Zebra Coverage-Guided Fuzzing Infrastructure

robustfengbin · March 16, 2026, 12:32am

Hello everyone,

I am submitting a proposal to Zcash Community Grants (ZCG) to build a coverage-guided fuzzing infrastructure for Zebra, the Zcash Foundation’s Rust consensus node implementation.

This project focuses on systematically testing Zebra’s critical parsing, networking, and cryptographic components against malformed inputs, enabling continuous, automated discovery of security vulnerabilities and edge-case bugs.

Why This Matters

Zebra currently has zero fuzzing coverage. There are no fuzz targets, no cargo-fuzz configuration, and no OSS-Fuzz registration. After NU7, Zebra becomes the sole consensus node for the entire Zcash network. Any exploitable parsing or validation bug could compromise the network’s security and user funds.

For comparison, Bitcoin Core maintains a mature fuzzing infrastructure with over 100 fuzz targets and continuous OSS-Fuzz integration. Zcash, as a privacy-focused cryptocurrency, arguably requires even more rigorous testing, yet has none.

Project Overview

This proposal introduces a complete fuzzing infrastructure for Zebra that includes:

Fuzz targets for all major attack surfaces: transaction and block deserialization, P2P protocol parsing, RPC input handling, script and address parsing, note commitment tree operations, and Equihash verification
Seed corpora extracted from Zcash mainnet real data
CI integration with PR-level smoke fuzzing and nightly extended fuzzing campaigns via GitHub Actions
OSS-Fuzz submission, enrolling Zebra in Google’s continuous fuzzing service for 24/7 automated testing
Security reporting with structured crash triage, severity classification, reproduction steps, and fix recommendations

Technical Approach

The infrastructure is built on cargo-fuzz with the libFuzzer backend. For complex inputs, the arbitrary crate enables structured fuzzing. All targets run with AddressSanitizer and UndefinedBehaviorSanitizer for maximum bug detection.

Fuzz targets are prioritized by attack surface:

P0 (Critical): Transaction deserialization (v1 through v5+), block and header parsing, P2P message parsing
P1 (High): RPC input handling, script and address parsing, note commitment tree operations
P2 (Medium): Equihash verification, Orchard and Sapling serialization

Deliverables and Milestones

The proposal is structured into three milestones over 6 months:

Core Fuzzing Framework and Initial Targets — zebra-fuzz crate, 3+ fuzz targets for critical deserialization code, seed corpora from mainnet
Extended Targets, Corpus Optimization and CI — 7+ total fuzz targets, corpus minimization, GitHub Actions CI integration, coverage reporting
Security Analysis, OSS-Fuzz and Documentation — crash analysis report, OSS-Fuzz submission PR, documentation for community contributors, upstream PRs to Zebra

Budget

Startup Funding: $3,000 (infrastructure setup)
Milestones 1 through 3: $27,000 (engineering work)
Total: $30,000

Design Principles

Standalone: independent crate, no modifications to Zebra core code required
Sustainable: OSS-Fuzz integration ensures fuzzing continues indefinitely after project completion
Community-oriented: documentation enables anyone to add new fuzz targets as Zebra evolves

Full proposal details are available here:

github.com/ZcashCommunityGrants/zcashcommunitygrants

Zebra Coverage-Guided Fuzzing Infrastructure

opened 06:58AM - 15 Mar 26 UTC

robustfengbin

### Terms and Conditions - [x] I agree to the [Grant Agreement](https://9ba4718…c-5c73-47c3-a024-4fc4e5278803.usrfiles.com/ugd/9ba471_f81ef4e4b5f040038350270590eb2e42.pdf) terms if funded - [x] I agree to [Provide KYC information](https://9ba4718c-5c73-47c3-a024-4fc4e5278803.usrfiles.com/ugd/9ba471_7d9e73d16b584a61bae92282b208efc4.pdf) if funded above $50,000 USD - [x] I agree to disclose conflicts of interest - [x] I agree to adhere to the [Code of Conduct](https://forum.zcashcommunity.com/t/zcg-code-of-conduct/41787) and [Communication Guidelines](https://forum.zcashcommunity.com/t/zcg-communication-guidelines/44284) - [x] I understand all milestone deliverables will be validated and accepted by their intended users or their representatives, who will confirm that the deliverables meet the required quality, functionality, and usability for each user story. - [x] I agree that for any new open-source software, I will create a `CONTRIBUTING.md` file that reflects the high standards of Zcash development, using the [`librustzcash` style guides](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#styleguides) as a primary reference. - [x] I understand when contributing to existing Zcash code, I am required to adhere to the project specific contribution guidelines, paying close attention to any [merge](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#merge-workflow), [branch](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#branch-history), [pull request](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#pull-request-review), and [commit](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#commit-messages) guidelines as exemplified in the `librustzcash` repository. - [x] I agree to post request details on the [Community Forum](https://forum.zcashcommunity.com/c/grants/33) - [x] I understand it is my responsibility to post a link to this issue on the [Zcash Community Forums](https://forum.zcashcommunity.com/c/grants/33) after this application has been submitted so the community can give input. I understand this is required in order for ZCG to discuss and vote on this grant application. ### Application Owners (@Octocat, @Octocat1) robustfengbin ### Organization Name Independent Developer ### How did you learn about Zcash Community Grants The Zcash Community Forum, GitHub ### Requested Grant Amount (USD) 30000 ### Category Research & Development ### Project Lead ```project-lead.yaml Name: robust Role: Project Lead Background: Senior software engineer with over 15 years of experience building production-grade backend systems and developer tooling. Strong background in Rust, distributed systems, and blockchain infrastructure. Solid working knowledge of the Zcash protocol stack and practical experience with the Zebra node architecture. Responsibilities: - Overall project ownership and technical direction - System architecture and core fuzz target design decisions - Crash triage, severity assessment, and security analysis - Review and acceptance of all milestone deliverables - Coordination with Zcash Community Grants reviewers and community stakeholders ``` ### Additional Team Members ```team-members.yaml - Name: aic-larry Role: Rust Engineer Background: Experienced Rust developer with strong focus on systems programming, security testing, and fuzzing methodologies. Prior experience building coverage-guided fuzz testing infrastructure for Rust projects. Responsibilities: - Fuzz target implementation and harness development - Seed corpus extraction and corpus management - CI/CD integration and GitHub Actions workflow configuration - OSS-Fuzz project submission and integration - Writing unit tests, performance benchmarks, and documentation ``` ### Project Summary Build a comprehensive coverage-guided fuzzing infrastructure for Zebra, the Zcash Foundation's consensus node implementation. This project will create systematic fuzz targets for Zebra's critical parsing, networking, and cryptographic components, integrate them into CI, and submit the project to Google's OSS-Fuzz for continuous automated fuzzing. ### Project Description Zebra is the sole consensus node implementation for the Zcash network post-NU7. Despite this critical role, Zebra currently has zero fuzzing infrastructure — no `fuzz/` directory, no `cargo-fuzz` integration, and no presence in Google's OSS-Fuzz program. This project delivers a production-ready fuzzing infrastructure covering Zebra's most security-sensitive components: - **Transaction & Block deserialization** — the primary attack surface for any blockchain node - **P2P network protocol message parsing** — exposed to untrusted network input - **RPC interface input handling** — external-facing API surface - **Script and address parsing** — complex format