diff --git a/.gitignore b/.gitignore
index 54855b71f771..e5b3265f888a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,8 +13,7 @@ src/dash-gui
 src/dash-node
 src/dash-tx
 src/dash-wallet
-src/test/fuzz/*
-!src/test/fuzz/*.*
+src/test/fuzz/fuzz
 src/test/test_dash
 src/qt/test/test_dash-qt
 src/qt/res/css/colors/*
diff --git a/configure.ac b/configure.ac
index ed96c7e0dbb7..1c835b4ff937 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1960,12 +1960,12 @@ if test x$bitcoin_enable_qt != xno; then
 fi
 echo "  with zmq            = $use_zmq"
 if test x$enable_fuzz == xno; then
-    echo "  with test     = $use_tests"
+    echo "  with test           = $use_tests"
 else
-    echo "  with test     = not building test_dash because fuzzing is enabled"
-    echo "    with fuzz   = $enable_fuzz"
+    echo "  with test           = not building test_dash because fuzzing is enabled"
 fi
-echo "  with bench    = $use_bench"
+echo "  with fuzz binary    = $enable_fuzz_binary"
+echo "  with bench          = $use_bench"
 echo "  with upnp           = $use_upnp"
 echo "  with natpmp         = $use_natpmp"
 echo "  use asm             = $use_asm"
diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 93353dc8ff05..fc1e52d6df74 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -327,6 +327,7 @@ test_fuzz_fuzz_SOURCES = \
   test/fuzz/transaction.cpp \
   test/fuzz/tx_in.cpp \
   test/fuzz/tx_out.cpp \
+  test/fuzz/tx_pool.cpp \
   test/fuzz/validation_load_mempool.cpp \
   test/fuzz/versionbits.cpp
 endif # ENABLE_FUZZ_BINARY
diff --git a/src/Makefile.test_util.include b/src/Makefile.test_util.include
index f55a040bbde0..1a805a1dd1f5 100644
--- a/src/Makefile.test_util.include
+++ b/src/Makefile.test_util.include
@@ -13,10 +13,12 @@ TEST_UTIL_H = \
     test/util/logging.h \
     test/util/mining.h \
     test/util/net.h \
+    test/util/script.h \
     test/util/setup_common.h \
     test/util/str.h \
     test/util/transaction_utils.h \
     test/util/wallet.h \
+    test/util/validation.h \
     test/util/xoroshiro128plusplus.h
 
 libtest_util_a_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) $(MINIUPNPC_CPPFLAGS) $(EVENT_CFLAGS) $(EVENT_PTHREADS_CFLAGS)
@@ -27,9 +29,11 @@ libtest_util_a_SOURCES = \
   test/util/logging.cpp \
   test/util/mining.cpp \
   test/util/net.cpp \
+  test/util/script.cpp \
   test/util/setup_common.cpp \
   test/util/str.cpp \
   test/util/transaction_utils.cpp \
+  test/util/validation.cpp \
   test/util/wallet.cpp \
   $(TEST_UTIL_H)
 
diff --git a/src/test/fuzz/coins_view.cpp b/src/test/fuzz/coins_view.cpp
index da96d2fae060..c8f476078022 100644
--- a/src/test/fuzz/coins_view.cpp
+++ b/src/test/fuzz/coins_view.cpp
@@ -6,6 +6,7 @@
 #include <chainparams.h>
 #include <chainparamsbase.h>
 #include <coins.h>
+#include <consensus/tx_check.h>
 #include <consensus/tx_verify.h>
 #include <consensus/validation.h>
 #include <key.h>
@@ -229,11 +230,13 @@ FUZZ_TARGET_INIT(coins_view, initialize_coins_view)
                     // consensus/tx_verify.cpp:171: bool Consensus::CheckTxInputs(const CTransaction &, TxValidationState&, const CCoinsViewCache &, int, CAmount &): Assertion `!coin.IsSpent()' failed.
                     return;
                 }
-                try {
-                    (void)Consensus::CheckTxInputs(transaction, state, coins_view_cache, fuzzed_data_provider.ConsumeIntegralInRange<int>(0, std::numeric_limits<int>::max()), tx_fee_out);
-                    assert(MoneyRange(tx_fee_out));
-                } catch (const std::runtime_error&) {
+                TxValidationState dummy;
+                if (!CheckTransaction(transaction, dummy)) {
+                    // It is not allowed to call CheckTxInputs if CheckTransaction failed
+                    return;
                 }
+                (void)Consensus::CheckTxInputs(transaction, state, coins_view_cache, fuzzed_data_provider.ConsumeIntegralInRange<int>(0, std::numeric_limits<int>::max()), tx_fee_out);
+                assert(MoneyRange(tx_fee_out));
             },
             [&] {
                 const CTransaction transaction{random_mutable_transaction};
diff --git a/src/test/fuzz/netbase_dns_lookup.cpp b/src/test/fuzz/netbase_dns_lookup.cpp
index 2c984e15ff27..cf2fa337443c 100644
--- a/src/test/fuzz/netbase_dns_lookup.cpp
+++ b/src/test/fuzz/netbase_dns_lookup.cpp
@@ -12,27 +12,22 @@
 #include <string>
 #include <vector>
 
