Winners Announced for Security Innovation Blockchain CTF Challenge
 
Last week we announced two new challenges were to be added to the Security Innovation Blockchain CTF, our free platform for learning to identify and exploit vulnerabilities in smart contracts.  
 
Coinciding with the launch, we announced a reward for the first players to complete all 13 of the challenges. During the week, dozens of players attempted to steal fake ether from these challenges. Out of all of our contestants, only 5 players were able to complete all 13 successfully and reach 15,000 points on the leaderboard.
 
In the spirit of decentralization, competitors were able to remain anonymous, supplying only their username of choice and an address associated with their testnet wallets.

Drum Roll Please... 

And the WINNERS are:

First place: <script>alert(1)</script> - $300 reward
 
jbrouwer96 - $50 reward
smarx - $50 reward
tec - $50 reward
Ping - $50 reward

Additionally, two other players who had created accounts during the competition were selected at random to receive an additional $50 reward.
These two users were: aghora and Leeky
 
Congratulations to everyone who participated!
 
How Were Rewards Distributed?

As you can imagine, delivering prize money without any way to contact our contestants could present a bit of a challenge. Luckily, by competing in the CTF and creating Metamask wallets, our winners had already provided us with everything we need to send them their prizes: a wallet address.
These addresses come in the form of a long hex string (e.g. 0xdcb37036c66bc6a5a19ccf0dbc0253e584499954) and are all that is necessary to identify a wallet when sending assets on the blockchain.

Using these addresses, we can ensure that the competitors will be able to claim their reward. Even though the accounts were created on the Ropsten testnet, an Ethereum address is derived purely from the account's key pair and does not depend on the network, so the same private keys in Metamask control identical wallet addresses on the Ethereum mainnet.
 
xDai vs DAI

Originally, our plan was to distribute the reward as the DAI token, a decentralized stablecoin pegged 1:1 to the US dollar. The problem with this is that in order for the winners to then claim their DAI and send it to another account, they would need a small amount of ETH in their account to pay the transaction fee. Since these accounts were assumed to be used only on the Ropsten testnet, this creates a bit of a hassle for our players.

Having seen the recent successes of the Burner Wallet (https://xdai.io) at ETHDenver, we decided to distribute our rewards as xDai tokens via the POA Network instead. These xDai tokens exist on a side chain and are backed 1:1 by DAI that is deposited into, and redeemed from, an Ethereum mainnet smart contract.
 
The biggest benefit to using xDai over DAI in this situation is that the side chain uses xDai as its native currency and can thus pay all transaction fees (fractions of a penny per transaction) in xDai. This way our winners don't need to move any ether in order to send their reward to the wallet of their choosing.
 
We think this technology is really cool and are excited to keep watching the progress of xDai. We are especially excited to see continued research into ZK-SNARK integration with zDai to enable maximum transaction privacy, while preserving usability.

Lessons Learned

We received a ton of great feedback on our competition over the week. In the interest of continuous improvement, we want to address two ways in which we look forward to improving future contests.

1) Start Everyone from Square One
Some of our challengers pointed out that anyone who had already solved the previous 11 challenges before the competition began had an unfair advantage. We agree that this was not ideal. To remedy this, we plan on launching all new challenges as stand-alone applications so that everyone can start from a level playing field.

2) Ropsten Faucets Were Dry
In unfortunate timing, our competition launch happened to coincide with the Metamask Ropsten ether faucet running out of funds for a couple of days. Other faucets, while available during the launch, set strict limits on how much ether could be requested. This left some of our challengers struggling to obtain the minimum 5+ Ropsten ether required to complete some of the challenges. Going forward, when challenges are time-boxed, as was the case in this competition, we will make sure to limit the testnet ether requirements to less than 1 ether.


Where Can I Learn to Hack Smart Contracts?
 
If you are just getting started with blockchain and are interested in learning to build (and hack) real smart contracts, there are many great resources available.
 
Our two-day intensive course at BlackHat Las Vegas, August 3-4, 2019.

This course will cover:
How blockchain works, what makes it novel, and where it might be useful
How to utilize DApps built on Ethereum smart contracts and Web 3.0
How to write, test, deploy, and exploit a Solidity smart contract
You can sign up today at https://ubm.io/2SSHrx0.
Early registration ends May 24.
If you are wondering how Blockchain technology might affect your business, come attend our 30 minute webinar:
 
Attend our next Webinar - Is Blockchain Right For You?
March 13 at 2pm EST.


Mick Ayzenberg is a senior security engineer at Security Innovation. He is the head of the Blockchain Center of Excellence (COE) and is the creator of the "Intro to Hacking Blockchain Applications and Smart Contracts" course at BlackHat Las Vegas. Tickets for the training are available at: https://www.blackhat.com/us-19/training/schedule/#an-introduction-to-hacking-blockchain-applications-and-smart-contracts-13991

You can read more about blockchain in our Blockchain COE: https://www.securityinnovation.com/about/centers-of-excellence/blockchain-center-of-excellence/