Zebra Coverage-Guided Fuzzing Infrastructure

robustfengbin · March 16, 2026, 12:32am

Hello everyone,

I am submitting a proposal to Zcash Community Grants (ZCG) to build a coverage-guided fuzzing infrastructure for Zebra, the Zcash Foundation’s Rust consensus node implementation.

This project focuses on systematically testing Zebra’s critical parsing, networking, and cryptographic components against malformed inputs, enabling continuous, automated discovery of security vulnerabilities and edge-case bugs.

Why This Matters

Zebra currently has zero fuzzing coverage. There are no fuzz targets, no cargo-fuzz configuration, and no OSS-Fuzz registration. After NU7, Zebra becomes the sole consensus node for the entire Zcash network. Any exploitable parsing or validation bug could compromise the network’s security and user funds.

For comparison, Bitcoin Core maintains a mature fuzzing infrastructure with over 100 fuzz targets and continuous OSS-Fuzz integration. Zcash, as a privacy-focused cryptocurrency, arguably requires even more rigorous testing, yet has none.

Project Overview

This proposal introduces a complete fuzzing infrastructure for Zebra that includes:

Fuzz targets for all major attack surfaces: transaction and block deserialization, P2P protocol parsing, RPC input handling, script and address parsing, note commitment tree operations, and Equihash verification
Seed corpora extracted from Zcash mainnet real data
CI integration with PR-level smoke fuzzing and nightly extended fuzzing campaigns via GitHub Actions
OSS-Fuzz submission, enrolling Zebra in Google’s continuous fuzzing service for 24/7 automated testing
Security reporting with structured crash triage, severity classification, reproduction steps, and fix recommendations

Technical Approach

The infrastructure is built on cargo-fuzz with the libFuzzer backend. For complex inputs, the arbitrary crate enables structured fuzzing. All targets run with AddressSanitizer and UndefinedBehaviorSanitizer for maximum bug detection.

Fuzz targets are prioritized by attack surface:

P0 (Critical): Transaction deserialization (v1 through v5+), block and header parsing, P2P message parsing
P1 (High): RPC input handling, script and address parsing, note commitment tree operations
P2 (Medium): Equihash verification, Orchard and Sapling serialization

Deliverables and Milestones

The proposal is structured into three milestones over 6 months:

Core Fuzzing Framework and Initial Targets — zebra-fuzz crate, 3+ fuzz targets for critical deserialization code, seed corpora from mainnet
Extended Targets, Corpus Optimization and CI — 7+ total fuzz targets, corpus minimization, GitHub Actions CI integration, coverage reporting
Security Analysis, OSS-Fuzz and Documentation — crash analysis report, OSS-Fuzz submission PR, documentation for community contributors, upstream PRs to Zebra

Budget

Startup Funding: $3,000 (infrastructure setup)
Milestones 1 through 3: $27,000 (engineering work)
Total: $30,000

Design Principles

Standalone: independent crate, no modifications to Zebra core code required
Sustainable: OSS-Fuzz integration ensures fuzzing continues indefinitely after project completion
Community-oriented: documentation enables anyone to add new fuzz targets as Zebra evolves

Full proposal details are available here:

github.com/ZcashCommunityGrants/zcashcommunitygrants

Zebra Coverage-Guided Fuzzing Infrastructure

opened 06:58AM - 15 Mar 26 UTC

robustfengbin

### Terms and Conditions - [x] I agree to the [Grant Agreement](https://9ba4718…c-5c73-47c3-a024-4fc4e5278803.usrfiles.com/ugd/9ba471_f81ef4e4b5f040038350270590eb2e42.pdf) terms if funded - [x] I agree to [Provide KYC information](https://9ba4718c-5c73-47c3-a024-4fc4e5278803.usrfiles.com/ugd/9ba471_7d9e73d16b584a61bae92282b208efc4.pdf) if funded above $50,000 USD - [x] I agree to disclose conflicts of interest - [x] I agree to adhere to the [Code of Conduct](https://forum.zcashcommunity.com/t/zcg-code-of-conduct/41787) and [Communication Guidelines](https://forum.zcashcommunity.com/t/zcg-communication-guidelines/44284) - [x] I understand all milestone deliverables will be validated and accepted by their intended users or their representatives, who will confirm that the deliverables meet the required quality, functionality, and usability for each user story. - [x] I agree that for any new open-source software, I will create a `CONTRIBUTING.md` file that reflects the high standards of Zcash development, using the [`librustzcash` style guides](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#styleguides) as a primary reference. - [x] I understand when contributing to existing Zcash code, I am required to adhere to the project specific contribution guidelines, paying close attention to any [merge](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#merge-workflow), [branch](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#branch-history), [pull request](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#pull-request-review), and [commit](https://github.com/zcash/librustzcash/blob/main/CONTRIBUTING.md#commit-messages) guidelines as exemplified in the `librustzcash` repository. - [x] I agree to post request details on the [Community Forum](https://forum.zcashcommunity.com/c/grants/33) - [x] I understand it is my responsibility to post a link to this issue on the [Zcash Community Forums](https://forum.zcashcommunity.com/c/grants/33) after this application has been submitted so the community can give input. I understand this is required in order for ZCG to discuss and vote on this grant application. ### Application Owners (@Octocat, @Octocat1) robustfengbin ### Organization Name Independent Developer ### How did you learn about Zcash Community Grants The Zcash Community Forum, GitHub ### Requested Grant Amount (USD) 30000 ### Category Research & Development ### Project Lead ```project-lead.yaml Name: robust Role: Project Lead Background: Senior software engineer with over 15 years of experience building production-grade backend systems and developer tooling. Strong background in Rust, distributed systems, and blockchain infrastructure. Solid working knowledge of the Zcash protocol stack and practical experience with the Zebra node architecture. Responsibilities: - Overall project ownership and technical direction - System architecture and core fuzz target design decisions - Crash triage, severity assessment, and security analysis - Review and acceptance of all milestone deliverables - Coordination with Zcash Community Grants reviewers and community stakeholders ``` ### Additional Team Members ```team-members.yaml - Name: aic-larry Role: Rust Engineer Background: Experienced Rust developer with strong focus on systems programming, security testing, and fuzzing methodologies. Prior experience building coverage-guided fuzz testing infrastructure for Rust projects. Responsibilities: - Fuzz target implementation and harness development - Seed corpus extraction and corpus management - CI/CD integration and GitHub Actions workflow configuration - OSS-Fuzz project submission and integration - Writing unit tests, performance benchmarks, and documentation ``` ### Project Summary Build a comprehensive coverage-guided fuzzing infrastructure for Zebra, the Zcash Foundation's consensus node implementation. This project will create systematic fuzz targets for Zebra's critical parsing, networking, and cryptographic components, integrate them into CI, and submit the project to Google's OSS-Fuzz for continuous automated fuzzing. ### Project Description Zebra is the sole consensus node implementation for the Zcash network post-NU7. Despite this critical role, Zebra currently has zero fuzzing infrastructure — no `fuzz/` directory, no `cargo-fuzz` integration, and no presence in Google's OSS-Fuzz program. This project delivers a production-ready fuzzing infrastructure covering Zebra's most security-sensitive components: - **Transaction & Block deserialization** — the primary attack surface for any blockchain node - **P2P network protocol message