-namespace {
-FuzzedDataProvider* fuzzed_data_provider_ptr = nullptr;
-
-std::vector<CNetAddr> fuzzed_dns_lookup_function(const std::string& name, bool allow_lookup)
-{
-    std::vector<CNetAddr> resolved_addresses;
-    while (fuzzed_data_provider_ptr->ConsumeBool()) {
-        resolved_addresses.push_back(ConsumeNetAddr(*fuzzed_data_provider_ptr));
-    }
-    return resolved_addresses;
-}
-} // namespace
-
 FUZZ_TARGET(netbase_dns_lookup)
 {
     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
-    fuzzed_data_provider_ptr = &fuzzed_data_provider;
     const std::string name = fuzzed_data_provider.ConsumeRandomLengthString(512);
     const unsigned int max_results = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
     const bool allow_lookup = fuzzed_data_provider.ConsumeBool();
     const uint16_t default_port = fuzzed_data_provider.ConsumeIntegral<uint16_t>();
+
+    auto fuzzed_dns_lookup_function = [&](const std::string&, bool) {
+        std::vector<CNetAddr> resolved_addresses;
+        while (fuzzed_data_provider.ConsumeBool()) {
+            resolved_addresses.push_back(ConsumeNetAddr(fuzzed_data_provider));
+        }
+        return resolved_addresses;
+    };
+
     {
         std::vector<CNetAddr> resolved_addresses;
         if (LookupHost(name, resolved_addresses, max_results, allow_lookup, fuzzed_dns_lookup_function)) {
@@ -73,5 +68,4 @@ FUZZ_TARGET(netbase_dns_lookup)
             assert(resolved_subnet.IsValid());
         }
     }
-    fuzzed_data_provider_ptr = nullptr;
 }
diff --git a/src/test/fuzz/pow.cpp b/src/test/fuzz/pow.cpp
index fd0ca0644a30..04f51d3fb647 100644
--- a/src/test/fuzz/pow.cpp
+++ b/src/test/fuzz/pow.cpp
@@ -35,7 +35,7 @@ FUZZ_TARGET_INIT(pow, initialize_pow)
         }
         CBlockIndex current_block{*block_header};
         {
-            CBlockIndex* previous_block = !blocks.empty() ? &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)] : nullptr;
+            CBlockIndex* previous_block = blocks.empty() ? nullptr : &PickValue(fuzzed_data_provider, blocks);
             const int current_height = (previous_block != nullptr && previous_block->nHeight != std::numeric_limits<int>::max()) ? previous_block->nHeight + 1 : 0;
             if (fuzzed_data_provider.ConsumeBool()) {
                 current_block.pprev = previous_block;
@@ -64,9 +64,9 @@ FUZZ_TARGET_INIT(pow, initialize_pow)
             }
         }
         {
-            const CBlockIndex* to = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
-            const CBlockIndex* from = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
-            const CBlockIndex* tip = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
+            const CBlockIndex* to = &PickValue(fuzzed_data_provider, blocks);
+            const CBlockIndex* from = &PickValue(fuzzed_data_provider, blocks);
+            const CBlockIndex* tip = &PickValue(fuzzed_data_provider, blocks);
             try {
                 (void)GetBlockProofEquivalentTime(*to, *from, *tip, consensus_params);
             } catch (const uint_error&) {
diff --git a/src/test/fuzz/process_message.cpp b/src/test/fuzz/process_message.cpp
index 6fe278449bc2..915b949fe400 100644
--- a/src/test/fuzz/process_message.cpp
+++ b/src/test/fuzz/process_message.cpp
@@ -17,6 +17,7 @@
 #include <test/util/mining.h>
 #include <test/util/net.h>
 #include <test/util/setup_common.h>
+#include <test/util/validation.h>
 #include <validationinterface.h>
 #include <version.h>
 
@@ -73,7 +74,12 @@ void initialize_process_message()
 void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE)
 {
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
-    ConnmanTestMsg& connman = *(ConnmanTestMsg*)g_setup->m_node.connman.get();
+
+    ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
+    TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
+    SetMockTime(1610000000); // any time to successfully reset ibd
+    chainstate.ResetIbd();
+
     const std::string random_message_type{fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE).c_str()};
     if (!LIMIT_TO_MESSAGE_TYPE.empty() && random_message_type != LIMIT_TO_MESSAGE_TYPE) {
         return;
@@ -86,6 +92,9 @@ void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE
     g_setup->m_node.peerman->InitializeNode(&p2p_node);
     FillNode(fuzzed_data_provider, p2p_node, /* init_version */ successfully_connected);
 
