Motivation
The decoders (abi_decode.zig, rlp.zig, hex.zig, parseSingleTransaction) consume untrusted RPC bytes. Zig has built-in fuzzing (zig test --fuzz); wiring it up is cheap insurance and a strong security-posture signal (SECURITY.md explicitly scopes decoder overflows).
Scope
tests/fuzz_tests.zig with fuzz entries for: RLP decode, ABI decode (dynamic offsets are the classic attack surface), hex decode, JSON tx/log/receipt parsers
zig build fuzz step in build.zig
- CI job running a short fuzz budget per PR (e.g. 60s per target), full runs nightly
Pointers
https://ziglang.org/documentation/master/#Fuzz-Testing -- assert no crashes/leaks, plus round-trip properties where encoders exist (decode(encode(x)) == x).
Motivation
The decoders (
abi_decode.zig,rlp.zig,hex.zig,parseSingleTransaction) consume untrusted RPC bytes. Zig has built-in fuzzing (zig test --fuzz); wiring it up is cheap insurance and a strong security-posture signal (SECURITY.md explicitly scopes decoder overflows).Scope
tests/fuzz_tests.zigwith fuzz entries for: RLP decode, ABI decode (dynamic offsets are the classic attack surface), hex decode, JSON tx/log/receipt parserszig build fuzzstep in build.zigPointers
https://ziglang.org/documentation/master/#Fuzz-Testing -- assert no crashes/leaks, plus round-trip properties where encoders exist (decode(encode(x)) == x).