parsing** — exposed to untrusted network input - **RPC interface input handling** — external-facing API surface - **Script and address parsing** — complex format validation logic - **Note commitment tree operations** — critical to shielded transaction integrity - **Equihash proof-of-work verification** — consensus-critical validation - **Orchard/Sapling serialization** — privacy-layer data handling The infrastructure uses `cargo-fuzz` with the libFuzzer backend for coverage-guided fuzzing, includes corpus management, CI integration via GitHub Actions, and a structured crash triage and reporting workflow. ### Proposed Problem Zebra has no systematic fuzzing, despite being the only Zcash consensus node after NU7. Key concerns: 1. Zero fuzzing coverage: Zebra's repository contains no fuzz targets, no `cargo-fuzz` configuration, and the project is not registered with OSS-Fuzz. A `grep` for `fuzz` in the codebase confirms the complete absence of fuzzing infrastructure. 2. Single point of failure: After NU7, Zebra becomes the sole consensus node for the entire Zcash network. Any exploitable parsing or validation bug could compromise the network's security and user funds. 3. Industry standard gap: Bitcoin Core maintains a mature fuzzing infrastructure with 100+ fuzz targets and continuous OSS-Fuzz integration. Zcash, as a privacy-focused cryptocurrency handling shielded transactions, arguably requires *more* rigorous testing — yet has none. 4. Complementary to audits: Least Authority has conducted code audits of Zebra, but audits and fuzzing serve fundamentally different purposes. Audits are point-in-time human reviews; fuzzing provides continuous, automated discovery of edge cases that human reviewers miss. These approaches are complementary, not redundant. 5. ZCG priority alignment: The ZCG Wishlist explicitly includes "Audits for updated Zcash software." Fuzzing is the most cost-effective form of continuous security testing and directly supports this priority. ### Proposed Solution A systematic, coverage-guided fuzzing infrastructure for Zebra that: 1. Targets high-risk attack surfaces — Prioritizes components that process untrusted input: deserialization, network protocol parsing, and RPC handling. 2. Uses industry-standard tooling — Built on `cargo-fuzz` (libFuzzer backend), the de facto standard for Rust fuzzing, ensuring compatibility with the broader ecosystem. 3. Manages corpora intelligently — Seeds initial corpora from real network data (valid transactions, blocks, protocol messages) and accumulates coverage-expanding inputs over time. 4. Integrates into CI — GitHub Actions workflows run fuzzing on every PR and perform extended nightly fuzzing runs, catching regressions before they reach production. 5. Submits to OSS-Fuzz — Google's free, continuous fuzzing service will provide 24/7 fuzzing with automatic bug filing and disclosure management. 6. Produces actionable security reports — Every crash is triaged, deduplicated, and reported with reproduction steps, severity assessment, and suggested fixes. ### Solution Format Deliverables: - Rust crate: `zebra-fuzz` — a standalone crate within the Zebra workspace containing all fuzz targets, corpus seeds, and helper utilities - CI configuration: GitHub Actions workflows for PR-level and nightly fuzzing - **OSS-Fuzz integration: Project configuration and Dockerfiles for submission to Google's OSS-Fuzz - Security reports: Detailed crash analysis reports with reproduction cases and severity ratings - Documentation: Guide for adding new fuzz targets, running fuzzing locally, and interpreting results ### Dependencies This project has no dependencies on the Zebra core team. All work is based on the public Zebra repository and uses Zebra's existing public APIs and data structures. We will submit upstream PRs but do not require core team involvement to complete deliverables. ### Technical Approach The project adopts a layered architecture designed for modularity, maintainability, and extensibility. ### Fuzzing Framework The infrastructure is built on `cargo-fuzz` with the libFuzzer backend for coverage-guided fuzzing. For modules where raw byte mutation is insufficient (e.g., structured protocol messages), we use the `arbitrary` crate for structured fuzzing. Coverage instrumentation is provided by LLVM's SanitizerCoverage. ### Fuzz Target Design Each fuzz target acts as a thin harness that feeds mutated input data into Zebra's parsing and validation functions. The harness captures panics, memory errors, and unexpected behavior. For simple deserialization targets, raw byte streams are fed directly into Zebra's `zcash_deserialize` methods. For complex inputs such as network protocol messages, structured fuzzing generates well-formed but edge-case inputs