+    const auto mock_time = ConsumeTime(fuzzed_data_provider);
+    SetMockTime(mock_time);
+
     // fuzzed_data_provider is fully consumed after this call, don't use it
     CDataStream random_bytes_data_stream{fuzzed_data_provider.ConsumeRemainingBytes<unsigned char>(), SER_NETWORK, PROTOCOL_VERSION};
     try {
@@ -109,8 +118,16 @@ FUZZ_TARGET_MSG(blocktxn);
 FUZZ_TARGET_MSG(cfcheckpt);
 FUZZ_TARGET_MSG(cfheaders);
 FUZZ_TARGET_MSG(cfilter);
+FUZZ_TARGET_MSG(clsig);
 FUZZ_TARGET_MSG(cmpctblock);
-FUZZ_TARGET_MSG(feefilter);
+FUZZ_TARGET_MSG(dsa);
+FUZZ_TARGET_MSG(dsc);
+FUZZ_TARGET_MSG(dsf);
+FUZZ_TARGET_MSG(dsi);
+FUZZ_TARGET_MSG(dsq);
+FUZZ_TARGET_MSG(dss);
+FUZZ_TARGET_MSG(dssu);
+FUZZ_TARGET_MSG(dstx);
 FUZZ_TARGET_MSG(filteradd);
 FUZZ_TARGET_MSG(filterclear);
 FUZZ_TARGET_MSG(filterload);
@@ -122,17 +139,47 @@ FUZZ_TARGET_MSG(getcfheaders);
 FUZZ_TARGET_MSG(getcfilters);
 FUZZ_TARGET_MSG(getdata);
 FUZZ_TARGET_MSG(getheaders);
+FUZZ_TARGET_MSG(getheaders2);
+FUZZ_TARGET_MSG(getmnlistd);
+FUZZ_TARGET_MSG(getqrinfo);
+FUZZ_TARGET_MSG(getsporks);
+FUZZ_TARGET_MSG(govobj);
+FUZZ_TARGET_MSG(govobjvote);
+FUZZ_TARGET_MSG(govsync);
 FUZZ_TARGET_MSG(headers);
+FUZZ_TARGET_MSG(headers2);
 FUZZ_TARGET_MSG(inv);
+FUZZ_TARGET_MSG(isdlock);
 FUZZ_TARGET_MSG(mempool);
 FUZZ_TARGET_MSG(merkleblock);
+FUZZ_TARGET_MSG(mnauth);
+FUZZ_TARGET_MSG(mnlistdiff);
 FUZZ_TARGET_MSG(notfound);
 FUZZ_TARGET_MSG(ping);
 FUZZ_TARGET_MSG(pong);
+FUZZ_TARGET_MSG(qbsigs);
+FUZZ_TARGET_MSG(qcomplaint);
+FUZZ_TARGET_MSG(qcontrib);
+FUZZ_TARGET_MSG(qdata);
+FUZZ_TARGET_MSG(qfcommit);
+FUZZ_TARGET_MSG(qgetdata);
+FUZZ_TARGET_MSG(qgetsigs);
+FUZZ_TARGET_MSG(qjustify);
+FUZZ_TARGET_MSG(qpcommit);
+FUZZ_TARGET_MSG(qrinfo);
+FUZZ_TARGET_MSG(qsendrecsigs);
+FUZZ_TARGET_MSG(qsigrec);
+FUZZ_TARGET_MSG(qsigsesann);
+FUZZ_TARGET_MSG(qsigshare);
+FUZZ_TARGET_MSG(qsigsinv);
+FUZZ_TARGET_MSG(qwatch);
 FUZZ_TARGET_MSG(sendaddrv2);
 FUZZ_TARGET_MSG(sendcmpct);
+FUZZ_TARGET_MSG(senddsq);
 FUZZ_TARGET_MSG(sendheaders);
+FUZZ_TARGET_MSG(sendheaders2);
+FUZZ_TARGET_MSG(spork);
+FUZZ_TARGET_MSG(ssc);
 FUZZ_TARGET_MSG(tx);
 FUZZ_TARGET_MSG(verack);
 FUZZ_TARGET_MSG(version);
-FUZZ_TARGET_MSG(wtxidrelay);
diff --git a/src/test/fuzz/process_messages.cpp b/src/test/fuzz/process_messages.cpp
index dc035b52d61f..b61df25ed717 100644
--- a/src/test/fuzz/process_messages.cpp
+++ b/src/test/fuzz/process_messages.cpp
@@ -12,6 +12,7 @@
 #include <test/util/mining.h>
 #include <test/util/net.h>
 #include <test/util/setup_common.h>
+#include <test/util/validation.h>
 #include <validation.h>
 #include <validationinterface.h>
 
@@ -33,9 +34,12 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
 {
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
 
-    ConnmanTestMsg& connman = *(ConnmanTestMsg*)g_setup->m_node.connman.get();
-    std::vector<CNode*> peers;
+    ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
+    TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
+    SetMockTime(1610000000); // any time to successfully reset ibd
+    chainstate.ResetIbd();
 
+    std::vector<CNode*> peers;
     const auto num_peers_to_add = fuzzed_data_provider.ConsumeIntegralInRange(1, 3);
     for (int i = 0; i < num_peers_to_add; ++i) {
         peers.push_back(ConsumeNodeAsUniquePtr(fuzzed_data_provider, i).release());
@@ -53,11 +57,14 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
     while (fuzzed_data_provider.ConsumeBool()) {
         const std::string random_message_type{fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE).c_str()};
 
+        const auto mock_time = ConsumeTime(fuzzed_data_provider);
+        SetMockTime(mock_time);
+
         CSerializedNetMsg net_msg;
         net_msg.command = random_message_type;
         net_msg.data = ConsumeRandomLengthByteVector(fuzzed_data_provider);
 
