Running the chanmon_consistency fuzz target on main reveals three distinct panics. All three bisect to the splice RBF PR, starting at 5b6ba43 ("Add rbf_channel API for initiating splice RBF").
Crash 1: assert_action_timeout_awaiting_response failure
A HandleError event contains an ErrorAction that isn't the expected timeout disconnect warning.
assertion failed: matches!(action, msgs::ErrorAction::DisconnectPeerWithWarning { msg } if msg.data.contains("Disconnecting due to timeout awaiting response"))
Repro (from fuzz/):
echo -ne '\xff\xa0\xa0\x3d\xff\xff\x80\xff\xff\xa2\xa0\xff\xab\xad\xff\x25' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target
Crash 2: Stuck pending payments
After settling all channel state, a node still has unresolved pending payments.
Node 0 has 1 stuck pending payments after settling all state
Repro (from fuzz/):
echo -ne '\x70\xa4\x80\xff\xff\xa1\x27\xa4\xff\xff\xff\xff' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target
Crash 3: unwrap() on None in splice handler
The fuzz target calls unwrap() on a channel lookup that returns None, likely because the channel was closed before the splice callback executed.
called `Option::unwrap()` on a `None` value
Repro (from fuzz/):
echo -ne '\x70\xa4\x27\x80\xff\xa4\x80\xff\xa4\xff\xff\xff\xa6\xab\xab\xab\xab\xab\xa4\xa6\xff\xff\xff\xff' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target
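As an added illustration (not code from this issue or from rust-lightning), the following hypothetical Rust model reproduces the ordering suspected behind crash 3: a splice RBF action is queued for a channel, the channel is closed before the action runs, and the deferred handler then looks the channel up. The types and function names (Channel, DeferredAction, ChannelManager, queue_splice_rbf, process_actions) are assumptions made for the example; the point it shows is the unwrap() pattern panicking beside a hardened handler that treats a vanished channel as an ordinary outcome.

```rust
use std::collections::HashMap;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Hypothetical, simplified model for illustration only. None of these
// names are rust-lightning's real types; they stand in for "a channel map
// plus deferred per-channel actions".
#[derive(Debug, Clone, PartialEq)]
pub struct Channel {
    pub id: u64,
    pub feerate_sat_per_kw: u32,
}

#[derive(Debug, Clone, PartialEq)]
pub enum DeferredAction {
    SpliceRbf { channel_id: u64, new_feerate: u32 },
}

#[derive(Debug, Clone, PartialEq)]
pub enum ActionOutcome {
    Applied { channel_id: u64, new_feerate: u32 },
    ChannelGone { channel_id: u64 },
}

#[derive(Default)]
pub struct ChannelManager {
    channels: HashMap<u64, Channel>,
    pending_actions: Vec<DeferredAction>,
}

impl ChannelManager {
    pub fn open_channel(&mut self, id: u64, feerate_sat_per_kw: u32) {
        self.channels.insert(id, Channel { id, feerate_sat_per_kw });
    }

    /// Removes the channel; any action still queued for it now dangles.
    pub fn close_channel(&mut self, id: u64) -> bool {
        self.channels.remove(&id).is_some()
    }

    /// Queues a splice RBF to be applied later (the "callback" of the report).
    pub fn queue_splice_rbf(&mut self, channel_id: u64, new_feerate: u32) {
        self.pending_actions.push(DeferredAction::SpliceRbf { channel_id, new_feerate });
    }

    pub fn feerate(&self, id: u64) -> Option<u32> {
        self.channels.get(&id).map(|c| c.feerate_sat_per_kw)
    }

    /// Crashing pattern: unwrap() assumes the channel still exists when the
    /// deferred action finally runs.
    pub fn process_actions_unwrap(&mut self) -> Vec<ActionOutcome> {
        let actions = std::mem::take(&mut self.pending_actions);
        let mut outcomes = Vec::new();
        for action in actions {
            match action {
                DeferredAction::SpliceRbf { channel_id, new_feerate } => {
                    // Panics with "called `Option::unwrap()` on a `None` value"
                    // if the channel was closed in between.
                    let chan = self.channels.get_mut(&channel_id).unwrap();
                    chan.feerate_sat_per_kw = new_feerate;
                    outcomes.push(ActionOutcome::Applied { channel_id, new_feerate });
                }
            }
        }
        outcomes
    }

    /// Hardened pattern: a channel that disappeared before its action ran is
    /// reported as ChannelGone and the remaining actions still get processed.
    pub fn process_actions(&mut self) -> Vec<ActionOutcome> {
        let actions = std::mem::take(&mut self.pending_actions);
        let mut outcomes = Vec::new();
        for action in actions {
            match action {
                DeferredAction::SpliceRbf { channel_id, new_feerate } => {
                    match self.channels.get_mut(&channel_id) {
                        Some(chan) => {
                            chan.feerate_sat_per_kw = new_feerate;
                            outcomes.push(ActionOutcome::Applied { channel_id, new_feerate });
                        }
                        None => outcomes.push(ActionOutcome::ChannelGone { channel_id }),
                    }
                }
            }
        }
        outcomes
    }
}

/// Replays the suspected ordering: queue, close, then run the deferred action.
/// Returns whether the unwrap() version panicked, plus the hardened outcomes.
pub fn lookup_after_close() -> (bool, Vec<ActionOutcome>) {
    let mut cm = ChannelManager::default();
    cm.open_channel(1, 253);
    cm.queue_splice_rbf(1, 1000);
    cm.close_channel(1);
    let panicked = catch_unwind(AssertUnwindSafe(|| cm.process_actions_unwrap())).is_err();

    let mut hardened = ChannelManager::default();
    hardened.open_channel(1, 253);
    hardened.open_channel(2, 253);
    hardened.queue_splice_rbf(1, 1000);
    hardened.queue_splice_rbf(2, 1000);
    hardened.close_channel(1);
    let outcomes = hardened.process_actions();
    (panicked, outcomes)
}

fn main() {
    let (panicked, outcomes) = lookup_after_close();
    println!("unwrap version panicked: {panicked}");
    println!("hardened outcomes: {outcomes:?}");
}
```

The hardened handler is the shape a fix usually takes for this class of fuzz finding: the lookup result is matched rather than unwrapped, the missing-channel case becomes an explicit outcome (or an error event), and processing continues for the other channels instead of aborting the node.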