that exercise deeper code paths. ### Target Modules (Priority Order) Fuzz targets are organized by attack surface priority: - **P0 — Critical (untrusted network data)**: Transaction deserialization (all versions v1–v5+), block deserialization and header parsing, P2P network protocol message parsing - **P1 — High (external-facing)**: RPC interface input handling, script and address parsing (transparent and shielded), note commitment tree insert/remove operations - **P2 — Medium (consensus/privacy layer)**: Equihash proof-of-work solution verification, Orchard/Sapling serialization and deserialization ### Corpus Management Seed corpora are extracted from Zcash mainnet data — real transactions, blocks, and protocol messages — providing the fuzzer with realistic starting inputs. Corpus minimization is performed regularly to maintain efficient test sets while preserving maximum code coverage. A regression corpus is preserved for all discovered crashes to prevent regressions in future builds. ### CI Integration GitHub Actions workflows provide two levels of fuzzing integration: - **PR-level smoke fuzzing**: Short fuzzing runs on each pull request to catch obvious regressions before merge - **Nightly extended fuzzing**: Multi-hour fuzzing campaigns across all targets, running overnight to maximize coverage exploration ### Sanitizers All fuzz targets run with AddressSanitizer (ASan) for memory safety violation detection and UndefinedBehaviorSanitizer (UBSan) for catching undefined behavior in unsafe code blocks. ### Upstream Merge Opportunities All deliverables are designed for upstream integration into the main Zebra repository: - `zebra-fuzz` crate can be added as a workspace member - CI workflows follow Zebra's existing GitHub Actions patterns - OSS-Fuzz integration requires a one-time PR to the `google/oss-fuzz` repository - Fuzz targets serve as living documentation of expected input formats We will submit upstream PRs for all deliverables and work with maintainers on review. ### Hardware/Software Costs (USD) 3000 ### Hardware/Software Justification Infrastructure & Environment ($2,000) - Cloud compute instances for extended fuzzing campaigns (6 months) - Zebra node deployment for seed corpus extraction - Storage for chain data, corpora, and crash artifacts CI/CD ($700) - CI/CD pipeline configuration and compute - Automated nightly fuzzing execution - Reproducible build environment for fuzz targets Development Environment ($300) - Local development environment setup - Debugging, profiling, and coverage analysis tools ### Service Costs (USD) NO ### Service Costs Justification NO ### Compensation Costs (USD) 27000 ### Compensation Costs Justification Compensation covers engineering work over a 6-month period for a two-person team. - **Project Lead (robust)**: System architecture, core fuzz target design, crash triage and security analysis, code reviews, documentation, and coordination with ZCG. - **Rust Engineer (aic-larry)**: Fuzz target implementation, corpus management, CI integration, OSS-Fuzz submission, and performance optimization. Compensation is distributed evenly across milestones ($9,000 per milestone), with early milestones focusing on core infrastructure to reduce risk, followed by analysis and documentation in later phases. ### Total Budget (USD) 30000 ### Previous Funding No ### Previous Funding Details NO ### Other Funding Sources No ### Other Funding Sources Details _No response_ ### Implementation Risks Zebra API Isolation Complexity Some Zebra internal APIs may be tightly coupled, making it difficult to fuzz individual components in isolation. Mitigation: Use structured fuzzing with the arbitrary crate to generate well-typed inputs; create thin wrapper harnesses that isolate target functions from their dependencies. Low Crash Yield Due to Rust Memory Safety Rust's ownership model and memory safety guarantees may result in fewer crashes compared to C/C++ codebases. Mitigation: Focus on logic bugs, panics, resource exhaustion, and infinite loops rather than memory corruption. Use AddressSanitizer and UndefinedBehaviorSanitizer for unsafe code blocks where memory issues are still possible. Upstream PR Acceptance Timeline Submitted PRs to the Zebra repository may not be reviewed or merged within the project timeline. Mitigation: All deliverables are designed to function as a standalone fork. Upstream merge is a bonus outcome, not a blocker for milestone completion. Zebra Codebase Evolution Zebra's internal APIs may change during the 6-month project period. Mitigation: Track Zebra's main branch weekly; design fuzz targets against stable public APIs and deserialization interfaces that are unlikely to change. ### Potential Side Effects False Sense of Security Users may assume