-        CNode& random_node = *peers.at(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, peers.size() - 1));
+        CNode& random_node = *PickValue(fuzzed_data_provider, peers);
 
         (void)connman.ReceiveMsgFrom(random_node, net_msg);
         random_node.fPauseSend = false;
diff --git a/src/test/fuzz/psbt.cpp b/src/test/fuzz/psbt.cpp
index b29f4e2228db..de0f7062434b 100644
--- a/src/test/fuzz/psbt.cpp
+++ b/src/test/fuzz/psbt.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 
 #include <node/psbt.h>
@@ -9,6 +10,7 @@
 #include <pubkey.h>
 #include <script/script.h>
 #include <streams.h>
+#include <util/check.h>
 #include <version.h>
 
 #include <cstdint>
@@ -18,10 +20,10 @@
 
 FUZZ_TARGET(psbt)
 {
+    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
     PartiallySignedTransaction psbt_mut;
-    const std::string raw_psbt{buffer.begin(), buffer.end()};
     std::string error;
-    if (!DecodeRawPSBT(psbt_mut, raw_psbt, error)) {
+    if (!DecodeRawPSBT(psbt_mut, fuzzed_data_provider.ConsumeRandomLengthString(), error)) {
         return;
     }
     const PartiallySignedTransaction psbt = psbt_mut;
@@ -66,6 +68,20 @@ FUZZ_TARGET(psbt)
         const PartiallySignedTransaction psbt_from_tx{result};
     }
 
+    PartiallySignedTransaction psbt_merge;
+    if (!DecodeRawPSBT(psbt_merge, fuzzed_data_provider.ConsumeRandomLengthString(), error)) {
+        psbt_merge = psbt;
+    }
+    psbt_mut = psbt;
+    (void)psbt_mut.Merge(psbt_merge);
+    psbt_mut = psbt;
+    (void)CombinePSBTs(psbt_mut, {psbt_mut, psbt_merge});
     psbt_mut = psbt;
-    (void)psbt_mut.Merge(psbt);
+    for (unsigned int i = 0; i < psbt_merge.tx->vin.size(); ++i) {
+        (void)psbt_mut.AddInput(psbt_merge.tx->vin[i], psbt_merge.inputs[i]);
+    }
+    for (unsigned int i = 0; i < psbt_merge.tx->vout.size(); ++i) {
+        Assert(psbt_mut.AddOutput(psbt_merge.tx->vout[i], psbt_merge.outputs[i]));
+    }
+    psbt_mut.unknown.insert(psbt_merge.unknown.begin(), psbt_merge.unknown.end());
 }
diff --git a/src/test/fuzz/script_flags.cpp b/src/test/fuzz/script_flags.cpp
index bfabf3af732c..c38dbfb4d83a 100644
--- a/src/test/fuzz/script_flags.cpp
+++ b/src/test/fuzz/script_flags.cpp
@@ -5,13 +5,11 @@
 #include <pubkey.h>
 #include <script/interpreter.h>
 #include <streams.h>
+#include <test/util/script.h>
 #include <version.h>
 
 #include <test/fuzz/fuzz.h>
 
-/** Flags that are not forbidden by an assert */
-static bool IsValidFlagCombination(unsigned flags);
-
 FUZZ_TARGET(script_flags)
 {
     CDataStream ds(buffer, SER_NETWORK, INIT_PROTO_VERSION);
@@ -67,9 +65,3 @@ FUZZ_TARGET(script_flags)
         return;
     }
 }
-
-static bool IsValidFlagCombination(unsigned flags)
-{
-    if (flags & SCRIPT_VERIFY_CLEANSTACK && ~flags & SCRIPT_VERIFY_P2SH) return false;
-    return true;
-}
diff --git a/src/test/fuzz/signature_checker.cpp b/src/test/fuzz/signature_checker.cpp
index c0b083f2a8fe..175024b1f36c 100644
--- a/src/test/fuzz/signature_checker.cpp
+++ b/src/test/fuzz/signature_checker.cpp
@@ -6,6 +6,8 @@
 #include <script/interpreter.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/script.h>
 
 #include <cstdint>
 #include <limits>
@@ -45,14 +47,12 @@ FUZZ_TARGET(signature_checker)
 {
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
     const unsigned int flags = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
-    const std::string script_string_1 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
-    const std::vector<uint8_t> script_bytes_1{script_string_1.begin(), script_string_1.end()};
-    const std::string script_string_2 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
-    const std::vector<uint8_t> script_bytes_2{script_string_2.begin(), script_string_2.end()};
+    const auto script_1 = ConsumeScript(fuzzed_data_provider, 65536);
+    const auto script_2 = ConsumeScript(fuzzed_data_provider, 65536);
     std::vector<std::vector<unsigned char>> stack;
-    (void)EvalScript(stack, {script_bytes_1.begin(), script_bytes_1.end()}, flags, FuzzedSignatureChecker(fuzzed_data_provider), SigVersion::BASE, nullptr);
-    if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0 && ((flags & SCRIPT_VERIFY_P2SH) == 0)) {
+    (void)EvalScript(stack, script_1, flags, FuzzedSignatureChecker(fuzzed_data_provider), SigVersion::BASE, nullptr);
+    if (!IsValidFlagCombination(flags)) {
         return;
     }
-    (void)VerifyScript({script_bytes_1.begin(), script_bytes_1.end()}, {script_bytes_2.begin(), script_bytes_2.end()}, flags, FuzzedSignatureChecker(fuzzed_data_provider), nullptr);
+    (void)VerifyScript(script_1, script_2, flags, FuzzedSignatureChecker(fuzzed_data_provider), nullptr);
 }
diff --git a/src/test/fuzz/transaction.cpp b/src/test/fuzz/transaction.cpp
index 58f5d0f88c27..ae9cc9b4b14e 100644
--- a/src/test/fuzz/transaction.cpp
+++ b/src/test/fuzz/transaction.cpp
@@ -60,8 +60,11 @@ FUZZ_TARGET_INIT(transaction, initialize_transaction)
         return;
     }
 