validation logic - **Note commitment tree operations** — critical to shielded transaction integrity - **Equihash proof-of-work verification** — consensus-critical validation - **Orchard/Sapling serialization** — privacy-layer data handling The infrastructure uses `cargo-fuzz` with the libFuzzer backend for coverage-guided fuzzing, includes corpus management, CI integration via GitHub Actions, and a structured crash triage and reporting workflow. ### Proposed Problem Zebra has no systematic fuzzing, despite being the only Zcash consensus node after NU7. Key concerns: 1. Zero fuzzing coverage: Zebra's repository contains no fuzz targets, no `cargo-fuzz` configuration, and the project is not registered with OSS-Fuzz. A `grep` for `fuzz` in the codebase confirms the complete absence of fuzzing infrastructure. 2. Single point of failure: After NU7, Zebra becomes the sole consensus node for the entire Zcash network. Any exploitable parsing or validation bug could compromise the network's security and user funds. 3. Industry standard gap: Bitcoin Core maintains a mature fuzzing infrastructure with 100+ fuzz targets and continuous OSS-Fuzz integration. Zcash, as a privacy-focused cryptocurrency handling shielded transactions, arguably requires *more* rigorous testing — yet has none. 4. Complementary to audits: Least Authority has conducted code audits of Zebra, but audits and fuzzing serve fundamentally different purposes. Audits are point-in-time human reviews; fuzzing provides continuous, automated discovery of edge cases that human reviewers miss. These approaches are complementary, not redundant. 5. ZCG priority alignment: The ZCG Wishlist explicitly includes "Audits for updated Zcash software." Fuzzing is the most cost-effective form of continuous security testing and directly supports this priority. ### Proposed Solution A systematic, coverage-guided fuzzing infrastructure for Zebra that: 1. Targets high-risk attack surfaces — Prioritizes components that process untrusted input: deserialization, network protocol parsing, and RPC handling. 2. Uses industry-standard tooling — Built on `cargo-fuzz` (libFuzzer backend), the de facto standard for Rust fuzzing, ensuring compatibility with the broader ecosystem. 3. Manages corpora intelligently — Seeds initial corpora from real network data (valid transactions, blocks, protocol messages) and accumulates coverage-expanding inputs over time. 4. Integrates into CI — GitHub Actions workflows run fuzzing on every PR and perform extended nightly fuzzing runs, catching regressions before they reach production. 5. Submits to OSS-Fuzz — Google's free, continuous fuzzing service will provide 24/7 fuzzing with automatic bug filing and disclosure management. 6. Produces actionable security reports — Every crash is triaged, deduplicated, and reported with reproduction steps, severity assessment, and suggested fixes. ### Solution Format Deliverables: - Rust crate: `zebra-fuzz` — a standalone crate within the Zebra workspace containing all fuzz targets, corpus seeds, and helper utilities - CI configuration: GitHub Actions workflows for PR-level and nightly fuzzing - **OSS-Fuzz integration: Project configuration and Dockerfiles for submission to Google's OSS-Fuzz - Security reports: Detailed crash analysis reports with reproduction cases and severity ratings - Documentation: Guide for adding new fuzz targets, running fuzzing locally, and interpreting results ### Dependencies This project has no dependencies on the Zebra core team. All work is based on the public Zebra repository and uses Zebra's existing public APIs and data structures. We will submit upstream PRs but do not require core team involvement to complete deliverables. ### Technical Approach The project adopts a layered architecture designed for modularity, maintainability, and extensibility. ### Fuzzing Framework The infrastructure is built on `cargo-fuzz` with the libFuzzer backend for coverage-guided fuzzing. For modules where raw byte mutation is insufficient (e.g., structured protocol messages), we use the `arbitrary` crate for structured fuzzing. Coverage instrumentation is provided by LLVM's SanitizerCoverage. ### Fuzz Target Design Each fuzz target acts as a thin harness that feeds mutated input data into Zebra's parsing and validation functions. The harness captures panics, memory errors, and unexpected behavior. For simple deserialization targets, raw byte streams are fed directly into Zebra's `zcash_deserialize` methods. For complex inputs such as network protocol messages, structured fuzzing generates well-formed but edge-case inputs that exercise deeper code paths. ### Target Modules (Priority Order) Fuzz targets are organized by attack surface priority: - **P0 — Critical (untrusted network data)**: Transaction deserialization (all versions v1–v5+), block deserialization and header parsing, P2P network protocol message