fuzzing catches all bugs, reducing manual review effort. Mitigation: Clear documentation that fuzzing is complementary to audits, not a replacement. Emphasize coverage limitations in security reports. Noise from Non-Critical Findings Fuzzing may surface panics or edge cases that are not security-relevant, creating noise for maintainers. Mitigation: Crash triage process with severity classification; only report confirmed security-relevant findings to maintainers; maintain separate tracking for low-priority issues. ### Success Metrics Functional Completeness - All planned fuzz targets operational with coverage-guided feedback - Seed corpora extracted and validated from mainnet data - CI integration running on every PR and nightly Security Impact - Number of unique crashes discovered and categorized by severity - Number of bugs reported to Zebra maintainers - Code coverage percentage achieved across target modules Community Adoption - OSS-Fuzz PR submitted and accepted - Upstream PRs submitted to Zebra repository - Documentation enables community contributors to add new fuzz targets independently ### Startup Funding (USD) 3000 ### Startup Funding Justification Startup funding covers essential infrastructure required to begin development and is included within the total requested grant amount. Primary uses: - Cloud environment initial setup for fuzzing campaigns - Zebra node deployment for seed corpus extraction - CI/CD pipeline configuration - Initial storage allocation for corpora and artifacts ### Milestone Details ```milestones.yaml Milestone 1 — Core Fuzzing Framework & Initial Targets - Amount (USD): $9,000 - Expected Completion Date: Month 2 User Stories - As a security researcher, I want systematic fuzz targets for Zebra's critical deserialization code - As a Zebra maintainer, I want automated detection of parsing bugs in transaction and block handling - As a node operator, I want assurance that network protocol parsing is tested against malformed inputs Deliverables - zebra-fuzz crate scaffolding with cargo-fuzz integration - Fuzz targets for transaction deserialization (all versions v1–v5+) - Fuzz targets for block deserialization and header parsing - Fuzz targets for P2P network protocol message parsing - Initial seed corpora extracted from Zcash mainnet data - Local fuzzing runner scripts and developer documentation - Preliminary crash triage for any findings Acceptance Criteria - 3 fuzz targets running with coverage-guided feedback - Seed corpora seeded from real mainnet data - Setup instructions documented and verified - Any discovered crashes triaged and reported Milestone 2 — Extended Targets, Corpus Optimization & CI - Amount (USD): $9,000 - Expected Completion Date: Month 4 User Stories - As a security researcher, I want comprehensive fuzzing coverage across all major Zebra attack surfaces - As a Zebra maintainer, I want CI integration that catches regressions automatically on every PR - As a developer, I want coverage metrics to understand which code paths are being tested Deliverables - Additional fuzz targets for RPC interface input handling - Fuzz targets for script and transparent/shielded address parsing - Fuzz targets for note commitment tree insert/remove operations - Fuzz targets for Equihash solution verification - Corpus optimization: minimization, deduplication, coverage analysis - GitHub Actions CI integration (PR-level smoke fuzzing and nightly extended runs) - Coverage reporting dashboard Acceptance Criteria - 7+ fuzz targets operational - CI pipelines running on PRs and nightly - Corpus coverage metrics tracked and reported - Corpus minimized and deduplicated Milestone 3 — Security Analysis, OSS-Fuzz & Documentation - Amount (USD): $9,000 - Expected Completion Date: Month 6 User Stories - As a Zebra maintainer, I want a comprehensive security report detailing all findings - As a community member, I want Zebra enrolled in OSS-Fuzz for continuous automated fuzzing - As a developer, I want documentation to add new fuzz targets as Zebra evolves Deliverables - Comprehensive crash analysis report with severity classifications - Reproduction steps for each finding - Suggested fixes and patches where applicable - OSS-Fuzz project submission (Dockerfile, build configuration, PR to google/oss-fuzz) - Final documentation (adding fuzz targets guide, corpus management, security recommendations) - Upstream PRs submitted to Zebra repository Acceptance Criteria - Security report delivered with all findings categorized - OSS-Fuzz PR submitted - All documentation complete and reviewed - Upstream PRs opened for Zebra repository Total Budget (USD): $30,000 - Startup Funding: $3,000 - Milestones (1-3): $27,000 - Total: $30,000 ``` ### Supporting Documents ```files.yaml ```