-    TxValidationState state_with_dupe_check;
-    (void)CheckTransaction(tx, state_with_dupe_check);
+    {
+        TxValidationState state_with_dupe_check;
+        const bool res{CheckTransaction(tx, state_with_dupe_check)};
+        Assert(res == state_with_dupe_check.IsValid());
+    }
 
     std::string reason;
     const bool is_standard_with_permit_bare_multisig = IsStandardTx(tx, reason);
diff --git a/src/test/fuzz/tx_pool.cpp b/src/test/fuzz/tx_pool.cpp
new file mode 100644
index 000000000000..3a083667562d
--- /dev/null
+++ b/src/test/fuzz/tx_pool.cpp
@@ -0,0 +1,292 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <consensus/validation.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/mining.h>
+#include <test/util/script.h>
+#include <test/util/setup_common.h>
+#include <validation.h>
+#include <validationinterface.h>
+
+namespace {
+
+const TestingSetup* g_setup;
+std::vector<COutPoint> g_outpoints_coinbase_init_mature;
+std::vector<COutPoint> g_outpoints_coinbase_init_immature;
+
+struct MockedTxPool : public CTxMemPool {
+    void RollingFeeUpdate()
+    {
+        lastRollingFeeUpdate = GetTime();
+        blockSinceLastRollingFeeBump = true;
+    }
+};
+
+void initialize_tx_pool()
+{
+    static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
+    g_setup = testing_setup.get();
+
+    for (int i = 0; i < 2 * COINBASE_MATURITY; ++i) {
+        CTxIn in = MineBlock(g_setup->m_node, CScript() << OP_TRUE);
+        // Remember the txids to avoid expensive disk acess later on
+        auto& outpoints = i < COINBASE_MATURITY ?
+                              g_outpoints_coinbase_init_mature :
+                              g_outpoints_coinbase_init_immature;
+        outpoints.push_back(in.prevout);
+    }
+    SyncWithValidationInterfaceQueue();
+}
+
+struct TransactionsDelta final : public CValidationInterface {
+    std::set<CTransactionRef>& m_removed;
+    std::set<CTransactionRef>& m_added;
+
+    explicit TransactionsDelta(std::set<CTransactionRef>& r, std::set<CTransactionRef>& a)
+        : m_removed{r}, m_added{a} {}
+
+    void TransactionAddedToMempool(const CTransactionRef& tx, int64_t /* nAcceptTime */) override
+    {
+        Assert(m_added.insert(tx).second);
+    }
+
+    void TransactionRemovedFromMempool(const CTransactionRef& tx, MemPoolRemovalReason reason) override
+    {
+        Assert(m_removed.insert(tx).second);
+    }
+};
+
+void SetMempoolConstraints(ArgsManager& args, FuzzedDataProvider& fuzzed_data_provider)
+{
+    args.ForceSetArg("-limitancestorcount",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
+    args.ForceSetArg("-limitancestorsize",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
+    args.ForceSetArg("-limitdescendantcount",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
+    args.ForceSetArg("-limitdescendantsize",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
+    args.ForceSetArg("-maxmempool",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 200)));
+    args.ForceSetArg("-mempoolexpiry",
+                     ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 999)));
+}
+
+FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    const auto& node = g_setup->m_node;
+    auto& chainstate = node.chainman->ActiveChainstate();
+
+    SetMockTime(ConsumeTime(fuzzed_data_provider));
+    SetMempoolConstraints(*node.args, fuzzed_data_provider);
+
+    // All RBF-spendable outpoints
+    std::set<COutPoint> outpoints_rbf;
+    // All outpoints counting toward the total supply (subset of outpoints_rbf)
+    std::set<COutPoint> outpoints_supply;
+    for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
+        Assert(outpoints_supply.insert(outpoint).second);
+    }
+    outpoints_rbf = outpoints_supply;
+
+    // The sum of the values of all spendable outpoints
+    constexpr CAmount SUPPLY_TOTAL{COINBASE_MATURITY * 50 * COIN};
+
+    CTxMemPool tx_pool_{/* estimator */ nullptr, /* check_ratio */ 1};
+    MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
+
+    // Helper to query an amount
+    const CCoinsViewMemPool amount_view{WITH_LOCK(::cs_main, return &chainstate.CoinsTip()), tx_pool};
+    const auto GetAmount = [&](const COutPoint& outpoint) {
+        Coin c;
+        Assert(amount_view.GetCoin(outpoint, c));
+        return c.out.nValue;
+    };
+
+    while (fuzzed_data_provider.ConsumeBool()) {
+        {
+            // Total supply is all outpoints
+            CAmount supply_now{0};
+            for (const auto& op : outpoints_supply) {
+                supply_now += GetAmount(op);
+            }
+            Assert(supply_now == SUPPLY_TOTAL);
+        }
+        Assert(!outpoints_supply.empty());
+
+        // Create transaction to add to the mempool
+        const CTransactionRef tx = [&] {
+            CMutableTransaction tx_mut;
+            tx_mut.nVersion = CTransaction::CURRENT_VERSION;
+            tx_mut.nLockTime = fuzzed_data_provider.ConsumeBool() ? 0 : fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+            const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size());
+            const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size() * 2);
+
+            CAmount amount_in{0};
+            for (int i = 0; i < num_in; ++i) {
+                // Pop random outpoint
+                auto pop = outpoints_rbf.begin();
+                std::advance(pop, fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, outpoints_rbf.size() - 1));
+                const auto outpoint = *pop;
+                outpoints_rbf.erase(pop);
+                amount_in += GetAmount(outpoint);
+
+                // Create input
+                const auto sequence = ConsumeSequence(fuzzed_data_provider);
+                const auto script_sig = CScript{};
+                CTxIn in;
+                in.prevout = outpoint;
+                in.nSequence = sequence;
+                in.scriptSig = script_sig;
+
+                tx_mut.vin.push_back(in);
+            }
+            const auto amount_fee = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-1000, amount_in);
+            const auto amount_out = (amount_in - amount_fee) / num_out;
+            for (int i = 0; i < num_out; ++i) {
+                tx_mut.vout.emplace_back(amount_out, CScript() << OP_RETURN);
+            }
+            const auto tx = MakeTransactionRef(tx_mut);
+            // Restore previously removed outpoints
