# Gavin Andresen # 2012-01-17 23:19:14 # https://bitcointalk.org/index.php?topic=59985.msg697733#msg697733

I did some work today that should be useful to stress-test transaction handling for alternative bitcoin implementations:
(link)

From its README.md:

Hacked version of Bitcoin that adds a "relayfuzzed" command. Note: this only works on the testnet.

USING THIS CODE

First, create one or more transactions using the send* RPC commands, and remember their transaction IDs. This version of bitcoin is modified so 'original' wallet transactions are not announced to the network.

Then, you can generate as many "fuzzed" variations as you like using the relayfuzzed command, which takes a transaction ID and an integer to seed a random number generator.

Example usage from a bash prompt:

Code:

    # Run two bitcoind's that talk to each other:
    alias bc1="./bitcoind -datadir=testnet-box/1"
    alias bc2="./bitcoind -datadir=testnet-box/2"
    bc1 -daemon
    bc2 -daemon

    # Now fuzz a send-to-self:
    TXID=$(bc1 -testnet sendtoaddress $(bc1 getnewaddress) 0.01)
    for i in {1..100}; do bc1 relayfuzzed $TXID $i; done

The result should be a long list of fuzzed transaction ids, almost all of which are actually bad, invalid transactions. And a lot of "ConnectInputs failed" in testnet-box/2/testnet/debug.log

THINGS TO BE AWARE OF

You will trigger the denial-of-service-prevention code using this. If you are running a "testnet-in-a-box" setup (see (link)) then you don't have to worry, nodes running on localhost don't disconnect each other for bad behavior. Otherwise, you can run bitcoind with -banscore=999999 to avoid being disconnected.

Running the code being tested under Valgrind or Purify or another memory-corruption detection tool is a good idea.

Types of "high-level" fuzzing done:

- Insert random opcodes at the front of the transaction's scriptSig(s)

Types of "low-level" fuzzing done:

- Change bit in one of the transaction's bytes
- Delete one or more bytes
- Insert one or more random bytes

TODO:

Generate mostly-random scriptSig/scriptPubkey pairs that validate, and generate pairs/chains of valid transactions that spend them.
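
The three low-level mutations listed in the README (bit flip, byte deletion, random byte insertion), driven by an integer seed so that any input that upsets the implementation under test can be regenerated, sketched as an added Python example. It is not code from the post or the linked repository; `fuzz_bytes`, `campaign`, `MAX_RUN` and the sample bytes are assumptions constructed for illustration.

```python
import random
from collections import Counter

# Constructed placeholder bytes standing in for a serialized transaction;
# this is NOT a real or valid Bitcoin transaction.
SAMPLE_TX = bytes.fromhex("0100000001" + "ab" * 32 + "0000000000ffffffff0000000000")

MAX_RUN = 4  # assumption: the README says "one or more" bytes; 4 is an arbitrary cap


def fuzz_bytes(raw, seed):
    """Return (kind, mutated) after one seeded low-level mutation of raw."""
    if not raw:
        raise ValueError("nothing to mutate")
    rng = random.Random(seed)  # same seed -> same mutation, so a failure can be replayed
    data = bytearray(raw)
    kind = rng.choice(("bitflip", "delete", "insert"))
    if kind == "bitflip":
        # Flip exactly one bit in one randomly chosen byte.
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == "delete":
        # Remove a short run of bytes, never reading past the end.
        pos = rng.randrange(len(data))
        del data[pos:pos + rng.randint(1, min(MAX_RUN, len(data) - pos))]
    else:
        # Insert a short run of random bytes; pos == len(data) appends.
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, MAX_RUN)))
    return kind, bytes(data)


def campaign(raw, seeds):
    """Mutate raw once per seed; return {seed: (kind, mutated)}."""
    return {seed: fuzz_bytes(raw, seed) for seed in seeds}


if __name__ == "__main__":
    results = campaign(SAMPLE_TX, range(1, 101))
    # How many of each mutation kind the 100 seeds produced.
    print(Counter(kind for kind, _ in results.values()))
    # Replaying seed 1 always yields the same mutated bytes.
    print(results[1][0], results[1][1].hex())
```

Recording the seed next to each result is what lets a parser failure found during a run be reproduced later under Valgrind or a debugger.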