Thank you for your time and feedback.

Marek · March 20, 2026, 2:22pm

I’m supportive of this grant.

alchemydc · March 23, 2026, 5:13pm

Hi all,

I reviewed this proposal and am supportive, with a few concerns I’d like the committee and proposer to address.

What I Like

Right tool, right scope. The technical approach is sound. cargo-fuzz with libFuzzer is the standard Rust fuzzing toolchain, and the phased milestone structure and $30K budget are reasonable for the scope of work.

OSS-Fuzz submission is the highest-value deliverable. If accepted, Google provides 24/7 continuous fuzzing at zero ongoing cost to the ecosystem. This is where the long-term ROI lives.

Concerns

Proposer credibility gap on fuzzing specifically. The proposer’s GitHub shows meaningful Rust experience, but I found no public evidence of fuzzing work. No fuzz targets, no crash triage, no OSS-Fuzz contributions. I also could not locate a GitHub profile for the co-proposer (aic-larry), who is listed as the primary implementer. The proposer appears to be using Claude Code (based on CLAUDE.md in their pinned repo), which is fine for development but makes it harder to evaluate their independent depth on security analysis and crash triage.

OSS-Fuzz acceptance is not guaranteed, and that changes the value equation. Google’s bar for inclusion is high. Projects must have a significant user base or be critical to global IT infrastructure. If Zebra is not accepted, the fuzzing infrastructure still has value, but becomes a material ongoing cost center (CI compute, corpus maintenance, someone to monitor and triage results). I’d recommend ZCG structure payment so that a meaningful portion of milestone 3 funding is gated on OSS-Fuzz submission acceptance, giving the proposers strong incentive to build a compelling case for inclusion.

Crash triage and severity assessment need more detail. Fuzzing safe Rust code will likely surface many panics and edge cases that are not security-critical. These are still worth fixing, but someone needs to distinguish “consensus node crashes on malformed input from an adversarial peer” from “unreachable panic in a rarely-exercised code path.” It’s not clear to me that the team has experience making these determinations in a consensus-node context. I’d like to see the proposer describe their triage framework and, ideally, point to prior experience assessing bug severity.

Recommendations

Request a proof-of-concept: A single working fuzz target against Zebra’s transaction deserialization, before full grant approval. This would materially de-risk the grant.
Require a GitHub profile or portfolio for aic-larry so the committee can vet the primary implementer.
Gate a portion of milestone 3 on OSS-Fuzz acceptance to align incentives with the proposal’s highest-value deliverable. The proposer obviously can’t control Google’s decision here, but the committee can align incentives such that the proposer makes a compelling case for inclusion in the OSS-Fuzz program.

robustfengbin · March 24, 2026, 6:39am

Hi alchemydc, thank you for the thoughtful feedback and support. I want to address your concerns — and share an important update.

Update first: Since posting our proposal, we’ve continued our PoC work and our deep fuzzing methodology has already uncovered a security issue that we’ve reported to the Zcash Foundation through Zebra’s official responsible disclosure process (GitHub Security Advisory, per Zebra’s SECURITY.md). We can’t share details until the disclosure process completes, but we believe this early finding validates both our approach and our team’s ability to deliver real security value.

Now to your specific points:

1. Team experience and aic-larry

aic-larry has been my long-term Rust development partner. We’ve built production cryptocurrency trading systems together — market-making and arbitrage on Binance Futures, Hyperliquid, Lighter, and Uniswap. These are systems handling real capital where bugs mean real losses, so code correctness and security are ingrained in how we work. Due to the commercially sensitive nature of quantitative trading, these projects live in private repositories — standard practice in this industry.

On the AI tooling question (CLAUDE.md in our repo): yes, we use AI assistants as part of our development workflow. We see this as a strength, not a weakness — AI-assisted fuzzing harness design and code path analysis significantly accelerates our work. The security judgment, methodology design, and responsible disclosure process are all human-driven.

Rather than profiles, I’d point to results: our deep fuzzing approach found a reportable security issue within the first day of deploying our new multi-layer harness methodology. That’s what matters.

2. OSS-Fuzz and M3 funding

Fair concern. We propose splitting M3 ($9,000):

$6,000 (fixed): Complete OSS-Fuzz integration PR (fuzz targets, Dockerfile, project.yaml), standalone CI fuzzing pipeline, curated seed corpus, and documentation. This is real engineering work regardless of Google’s decision.
$3,000 (conditional): Released upon Google’s acceptance.

Either way, we commit to maintaining continuous fuzzing infrastructure. If OSS-Fuzz declines, we’ll run equivalent continuous fuzzing on dedicated servers (cost ~$500/6 months). The Zcash community gets continuous fuzzing regardless — OSS-Fuzz acceptance just means Google subsidizes the compute.

3. Crash triage process

Here’s our workflow, which we’ve now battle-tested with a real finding:

Severity levels:

Critical: Remotely exploitable, affects consensus or network availability
High: Node crash or denial of service
Medium: Non-security logic errors
Low: Edge cases not affecting production

Process:

Discovery — Fuzzer flags crash, triggering input automatically preserved
Reproduction — Minimize test case (cargo fuzz tmin), confirm stable reproduction
Classification — Determine severity, analyze attack reachability (can this be triggered remotely? via P2P? via RPC?)
Reporting — Critical/High: private disclosure to ZF security team within 24 hours. Medium/Low: public GitHub issue
Documentation — Each report includes: minimized input, stack trace, impact analysis, reachability assessment, and suggested fix
Fix assistance — Patch suggestions + verification
Disclosure — 90-day responsible disclosure window

We’ve now executed this entire pipeline end-to-end — from fuzzer discovery through reachability analysis to responsible disclosure — on a real finding. Not a hypothetical workflow anymore.