+            for (const auto& in : tx->vin) {
+                Assert(outpoints_rbf.insert(in.prevout).second);
+            }
+            return tx;
+        }();
+
+        if (fuzzed_data_provider.ConsumeBool()) {
+            SetMockTime(ConsumeTime(fuzzed_data_provider));
+        }
+        if (fuzzed_data_provider.ConsumeBool()) {
+            SetMempoolConstraints(*node.args, fuzzed_data_provider);
+        }
+        if (fuzzed_data_provider.ConsumeBool()) {
+            tx_pool.RollingFeeUpdate();
+        }
+        if (fuzzed_data_provider.ConsumeBool()) {
+            const auto& txid = fuzzed_data_provider.ConsumeBool() ?
+                                   tx->GetHash() :
+                                   PickValue(fuzzed_data_provider, outpoints_rbf).hash;
+            const auto delta = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-50 * COIN, +50 * COIN);
+            tx_pool.PrioritiseTransaction(txid, delta);
+        }
+
+        // Remember all removed and added transactions
+        std::set<CTransactionRef> removed;
+        std::set<CTransactionRef> added;
+        auto txr = std::make_shared<TransactionsDelta>(removed, added);
+        RegisterSharedValidationInterface(txr);
+        const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
+        ::fRequireStandard = fuzzed_data_provider.ConsumeBool();
+
+        // Make sure ProcessNewPackage on one transaction works and always fully validates the transaction.
+        // The result is not guaranteed to be the same as what is returned by ATMP.
+        const auto result_package = WITH_LOCK(::cs_main,
+                                    return ProcessNewPackage(node.chainman->ActiveChainstate(), tx_pool, {tx}, true));
+        auto it = result_package.m_tx_results.find(tx->GetHash());
+        Assert(it != result_package.m_tx_results.end());
+        Assert(it->second.m_result_type == MempoolAcceptResult::ResultType::VALID ||
+               it->second.m_result_type == MempoolAcceptResult::ResultType::INVALID);
+
+        const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(chainstate, tx_pool, tx, bypass_limits));
+        const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
+        SyncWithValidationInterfaceQueue();
+        UnregisterSharedValidationInterface(txr);
+
+        Assert(accepted != added.empty());
+        Assert(accepted == res.m_state.IsValid());
+        Assert(accepted != res.m_state.IsInvalid());
+        if (accepted) {
+            Assert(added.size() == 1); // For now, no package acceptance
+            Assert(tx == *added.begin());
+        } else {
+            // Do not consider rejected transaction removed
+            removed.erase(tx);
+        }
+
+        // Helper to insert spent and created outpoints of a tx into collections
+        using Sets = std::vector<std::reference_wrapper<std::set<COutPoint>>>;
+        const auto insert_tx = [](Sets created_by_tx, Sets consumed_by_tx, const auto& tx) {
+            for (size_t i{0}; i < tx.vout.size(); ++i) {
+                for (auto& set : created_by_tx) {
+                    Assert(set.get().emplace(tx.GetHash(), i).second);
+                }
+            }
+            for (const auto& in : tx.vin) {
+                for (auto& set : consumed_by_tx) {
+                    Assert(set.get().insert(in.prevout).second);
+                }
+            }
+        };
+        // Add created outpoints, remove spent outpoints
+        {
+            // Outpoints that no longer exist at all
+            std::set<COutPoint> consumed_erased;
+            // Outpoints that no longer count toward the total supply
+            std::set<COutPoint> consumed_supply;
+            for (const auto& removed_tx : removed) {
+                insert_tx(/* created_by_tx */ {consumed_erased}, /* consumed_by_tx */ {outpoints_supply}, /* tx */ *removed_tx);
+            }
+            for (const auto& added_tx : added) {
+                insert_tx(/* created_by_tx */ {outpoints_supply, outpoints_rbf}, /* consumed_by_tx */ {consumed_supply}, /* tx */ *added_tx);
+            }
+            for (const auto& p : consumed_erased) {
+                Assert(outpoints_supply.erase(p) == 1);
+                Assert(outpoints_rbf.erase(p) == 1);
+            }
+            for (const auto& p : consumed_supply) {
+                Assert(outpoints_supply.erase(p) == 1);
+            }
+        }
+    }
+    WITH_LOCK(::cs_main, tx_pool.check(chainstate));
+    const auto info_all = tx_pool.infoAll();
+    if (!info_all.empty()) {
+        const auto& tx_to_remove = *PickValue(fuzzed_data_provider, info_all).tx;
+        WITH_LOCK(tx_pool.cs, tx_pool.removeRecursive(tx_to_remove, /* dummy */ MemPoolRemovalReason::BLOCK));
+        std::vector<uint256> all_txids;
+        tx_pool.queryHashes(all_txids);
+        assert(all_txids.size() < info_all.size());
+        WITH_LOCK(::cs_main, tx_pool.check(chainstate));
+    }
+    SyncWithValidationInterfaceQueue();
+}
+
+FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    const auto& node = g_setup->m_node;
+
+    std::vector<uint256> txids;
+    for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
+        txids.push_back(outpoint.hash);
+    }
+    for (int i{0}; i <= 3; ++i) {
+        // Add some immature and non-existent outpoints
+        txids.push_back(g_outpoints_coinbase_init_immature.at(i).hash);
+        txids.push_back(ConsumeUInt256(fuzzed_data_provider));
+    }
+
+    CTxMemPool tx_pool{/* estimator */ nullptr, /* check_ratio */ 1};
+
+    while (fuzzed_data_provider.ConsumeBool()) {
+        const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
+
+        const auto tx = MakeTransactionRef(mut_tx);
+        const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
+        ::fRequireStandard = fuzzed_data_provider.ConsumeBool();
+        const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(node.chainman->ActiveChainstate(), tx_pool, tx, bypass_limits));
+        const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
+        if (accepted) {
+            txids.push_back(tx->GetHash());
+        }
+
+        SyncWithValidationInterfaceQueue();
+    }
+}
+} // namespace
diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
index e3dfcd933b54..12d6349c060f 100644
--- a/src/test/fuzz/util.cpp
+++ b/src/test/fuzz/util.cpp
@@ -4,6 +4,7 @@
 
