FUZZ=rpc in utxoupdatepsbt Assertion `tweaked' failed in SignMuSig2 #34201

maflcko opened this issue on January 5, 2026
  1. maflcko commented at 8:14 am on January 5, 2026: member
     0$ echo 'dXR4b3VwZGF0ZXBzYnRcIHBzYnT/AQCjICAgIAMgICAgICAgICAgICAgICAgICAgICAgICAgICAg
     1ICAgICAgICAAIP///yAgICAgICAgICAgICAgICAgICAgICAgICAgICD///8gICAgIAAgICAgICAg
     2ICAgICAgICAgICAgICAgICAgICAgICAgIP////////8gACAgICADICAgICAgICADICAgICAgICAg
     3ICAAICAgICAgICAAICAgIAABASsg/yAgICAgICJRICAgICAgICAgICAgICAgICAgICAgICAgICAg
     4ICAgICAgIhoCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAClAiAgICAgICAgICAgICAg
     5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
     6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
     7ICAgICAgICAgICAgICD/ICAgICAgICAgICAgICAgICAgICAgAAAAAAAA7f//ICAgIA==' | base64 --decode > /tmp/crash

     $ FUZZ=rpc ./bld-cmake/bin/fuzz /tmp/crash
     INFO: Running with entropic power schedule (0xFF, 100).
     INFO: Seed: 2426494106
     INFO: Loaded 1 modules   (402716 inline 8-bit counters): 402716 [0x561fca7217f8, 0x561fca783d14),
     INFO: Loaded 1 PC tables (402716 PCs): 402716 [0x561fca783d18,0x561fcada8ed8),
     ./bld-cmake/bin/fuzz: Running 1 inputs 1 time(s) each.
     Running: /tmp/clusterfuzz-testcase-minimized-rpc-4681957738086400
     script/sign.cpp:321 bool SignMuSig2(const BaseSignatureCreator &, SignatureData &, const SigningProvider &, std::vector<unsigned char> &, const XOnlyPubKey &, const uint256 *, const uint256 *, SigVersion): Assertion `tweaked' failed.
    

    Found by https://issues.oss-fuzz.com/u/3/issues/473123279?pli=1

    Originally posted by @maflcko in #29675 (review)

  2. maflcko added this to the milestone 31.0 on Jan 5, 2026
  3. maflcko added the label Fuzzing on Jan 5, 2026
  4. maflcko added the label RPC/REST/ZMQ on Jan 5, 2026
  5. rkrux commented at 9:26 am on January 5, 2026: contributor

    Is this a valid PSBT? I get the following error when I try to decode it.

    0➜  ~ bitcoincli decodepsbt dXR4b3VwZGF0ZXBzYnRcIHBzYnT/AQCjICAgIAMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAAIP///yAgICAgICAgICAgICAgICAgICAgICAgICAgICD///8gICAgIAAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIP////////8gACAgICADICAgICAgICADICAgICAgICAgICAAICAgICAgICAAICAgIAABASsg/yAgICAgICJRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIhoCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAClAiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICD/ICAgICAgICAgICAgICAgICAgICAgAAAAAAAA7f//ICAgIA==
    error code: -22
    error message:
    TX decode failed Invalid PSBT magic bytes: unspecified iostream_category error
    
  6. maflcko commented at 10:05 am on January 5, 2026: member

    This is a fuzz input, if you want the psbt, you can add a `std::cout << request.params[0].get_str() << '\n';` to the rpc. This will give:

    0utxoupdatepsbt cHNidP8BAKMgICAgAyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAAg////ICAgICAgICAgICAgICAgICAgICAgICAgICAgIP///yAgICAgACAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg/////////yAAICAgIAMgICAgICAgIAMgICAgICAgICAgIAAgICAgICAgIAAgICAgAAEBKyD/ICAgICAgIlEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiGgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACECICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAA=
    
  7. rkrux commented at 10:10 am on January 5, 2026: contributor
    Oh interesting, thanks for clarifying.
  8. rkrux commented at 11:05 am on January 5, 2026: contributor

    I think what’s happening here is that invalid pubkeys are passed as MuSig2 aggregate and participants. I’ve updated PR #34010 by adding the test case from this issue.

    The decoded PSBT from this input #34201 (comment):

      0➜  src git:(master) ✗   bitcoincli decodepsbt cHNidP8BAKMgICAgAyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAAg////ICAgICAgICAgICAgICAgICAgICAgICAgICAgIP///yAgICAgACAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg/////////yAAICAgIAMgICAgICAgIAMgICAgICAgICAgIAAgICAgICAgIAAgICAgAAEBKyD/ICAgICAgIlEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiGgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACECICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAA=
      {
        "tx": {
          "txid": "78aa55eafa6998eede2cfbde74e07b971c848d5e087033de9f0c934ed59ad775",
          "hash": "78aa55eafa6998eede2cfbde74e07b971c848d5e087033de9f0c934ed59ad775",
          "version": 538976288,
          "size": 163,
          "vsize": 163,
          "weight": 652,
          "locktime": 538976288,
          "vin": [
            {
              "txid": "2020202020202020202020202020202020202020202020202020202020202020",
              "vout": 538976288,
              "scriptSig": {
                "asm": "",
                "hex": ""
              },
              "sequence": 4294967072
            },
            {
              "txid": "20ffffff20202020202020202020202020202020202020202020202020202020",
              "vout": 538976288,
              "scriptSig": {
                "asm": "",
                "hex": ""
              },
              "sequence": 538976288
            },
            {
              "txid": "ffffffff20202020202020202020202020202020202020202020202020202020",
              "vout": 553648127,
              "scriptSig": {
                "asm": "",
                "hex": ""
              },
              "sequence": 538976288
            }
          ],
          "vout": [
            {
              "value": 23148855308.18453536,
              "n": 0,
              "scriptPubKey": {
                "asm": "[error]",
                "desc": "raw(202020)#a84sa0nu",
                "hex": "202020",
                "type": "nonstandard"
              }
            },
            {
              "value": 23148855308.18453536,
              "n": 1,
              "scriptPubKey": {
                "asm": "",
                "desc": "raw()#58lrscpx",
                "hex": "",
                "type": "nonstandard"
              }
            },
            {
              "value": 23148855308.18453536,
              "n": 2,
              "scriptPubKey": {
                "asm": "",
                "desc": "raw()#58lrscpx",
                "hex": "",
                "type": "nonstandard"
              }
            }
          ]
        },
        "global_xpubs": [
        ],
        "psbt_version": 0,
        "proprietary": [
        ],
        "unknown": {
        },
        "inputs": [
          {
            "witness_utxo": {
              "amount": 23148855308.18510624,
              "scriptPubKey": {
                "asm": "1 2020202020202020202020202020202020202020202020202020202020202020",
                "desc": "addr(bcrt1pyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqsqm5s4vx)#uxtlp4pp",
                "hex": "51202020202020202020202020202020202020202020202020202020202020202020",
                "address": "bcrt1pyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqsqm5s4vx",
                "type": "witness_v1_taproot"
              }
            },
            "musig2_participant_pubkeys": [
              {
                "aggregate_pubkey": "020000000000000000000000000000000000000000000000000000000000000000",
                "participant_pubkeys": [
                  "022020202020202020202020202020202020202020202020202020202020202020"
                ]
              }
            ]
          },
          {
          },
          {
          }
        ],
        "outputs": [
          {
          },
          {
          },
          {
          }
        ]
      }
    

    Also, I get “Access is denied to this issue” error when I open this link. How can I see this issue?

    Found by https://issues.oss-fuzz.com/u/3/issues/473123279?pli=1
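
Added example (not from the thread or from Bitcoin Core): a stand-alone secp256k1 check of whether each 33-byte compressed key in the decoded `musig2_participant_pubkeys` entry above is a point on the curve, which is one concrete sense in which such a key can be invalid. The function names are hypothetical, and the generator key is included only as a known-good comparison.

```python
# Added illustration: on-curve check for compressed secp256k1 public keys.
P = 2**256 - 2**32 - 977  # secp256k1 field prime

def lift_compressed(pubkey_hex):
    """Return (x, y) if the 33-byte compressed key is a curve point, else None."""
    try:
        raw = bytes.fromhex(pubkey_hex)
    except ValueError:
        return None
    if len(raw) != 33 or raw[0] not in (2, 3):
        return None                      # wrong length or not a compressed-key prefix
    x = int.from_bytes(raw[1:], "big")
    if x >= P:
        return None                      # x is not a valid field element
    rhs = (pow(x, 3, P) + 7) % P         # curve equation: y^2 = x^3 + 7
    y = pow(rhs, (P + 1) // 4, P)        # square-root candidate (works because P % 4 == 3)
    if (y * y) % P != rhs:
        return None                      # rhs is a non-residue: no point has this x
    if (y & 1) != (raw[0] & 1):
        y = P - y                        # pick the root whose parity matches the prefix
    return (x, y)

def check_musig2_field(entry):
    """Map each key of one musig2_participant_pubkeys entry to True/False (on curve)."""
    keys = [entry["aggregate_pubkey"], *entry["participant_pubkeys"]]
    return {k: lift_compressed(k) is not None for k in keys}

# Entry copied from the decodepsbt output in the thread.
FUZZ_ENTRY = {
    "aggregate_pubkey": "02" + "00" * 32,
    "participant_pubkeys": ["02" + "20" * 32],
}
# secp256k1 generator point in compressed form, used as a known-good key.
GENERATOR = "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"

if __name__ == "__main__":
    for key, ok in check_musig2_field(FUZZ_ENTRY).items():
        print(key, "on curve" if ok else "NOT on curve")
    print(GENERATOR, "on curve" if lift_compressed(GENERATOR) else "NOT on curve")
```

The all-zero aggregate key is rejected because x = 0 gives y² = 7, and 7 has no square root modulo the secp256k1 field prime.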

  9. achow101 referenced this in commit d6a6afd955 on Jan 5, 2026
  10. maflcko closed this on Jan 6, 2026



This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-07 03:13 UTC