PoC progress:

Beyond the security finding (details embargoed), our Phase 1 numbers:

95.6 million iterations across 6 targets, zero crashes in standard (Layer 1) fuzzing
Multi-layer deep fuzzing methodology: we go beyond “does it deserialize without panicking” to test property access, hash computation, consensus checks, and fee calculations on deserialized objects
Real mainnet data as seed corpus (1,565 transactions + 473 blocks from a fully-synced Zebra node)
Running across multiple machines (2-core GCP + 8-core dedicated server), with up to 52x performance scaling

The key insight: traditional deserialize-only fuzzing (Layer 1) ran 95M+ iterations and found nothing. Our multi-layer approach found a reportable issue within minutes of deployment. This is the methodological contribution we’re bringing.

Looking forward to the committee’s feedback.

alchemydc · March 26, 2026, 1:46pm

Thanks @robustfengbin for the follow-up. I can confirm that the bug that you found and reported responsibly in Zebra was 1) serious and 2) remotely exploitable. Indeed this validates your approach, methodology and triage capabilities. Bravo!

I appreciate your commitment to M3 and doing the work to get GOOG to accept the project, as well as doing 6 months worth of fuzzing independently of acceptance into the GOOG program.

robustfengbin · March 27, 2026, 1:11am

Thank you @alchemydc — this confirmation means a lot, both as validation of our methodology and as encouragement going forward.

The responsible disclosure process with ZF was smooth and professional. From report to hotfix, the turnaround was impressive, and we appreciate the team’s responsiveness.

Looking forward to continuing this collaboration.

thejohnnycrypto · March 27, 2026, 12:08pm

Zero fuzzing coverage on the only consensus node is a real gap. The fact that this team already found a remotely exploitable bug during the proposal phase says everything about the value here. $30K for continuous security testing on critical infrastructure feels like cheap insurance.

robustfengbin · March 27, 2026, 2:05pm

@thejohnnycrypto
Thanks, really appreciate this perspective.

I fully agree that fuzzing coverage on a consensus-critical node like Zebra is essential. The deserialization panic we found is exactly the kind of issue that can hide in edge cases and only surface under adversarial inputs.

Our goal with this proposal is not just to find isolated bugs, but to build a continuous fuzzing and triage pipeline that provides long-term security assurance for the ecosystem.

Really glad to see the community recognizing the importance of this work.

shieldedmark · March 27, 2026, 3:57pm

It’s not zero fuzzing! Ziggurat, which I did during my time at Equilibrium Labs fuzzed the network layer and found several critical-but-now-fixed vulns.

cc @olliten @JoakimEQ

conradoplg · March 27, 2026, 4:58pm

Finding a critical bug was an excellent way to market your proposal I support this!

ZCG · March 30, 2026, 1:20pm

@robustfengbin at the most recent meeting, ZCG voted to approve this proposal. Congratulations!

To keep the community informed, ZCG requests that you provide monthly updates via the forum in this thread.

Please check your forum inbox for a direct message from FPF with important next steps, including a link to the Milestone Payment Request Form and your unique validation code for submitting payment requests.

robustfengbin · March 30, 2026, 2:13pm

Thank you ZCG for the approval! I’m excited to get started and grateful for the community’s trust.

I’ll begin work on Milestone 1 immediately and provide monthly progress updates in this thread as requested.

Looking forward to delivering meaningful security improvements for Zebra and the Zcash ecosystem.

Topic		Replies	Views
ILE Labs: Zcash Developer Testing & Automation Toolkit - $28K Request Applications	5	172	February 16, 2026
Zephyr - A Metamask-style browser extension for Zcash Applications	55	6716	March 30, 2023
Zcash Community Grants Meeting Minutes 2/16/26 Community Grants Updates	1	236	February 23, 2026
Zcash core developer proposal Community Collaborations	36	3887	February 2, 2021
Zcash Ecosystem Security Lead Applications	94	6270	January 5, 2024

Zebra Coverage-Guided Fuzzing Infrastructure

What I Like

Concerns

Recommendations

Related topics