 #include <test/fuzz/util.h>
 
+#include <test/util/script.h>
 #include <util/overflow.h>
 #include <version.h>
 
@@ -215,3 +216,50 @@ void FillNode(FuzzedDataProvider& fuzzed_data_provider, CNode& node, bool init_v
         node.m_tx_relay->fRelayTxes = filter_txs;
     }
 }
+
+CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<uint256>>& prevout_txids, const int max_num_in, const int max_num_out) noexcept
+{
+    CMutableTransaction tx_mut;
+    tx_mut.nVersion = fuzzed_data_provider.ConsumeBool() ?
+                          CTransaction::CURRENT_VERSION :
+                          fuzzed_data_provider.ConsumeIntegral<int32_t>();
+    tx_mut.nLockTime = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+    const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_in);
+    const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_out);
+    for (int i = 0; i < num_in; ++i) {
+        const auto& txid_prev = prevout_txids ?
+                                    PickValue(fuzzed_data_provider, *prevout_txids) :
+                                    ConsumeUInt256(fuzzed_data_provider);
+        const auto index_out = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, max_num_out);
+        const auto sequence = ConsumeSequence(fuzzed_data_provider);
+        const auto script_sig = ConsumeScript(fuzzed_data_provider);
+        CTxIn in;
+        in.prevout = COutPoint{txid_prev, index_out};
+        in.nSequence = sequence;
+        in.scriptSig = script_sig;
+
+        tx_mut.vin.push_back(in);
+    }
+    for (int i = 0; i < num_out; ++i) {
+        const auto amount = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-10, 50 * COIN + 10);
+        const auto script_pk = ConsumeScript(fuzzed_data_provider, /* max_length */ 128);
+        tx_mut.vout.emplace_back(amount, script_pk);
+    }
+    return tx_mut;
+}
+
+CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length) noexcept
+{
+    const std::vector<uint8_t> b = ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length);
+    return {b.begin(), b.end()};
+}
+
+uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
+{
+    return fuzzed_data_provider.ConsumeBool() ?
+               fuzzed_data_provider.PickValueInArray({
+                   CTxIn::SEQUENCE_FINAL,
+                   CTxIn::SEQUENCE_FINAL - 1
+               }) :
+               fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+}
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 6cab0751a11b..db0359aa8d3e 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -51,6 +51,16 @@ void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
     return ((i++ == call_index ? callables() : void()), ...);
 }
 