parsing - **P1 — High (external-facing)**: RPC interface input handling, script and address parsing (transparent and shielded), note commitment tree insert/remove operations - **P2 — Medium (consensus/privacy layer)**: Equihash proof-of-work solution verification, Orchard/Sapling serialization and deserialization ### Corpus Management Seed corpora are extracted from Zcash mainnet data — real transactions, blocks, and protocol messages — providing the fuzzer with realistic starting inputs. Corpus minimization is performed regularly to maintain efficient test sets while preserving maximum code coverage. A regression corpus is preserved for all discovered crashes to prevent regressions in future builds. ### CI Integration GitHub Actions workflows provide two levels of fuzzing integration: - **PR-level smoke fuzzing**: Short fuzzing runs on each pull request to catch obvious regressions before merge - **Nightly extended fuzzing**: Multi-hour fuzzing campaigns across all targets, running overnight to maximize coverage exploration ### Sanitizers All fuzz targets run with AddressSanitizer (ASan) for memory safety violation detection and UndefinedBehaviorSanitizer (UBSan) for catching undefined behavior in unsafe code blocks. ### Upstream Merge Opportunities All deliverables are designed for upstream integration into the main Zebra repository: - `zebra-fuzz` crate can be added as a workspace member - CI workflows follow Zebra's existing GitHub Actions patterns - OSS-Fuzz integration requires a one-time PR to the `google/oss-fuzz` repository - Fuzz targets serve as living documentation of expected input formats We will submit upstream PRs for all deliverables and work with maintainers on review. ### Hardware/Software Costs (USD) 3000 ### Hardware/Software Justification Infrastructure & Environment ($2,000) - Cloud compute instances for extended fuzzing campaigns (6 months) - Zebra node deployment for seed corpus extraction - Storage for chain data, corpora, and crash artifacts CI/CD ($700) - CI/CD pipeline configuration and compute - Automated nightly fuzzing execution - Reproducible build environment for fuzz targets Development Environment ($300) - Local development environment setup - Debugging, profiling, and coverage analysis tools ### Service Costs (USD) NO ### Service Costs Justification NO ### Compensation Costs (USD) 27000 ### Compensation Costs Justification Compensation covers engineering work over a 6-month period for a two-person team. - **Project Lead (robust)**: System architecture, core fuzz target design, crash triage and security analysis, code reviews, documentation, and coordination with ZCG. - **Rust Engineer (aic-larry)**: Fuzz target implementation, corpus management, CI integration, OSS-Fuzz submission, and performance optimization. Compensation is distributed evenly across milestones ($9,000 per milestone), with early milestones focusing on core infrastructure to reduce risk, followed by analysis and documentation in later phases. ### Total Budget (USD) 30000 ### Previous Funding No ### Previous Funding Details NO ### Other Funding Sources No ### Other Funding Sources Details _No response_ ### Implementation Risks Zebra API Isolation Complexity Some Zebra internal APIs may be tightly coupled, making it difficult to fuzz individual components in isolation. Mitigation: Use structured fuzzing with the arbitrary crate to generate well-typed inputs; create thin wrapper harnesses that isolate target functions from their dependencies. Low Crash Yield Due to Rust Memory Safety Rust's ownership model and memory safety guarantees may result in fewer crashes compared to C/C++ codebases. Mitigation: Focus on logic bugs, panics, resource exhaustion, and infinite loops rather than memory corruption. Use AddressSanitizer and UndefinedBehaviorSanitizer for unsafe code blocks where memory issues are still possible. Upstream PR Acceptance Timeline Submitted PRs to the Zebra repository may not be reviewed or merged within the project timeline. Mitigation: All deliverables are designed to function as a standalone fork. Upstream merge is a bonus outcome, not a blocker for milestone completion. Zebra Codebase Evolution Zebra's internal APIs may change during the 6-month project period. Mitigation: Track Zebra's main branch weekly; design fuzz targets against stable public APIs and deserialization interfaces that are unlikely to change. ### Potential Side Effects False Sense of Security Users may assume fuzzing catches all bugs, reducing manual review effort. Mitigation: Clear documentation that fuzzing is complementary to audits, not a replacement. Emphasize coverage limitations in security reports. Noise from Non-Critical Findings Fuzzing may surface panics or edge cases that are not security-relevant, creating noise for maintainers. Mitigation: Crash triage process with severity classification; only report confirmed security-relevant