
Fuzzing Bitcoin Core

Automated bug-hunting that keeps the most critical open-source software safe

WHAT IS FUZZING
Feed random and mutated inputs to software, looking for crashes, assertion failures, and memory errors. Coverage-guided fuzzers like libFuzzer track which code paths get exercised and mutate towards unexplored branches. It's probabilistic — 5,000 hours may find nothing, but the next 5,000 might uncover a critical bug.
244 live harnesses
24/7 continuous fuzzing
35+ bugs found (bitcoinfuzz)
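As an added illustration of the coverage-guided loop described above (example code, not from Bitcoin Core, libFuzzer or any project named on this page), a toy mutational fuzzer in Python: the target parser, the use of the network magic as a prefix, the zero-byte seed and the assertion it trips are all constructed for the demo, and each recorded branch stands in for the edge coverage an instrumented build reports.

```python
import random
# Constructed toy target (not Bitcoin Core code): checks a 4-byte network magic, reads a
# one-byte CompactSize length and asserts an invariant. Each branch records a coverage
# point, standing in for the edge counters an instrumented libFuzzer build collects.
MAGIC = b"\xf9\xbe\xb4\xd9"  # Bitcoin mainnet P2P magic, used here only as a fixed prefix
_coverage: set = set()

def parse_message(data: bytes) -> int:
    for i, b in enumerate(MAGIC):  # one branch per magic byte, so progress is gradual
        if i >= len(data) or data[i] != b:
            return -1
        _coverage.add(("magic", i))
    if len(data) < 5 or data[4] >= 0xFD:  # only the single-byte CompactSize form here
        return -1
    n, payload = data[4], data[5:5 + data[4]]
    if len(payload) != n: _coverage.add("short"); return -1
    _coverage.add("full")
    # Constructed bug: an internal invariant that a crafted message can violate
    assert not (n >= 2 and payload[0] == payload[1]), "invariant violated"
    return n

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf, op = bytearray(data), rng.randrange(3)
    if op == 0 and buf:  # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:  # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:  # insert one byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(seed: bytes, budget: int, rng: random.Random, guided: bool = True):
    """Return (crash_or_None, iterations, coverage_seen); guided mode keeps new-coverage inputs."""
    corpus, seen = [seed], set()
    for it in range(1, budget + 1):
        child = mutate(rng.choice(corpus), rng)  # unguided: the seed alone is mutated
        _coverage.clear()
        try:
            parse_message(child)
        except AssertionError:  # the crash a sanitizer-instrumented build would report
            return child, it, len(seen)
        new_edges = not _coverage <= seen
        seen |= _coverage
        if guided and new_edges:  # new branch reached: keep the input as a parent
            corpus.append(child)
    return None, budget, len(seen)

def run_demo(budget: int = 300_000, rng_seed: int = 1):
    seed = bytes(8)  # constructed seed: eight zero bytes, nowhere near a valid message
    return (fuzz(seed, budget, random.Random(rng_seed), True),
            fuzz(seed, budget, random.Random(rng_seed), False))
```

With the same seed and budget, the guided run reaches the assertion while the unguided run exhausts its budget having only ever matched the first magic byte, since no single mutation of the seed gets further.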
THE INFRASTRUCTURE
OSS-Fuzz (Google) runs libFuzzer, AFL, and Honggfuzz continuously with multiple sanitisers (ASan, MSan, UBSan). Brink funds and develops dedicated fuzzing infrastructure and research around Bitcoin Core and related projects. Shared seed corpora are coordinated via the qa-assets repo. Targets cover deserialization, P2P messages, script evaluation, tx validation, AddrMan, BIP324, bloom filters, compact blocks, and wallet descriptors.

Bugs Found by Fuzzing

CVE-2024-35202 — COMPACT BLOCK CRASH
Found by dergoegge. A crafted blocktxn message triggers FillBlock() twice, causing an assertion failure and remote node crash. State wasn't properly cleared after collision detection in compact block reconstruction. Affected all versions before v25.0 — 13.7% of nodes were still vulnerable at disclosure.
BITCOINFUZZ — DIFFERENTIAL FUZZING
Compares behaviour of multiple Bitcoin implementations: Bitcoin Core, btcd, rust-bitcoin, rust-miniscript, Embit, Core Lightning, LND. Has found 35+ bugs across these projects. Discrepancies between Lightning implementations have driven clarifications to the LN spec itself.
THE FUZZOR DASHBOARD
Niklas Gögge's live dashboard visualises fuzzing activity, coverage metrics, and progress across Bitcoin's 244 live harnesses and hundreds of active campaigns. A window into the automated bug-hunting that runs 24/7 behind the scenes.

Fuzzamoto — Next-Gen Fuzzing

Fuzzing full node daemons through their external interfaces

THE LIMITATION OF TRADITIONAL FUZZING
Traditional fuzz harnesses test isolated components (a single function or module). They miss bugs that emerge from complex interactions between subsystems during real protocol operation.
1. Full-daemon fuzzing: Fuzzamoto fuzzes bitcoind, btcd, and other full nodes through their P2P and RPC interfaces, testing the whole system rather than isolated functions.
2. VM snapshot fuzzing: Target nodes run in a special VM that can snapshot all state and quickly reset, avoiding expensive state setup/teardown on each iteration.
3. Cross-implementation comparison: The same tests can target different implementations and compare their behaviour (Bitcoin Core vs btcd vs libbitcoin).
SECURITY AUDITOR VERDICT
Quarkslab's security audit called Fuzzamoto "likely the most valuable path to pursue in order to trigger deeper and more complex bugs." It has already discovered serious bugs that no existing test would have caught.