+template <typename Collection>
+auto& PickValue(FuzzedDataProvider& fuzzed_data_provider, Collection& col)
+{
+    const auto sz = col.size();
+    assert(sz >= 1);
+    auto it = col.begin();
+    std::advance(it, fuzzed_data_provider.ConsumeIntegralInRange<decltype(sz)>(0, sz - 1));
+    return *it;
+}
+
 [[ nodiscard ]] inline std::vector<uint8_t> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
 {
     const std::string s = fuzzed_data_provider.ConsumeRandomLengthString(max_length);
@@ -128,11 +138,11 @@ template <typename WeakEnumType, size_t size>
     return fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(time_min, time_max);
 }
 
-[[ nodiscard ]] inline CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider) noexcept
-{
-    const std::vector<uint8_t> b = ConsumeRandomLengthByteVector(fuzzed_data_provider);
-    return {b.begin(), b.end()};
-}
+[[ nodiscard ]] CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<uint256>>& prevout_txids, const int max_num_in = 10, const int max_num_out = 10) noexcept;
+
+[[ nodiscard ]] CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept;
+
+[[ nodiscard ]] uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept;
 
 [[ nodiscard ]] inline CScriptNum ConsumeScriptNum(FuzzedDataProvider& fuzzed_data_provider) noexcept
 {
diff --git a/src/test/util/script.cpp b/src/test/util/script.cpp
new file mode 100644
index 000000000000..5246f80a65ed
--- /dev/null
+++ b/src/test/util/script.cpp
@@ -0,0 +1,12 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <script/interpreter.h>
+#include <test/util/script.h>
+
+bool IsValidFlagCombination(unsigned flags)
+{
+    if (flags & SCRIPT_VERIFY_CLEANSTACK && ~flags & SCRIPT_VERIFY_P2SH) return false;
+    return true;
+}
diff --git a/src/test/util/script.h b/src/test/util/script.h
new file mode 100644
index 000000000000..215a943b1ad7
--- /dev/null
+++ b/src/test/util/script.h
@@ -0,0 +1,11 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_TEST_UTIL_SCRIPT_H
+#define BITCOIN_TEST_UTIL_SCRIPT_H
+
+/** Flags that are not forbidden by an assert in script validation */
+bool IsValidFlagCombination(unsigned flags);
+
+#endif // BITCOIN_TEST_UTIL_SCRIPT_H
diff --git a/src/test/util/validation.cpp b/src/test/util/validation.cpp
new file mode 100644
index 000000000000..1aed492c3c03
--- /dev/null
+++ b/src/test/util/validation.cpp
@@ -0,0 +1,22 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/util/validation.h>
+
+#include <util/check.h>
+#include <util/time.h>
+#include <validation.h>
+
+void TestChainState::ResetIbd()
+{
+    m_cached_finished_ibd = false;
+    assert(IsInitialBlockDownload());
+}
+
+void TestChainState::JumpOutOfIbd()
+{
+    Assert(IsInitialBlockDownload());
+    m_cached_finished_ibd = true;
+    Assert(!IsInitialBlockDownload());
+}
diff --git a/src/test/util/validation.h b/src/test/util/validation.h
new file mode 100644
index 000000000000..b13aa0be60d5
--- /dev/null
+++ b/src/test/util/validation.h
@@ -0,0 +1,17 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_TEST_UTIL_VALIDATION_H
+#define BITCOIN_TEST_UTIL_VALIDATION_H
+
+#include <validation.h>
+
+struct TestChainState : public CChainState {
+    /** Reset the ibd cache to its initial state */
+    void ResetIbd();
+    /** Toggle IsInitialBlockDownload from true to false */
+    void JumpOutOfIbd();
+};
+
+#endif // BITCOIN_TEST_UTIL_VALIDATION_H
diff --git a/src/txmempool.h b/src/txmempool.h
index cbf5fb8e12d5..4b7d09bad6e3 100644
--- a/src/txmempool.h
+++ b/src/txmempool.h
@@ -442,7 +442,7 @@ enum class MemPoolRemovalReason {
  */
 class CTxMemPool
 {
-private:
+protected:
     const int m_check_ratio; //!< Value n means that 1 times in n we check.
     std::atomic<unsigned int> nTransactionsUpdated{0}; //!< Used by getblocktemplate to trigger CreateNewBlock() invocation
     CBlockPolicyEstimator* minerPolicyEstimator;
diff --git a/src/validation.h b/src/validation.h
index 0f1b61e17002..35bb2bd8e283 100644
--- a/src/validation.h
+++ b/src/validation.h
@@ -625,8 +625,7 @@ enum class CoinsCacheSizeState
  */
 class CChainState
 {
-private:
-
+protected:
     /**
      * Every received block is assigned a unique and increasing identifier, so we
      * know which one to give priority in case of a fork.