Smite

Smite is a coverage-guided fuzzing framework for Lightning Network implementations, derived from fuzzamoto.

Supported Targets

• LND
• LDK
• CLN

Prerequisites

• x86_64 architecture
• Modern Linux operating system
• Docker
• AFL++ built from source with Nyx mode

Quick Start

Choose a target (LND, LDK, or CLN) and follow the steps below:

# Build the Docker image
docker build -t smite-lnd -f workloads/lnd/Dockerfile .  # for LND
docker build -t smite-ldk -f workloads/ldk/Dockerfile .  # for LDK
docker build -t smite-cln -f workloads/ldk/Dockerfile .  # for CLN

# Enable the KVM VMware backdoor (required for Nyx)
./scripts/enable-vmware-backdoor.sh

# Create the Nyx sharedir
./scripts/setup-nyx.sh /tmp/smite-nyx smite-lnd ~/AFLplusplus  # for LND
./scripts/setup-nyx.sh /tmp/smite-nyx smite-ldk ~/AFLplusplus  # for LDK
./scripts/setup-nyx.sh /tmp/smite-nyx smite-cln ~/AFLplusplus  # for CLN

# Create seed corpus
mkdir -p /tmp/smite-seeds
echo 'AAAA' > /tmp/smite-seeds/seed1

# Start fuzzing
~/AFLplusplus/afl-fuzz -X -i /tmp/smite-seeds -o /tmp/smite-out -- /tmp/smite-nyx

Running Modes

Nyx Mode

Uses the Nyx hypervisor for fast snapshot-based fuzzing. AFL++ manages the fuzzing loop and coverage feedback.

The -X flag enables standalone Nyx mode:

afl-fuzz -X -i <seeds> -o <output> -- <sharedir>

Local Mode

This mode runs without Nyx and is used to reproduce and debug crashes.

Reproducing Crashes

When AFL++ finds a crash:

# Get the crash input
cp /tmp/smite-out/default/crashes/<crashing-input> ./crash

# Reproduce in local mode (use the matching image and scenario binary)
docker run --rm -v $PWD/crash:/input.bin -e SMITE_INPUT=/input.bin smite-lnd /lnd-scenario
docker run --rm -v $PWD/crash:/input.bin -e SMITE_INPUT=/input.bin smite-ldk /ldk-scenario
docker run --rm -v $PWD/crash:/input.bin -e SMITE_INPUT=/input.bin smite-cln /cln-scenario

Coverage Report Mode

Generate an HTML coverage report showing which parts of the target were exercised by a fuzzing corpus:

# Generate coverage report from a fuzzing corpus
./scripts/lnd-coverage-report.sh /tmp/smite-out/default/queue/ ./coverage-report   # for LND
./scripts/ldk-coverage-report.sh /tmp/smite-out/default/queue/ ./coverage-report   # for LDK
./scripts/cln-coverage-report.sh /tmp/smite-out/default/queue/ ./coverage-report   # for CLN

# View the report
firefox ./coverage-report/coverage.html           # for LND
firefox ./coverage-report/html/index.html         # for LDK or CLN

Project Structure

smite/              # Core Rust library (runners, scenarios, noise protocol, BOLT messages)
smite-nyx-sys/      # Nyx FFI bindings
smite-scenarios/    # Scenario implementations and target binaries
workloads/
  lnd/              # LND fuzzing workload (Dockerfile, init script)
  ldk/              # LDK fuzzing workload (Dockerfile, init script, ldk-node wrapper)
  cln/              # CLN fuzzing workload (Dockerfile, init script)
scripts/
  setup-nyx.sh              # Helper to create Nyx sharedirs
  enable-vmware-backdoor.sh # Enable KVM VMware backdoor for Nyx
  lnd-coverage-report.sh    # Generate an LND coverage report
  ldk-coverage-report.sh    # Generate an LDK coverage report
  cln-coverage-report.sh    # Generate a CLN coverage report
  symbolize-crash.sh        # Symbolize CLN crash report stack traces