findings to maintainers; maintain separate tracking for low-priority issues. ### Success Metrics Functional Completeness - All planned fuzz targets operational with coverage-guided feedback - Seed corpora extracted and validated from mainnet data - CI integration running on every PR and nightly Security Impact - Number of unique crashes discovered and categorized by severity - Number of bugs reported to Zebra maintainers - Code coverage percentage achieved across target modules Community Adoption - OSS-Fuzz PR submitted and accepted - Upstream PRs submitted to Zebra repository - Documentation enables community contributors to add new fuzz targets independently ### Startup Funding (USD) 3000 ### Startup Funding Justification Startup funding covers essential infrastructure required to begin development and is included within the total requested grant amount. Primary uses: - Cloud environment initial setup for fuzzing campaigns - Zebra node deployment for seed corpus extraction - CI/CD pipeline configuration - Initial storage allocation for corpora and artifacts ### Milestone Details ```milestones.yaml Milestone 1 — Core Fuzzing Framework & Initial Targets - Amount (USD): $9,000 - Expected Completion Date: Month 2 User Stories - As a security researcher, I want systematic fuzz targets for Zebra's critical deserialization code - As a Zebra maintainer, I want automated detection of parsing bugs in transaction and block handling - As a node operator, I want assurance that network protocol parsing is tested against malformed inputs Deliverables - zebra-fuzz crate scaffolding with cargo-fuzz integration - Fuzz targets for transaction deserialization (all versions v1–v5+) - Fuzz targets for block deserialization and header parsing - Fuzz targets for P2P network protocol message parsing - Initial seed corpora extracted from Zcash mainnet data - Local fuzzing runner scripts and developer documentation - Preliminary crash triage for any findings Acceptance Criteria - 3 fuzz targets running with coverage-guided feedback - Seed corpora seeded from real mainnet data - Setup instructions documented and verified - Any discovered crashes triaged and reported Milestone 2 — Extended Targets, Corpus Optimization & CI - Amount (USD): $9,000 - Expected Completion Date: Month 4 User Stories - As a security researcher, I want comprehensive fuzzing coverage across all major Zebra attack surfaces - As a Zebra maintainer, I want CI integration that catches regressions automatically on every PR - As a developer, I want coverage metrics to understand which code paths are being tested Deliverables - Additional fuzz targets for RPC interface input handling - Fuzz targets for script and transparent/shielded address parsing - Fuzz targets for note commitment tree insert/remove operations - Fuzz targets for Equihash solution verification - Corpus optimization: minimization, deduplication, coverage analysis - GitHub Actions CI integration (PR-level smoke fuzzing and nightly extended runs) - Coverage reporting dashboard Acceptance Criteria - 7+ fuzz targets operational - CI pipelines running on PRs and nightly - Corpus coverage metrics tracked and reported - Corpus minimized and deduplicated Milestone 3 — Security Analysis, OSS-Fuzz & Documentation - Amount (USD): $9,000 - Expected Completion Date: Month 6 User Stories - As a Zebra maintainer, I want a comprehensive security report detailing all findings - As a community member, I want Zebra enrolled in OSS-Fuzz for continuous automated fuzzing - As a developer, I want documentation to add new fuzz targets as Zebra evolves Deliverables - Comprehensive crash analysis report with severity classifications - Reproduction steps for each finding - Suggested fixes and patches where applicable - OSS-Fuzz project submission (Dockerfile, build configuration, PR to google/oss-fuzz) - Final documentation (adding fuzz targets guide, corpus management, security recommendations) - Upstream PRs submitted to Zebra repository Acceptance Criteria - Security report delivered with all findings categorized - OSS-Fuzz PR submitted - All documentation complete and reviewed - Upstream PRs opened for Zebra repository Total Budget (USD): $30,000 - Startup Funding: $3,000 - Milestones (1-3): $27,000 - Total: $30,000 ``` ### Supporting Documents ```files.yaml ```

Thank you for your time and feedback.

Topic		Replies	Views
ILE Labs: Zcash Developer Testing & Automation Toolkit - $28K Request Applications	5	151	February 16, 2026
Zcash Community Grants Meeting Minutes 2/16/26 Community Grants Updates	1	216	February 23, 2026
Zebra 1.0.0 Stable Release Zebra	33	2429	March 10, 2024
We are flying blind on network topology. Introducing ZNodes (Live MVP) Applications	5	204	December 8, 2025
[Grant Update] Zcash Ecosystem Security Lead Community Grants Updates	40	2301	March 5, 2026

Zebra Coverage-Guided Fuzzing Infrastructure

Related topics