

File: src/test/fuzz/deterministic_mn_list_diff.cpp

Expanded state mutation coverage from 4 fields to 16:

• case 4: BLS operator key rotation (pubKeyOperator + nVersion)
• case 5: Voting key changes (keyIDVoting)
• case 6: Network info updates (netInfo)
• case 7: Payout script changes (scriptPayout)
• case 8: Operator payout script changes (scriptOperatorPayout)
• case 9: Revocation reasons (nRevocationReason)
• case 10: PoSe revive (nPoSeRevivedHeight)
• case 11: PoSe ban (BanIfNotBanned)
• case 12-14: Platform fields (platformNodeID, platformP2PPort, platformHTTPPort)
• case 15: Registration height (nRegisteredHeight)

Also added Evo MN type support — MakeMasternode() now accepts MnType parameter, and the fuzz loop randomly creates Regular or Evo masternodes.

2. test(fuzz): add simplified MN list diff structured fuzzer (1f7e520b61)

Files: src/test/fuzz/simplified_mn_list_diff.cpp (new), src/Makefile.test.include

New fuzz target for CSimplifiedMNListDiff — the P2P wire format light clients use. The harness:

1. Builds two deterministic MN lists with fuzz-driven operations
2. Constructs a CSimplifiedMNListDiff from the delta (deleted MNs + new/updated simplified entries)
3. Serializes → deserializes and verifies all fields match (roundtrip consistency)
4. Tests crash resistance with random byte deserialization

Build Verification

Both .o files compiled successfully with:

CC=clang CXX=clang++ ./configure --enable-fuzz --with-sanitizers=address,undefined --enable-suppress-external-warnings
make -C src -j8 test/fuzz/fuzz-deterministic_mn_list_diff.o test/fuzz/fuzz-simplified_mn_list_diff.o

(Full link with --with-sanitizers=address,fuzzer,undefined requires CI — local Apple clang doesn't support -fsanitize=fuzzer directly.)

Remaining from checklist

• Extract ProReg/ProUp* TXs from mainnet for corpus → requires mainnet chain data, deferred to corpus push phase
• Push corpus to thepastaclaw/qa-assets → deferred (needs generated seeds from actual fuzzer runs)

[thepastaclaw]

Reviewed and pushed to ci/fuzz-regression branch (PR dashpay/dash#7173). 2 commits: expanded state mutations (16 cases + Evo MN support) and new simplified_mn_list_diff structured fuzzer.