SoB: Week 12 and 13
Overview
For the last couple of weeks of Summer of Bitcoin, most of my time was spent following up on received feedback and wrapping up the work I had already done. I also finally finished the security report for the gossip daemon memory bug.
Goals accomplished
- Made the open_channel2 fuzzer stateful: Although the open_channel2 fuzzer was already complete, I recently transformed it into a stateful fuzzer to better test the dual-funding protocol. This decision followed a discussion with Matt about the potential benefits of this approach, and since the fuzzer already covered the relevant code paths, it was a logical enhancement. The work was more straightforward than I anticipated and is now finished. While these improvements did not uncover any new vulnerabilities, the updated fuzzer serves as a valuable regression test.
- Addressed received feedback: Over the past two weeks, I’ve been addressing upstream feedback for several targets, including open_channel and wireaddr_internal. While I’m making steady progress, it’s unlikely I’ll be able to finalize all of this work before the official end of the internship. However, since the remaining tasks are straightforward, I’m confident that I can complete them alongside my academic schedule.
- Finished the gossipd-connectd vulnerability investigation: While determining the nature of this bug was quick, assessing its severity took a significant amount of time. I’m happy to report I’ve finally reached a conclusion on it. My many attempts to generate a conclusive memory profile were unsuccessful. Just when I was about to give up, I developed a hypothesis based on a warning message that CLN generated when running my attack program. After I presented this theory to Matt and he confirmed it was most likely correct, I wrote a full report on the bug and sent it to the CLN security mailing list.
- Reached a conclusion on the full-channel bug: Before pushing this target upstream, I decided to investigate the crash to determine if it represented a real-world vulnerability. After consulting some resources, I found that the bug occurred due to invalid splice amounts generated by the fuzzer. This scenario wouldn’t be possible in production because of existing safeguards against such invalid values. With this understanding, I reworked the target to bypass the crash and then pushed it upstream.
- Reworked the initial-channel target: This fuzz target had been blocked by a persistent crash for the past three weeks. After consulting with Matt, we decided the best course of action was to remove the tests for the specific function that was causing the crash. I’ve implemented this change, and the target now runs successfully. The fix is available for review in PR #8373.
Future goals
Today marks the official end of Summer of Bitcoin 2025. While the program is concluding, my work on the project is not. I’ve invested a great deal of time and effort into my contributions, and I’m committed to seeing them through to completion. I plan to continue working past the official end date until all of my changes are pushed upstream and in a mergeable state. With that being said, here’s what’s left to do in the project:
- Push the remaining targets upstream: I have a local backlog of about 6-7 new and improved targets that I haven’t pushed upstream yet. Once the current number of pending upstream targets decreases, I’ll push this new batch. From there, they will go through the standard feedback and improvement cycle until they are also considered mergeable.
- Finish investigating any potential vulnerabilities: A few of my upstream targets, like full_channel, still fail when run on their corpus. Before I consider my work complete, I plan to thoroughly investigate these crashes and identify any underlying vulnerabilities.
- Get the CI to pass on PRs: I’ve noticed that Rusty prioritizes merging PRs with a passing CI, even when failures on other PRs are unrelated to the proposed changes. To help get my work merged, my plan for the upcoming days is to investigate these CI issues and resolve them on as many of my PRs as possible.
Challenges
As I’ve noted over the past few weeks, my primary challenge has been balancing the internship with my academic workload. While I’ve managed my time by working on weekends, I’m disappointed that my productivity hasn’t matched the level it reached during my vacation. I feel I could have contributed more under different circumstances. Despite this, I am fully committed to seeing my work through to completion. I hope my dedication to finishing the project will compensate for any reduced output over these last couple of weeks.
Today marks the final day of the 13th week and the official conclusion of the Summer of Bitcoin 2025 program. Over the past couple of weeks, I discovered and confirmed a second serious DoS attack vector. In total, my work during the internship has led to the discovery of:
- Two critical vulnerabilities.
- Seven non-critical vulnerabilities, one of which is still under investigation and may be upgraded in severity.
When I began this internship, I wasn’t sure if I would be able to find even a single vulnerability. I’m proud of what I’ve achieved through a combination of discipline and invaluable guidance from Matt. While my work isn’t finished and I’m still on the hunt for another serious vulnerability, I feel nothing but gratitude. Thank you to Summer of Bitcoin, Matt, and everyone who helped me exceed my own expectations.
Till next time,
Chandra.