Smite

Snapshot fuzzing for the Bitcoin Lightning Network

About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Smite

Smite is a coverage-guided fuzzing framework for Lightning Network implementations, derived from fuzzamoto.

Supported Targets

Prerequisites

  • x86_64 architecture
  • Modern Linux operating system
  • Docker
  • AFL++ built from source with Nyx mode

Quick Start

Choose a target (lnd, ldk, cln, or eclair) and a scenario (encrypted_bytes, noise, or init) and follow the steps below:

# Choose target and scenario
TARGET=lnd
SCENARIO=encrypted_bytes

# Build the Docker image
docker build -t smite-$TARGET-$SCENARIO -f workloads/$TARGET/Dockerfile --build-arg SCENARIO=$SCENARIO .

# Enable the KVM VMware backdoor (required for Nyx)
./scripts/enable-vmware-backdoor.sh

# Create the Nyx sharedir
./scripts/setup-nyx.sh /tmp/smite-nyx smite-$TARGET-$SCENARIO ~/AFLplusplus

# Create seed corpus
mkdir -p /tmp/smite-seeds
echo 'AAAA' > /tmp/smite-seeds/seed1

# Start fuzzing
~/AFLplusplus/afl-fuzz -X -i /tmp/smite-seeds -o /tmp/smite-out -- /tmp/smite-nyx
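The quick start seeds the corpus with a single "AAAA" file; structured seeds give the coverage-guided loop a better starting point. The following is an added example, not code from Smite or fuzzamoto: it assumes the init scenario consumes raw BOLT #1 wire-format messages (an assumption about the scenario's input format, which this README does not state) and writes three constructed seeds, one of them deliberately truncated so the corpus also reaches the parser's error paths.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// BOLT #1 message type for `init`.
const MSG_TYPE_INIT: u16 = 16;

/// Encode a BOLT #1 `init` message:
/// type(2) || gflen(2) || globalfeatures || flen(2) || features.
/// Feature bitfields are big-endian byte strings as on the wire; the optional
/// init TLV stream is omitted.
fn encode_init(global_features: &[u8], features: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(6 + global_features.len() + features.len());
    out.extend_from_slice(&MSG_TYPE_INIT.to_be_bytes());
    out.extend_from_slice(&(global_features.len() as u16).to_be_bytes());
    out.extend_from_slice(global_features);
    out.extend_from_slice(&(features.len() as u16).to_be_bytes());
    out.extend_from_slice(features);
    out
}

/// Constructed seed set: an init with no features, one advertising a handful of
/// odd-numbered (optional) BOLT #9 feature bits, and one whose declared feature
/// length does not match the bytes that follow (a malformed seed on purpose).
fn seed_corpus() -> Vec<(&'static str, Vec<u8>)> {
    let mut truncated = encode_init(&[], &[0x02]); // flen says 1 byte follows...
    truncated.pop(); // ...but the feature byte is cut off
    vec![
        ("init_empty", encode_init(&[], &[])),
        ("init_features", encode_init(&[], &[0x02, 0xa2, 0xa2])),
        ("init_truncated", truncated),
    ]
}

/// Write every seed into `dir` (creating it) and return how many were written.
fn write_seeds(dir: &Path) -> io::Result<usize> {
    fs::create_dir_all(dir)?;
    let seeds = seed_corpus();
    for (name, bytes) in &seeds {
        fs::write(dir.join(name), bytes)?;
    }
    Ok(seeds.len())
}

fn main() -> io::Result<()> {
    // Same directory the quick start hands to afl-fuzz with -i.
    let n = write_seeds(Path::new("/tmp/smite-seeds"))?;
    println!("wrote {n} seeds");
    Ok(())
}
```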

Running Modes

Nyx Mode

Uses the Nyx hypervisor for fast snapshot-based fuzzing. AFL++ manages the fuzzing loop and coverage feedback.

The -X flag enables standalone Nyx mode:

afl-fuzz -X -i <seeds> -o <output> -- <sharedir>

Local Mode

This mode runs without Nyx and is used to reproduce and debug crashes.

Reproducing Crashes

When AFL++ finds a crash:

# Get the crash input
cp /tmp/smite-out/default/crashes/<crashing-input> ./crash

# Reproduce in local mode (use the matching image and scenario binary)
docker run --rm -v $PWD/crash:/input.bin -e SMITE_INPUT=/input.bin smite-$TARGET-$SCENARIO /$TARGET-scenario

Coverage Report Mode

Generate an HTML coverage report showing which parts of the target were exercised by a fuzzing corpus:

# Generate coverage report
./scripts/coverage-report.sh $TARGET $SCENARIO /tmp/smite-out/default/queue/

# View the report
firefox ./$TARGET-$SCENARIO-coverage-report/html/index.html

Project Structure

smite/              # Core Rust library (runners, scenarios, noise protocol, BOLT messages)
smite-nyx-sys/      # Nyx FFI bindings
smite-scenarios/    # Scenario implementations and target binaries
workloads/
  lnd/              # LND fuzzing workload (Dockerfile, init script)
  ldk/              # LDK fuzzing workload (Dockerfile, init script, ldk-node wrapper)
  cln/              # CLN fuzzing workload (Dockerfile, init script)
  eclair/           # Eclair fuzzing workload (Dockerfile, init script, instrumentation agent)
scripts/
  setup-nyx.sh              # Helper to create Nyx sharedirs
  enable-vmware-backdoor.sh # Enable KVM VMware backdoor for Nyx
  coverage-report.sh        # Generate a coverage report for any scenario
  symbolize-crash.sh        # Symbolize CLN crash report stack traces

GitHub Stars: 16
Category: Development
Updated: 1h ago
Forks: 12

Languages

Rust

Security Score

90/100

Audited on Apr 3, 2026

No findings