Challenge Overview

Welcome to the build of a Smart Contract Hacker Challenge! In this Topcoder challenge your goal is to prepare a self-contained vulnerable MultiSig wallet that is ready to get hacked. The text below describes the intention of the Smart Contract Hacker Challenge, how it should be set up, and its objectives. Pay special attention to the Details section, which lists what is expected from you in this Topcoder challenge.

Overview

The client's intention is to launch a Hacking Contest for smart contract systems, and this will be its first challenge. Participants will learn smart contract security by trying to exploit vulnerabilities that have occurred in the past in popular smart contract projects. The challenges will be published as self-contained GitHub projects that can be easily cloned and installed locally. Within minutes participants will be able to start hacking smart contract systems in a realistic and safe environment.

Details

  • Create a repository that allows users to clone and install locally the vulnerable Parity wallet contracts that were exploited on July 20th 2017 and November 6th 2017. Use the contracts from this commit hash: https://github.com/paritytech/parity/tree/6345b5403448736e633b502cc111f43a67babbf6/js/src/contracts
  • It should be possible to install the challenge locally in less than 1-2 minutes.
  • Upon installation the vulnerable MultiSig wallet is deployed and funded with 100k ETH. It is recommended to use Truffle for deployment.
  • The repo should have a README.md file that explains the objective of the hacker challenges (take the text above, and also the specific challenge descriptions below).
  • Create test scripts that verify whether challenges 1 and 2 have been completed. Users run the tests to check whether they have succeeded.
  • Create a writeup on how the challenges can be solved.
  • Bonus Goal: Alter the vulnerabilities in the MultiSig wallet in a slight way, so that exploitation of the flaws cannot simply be copied from the post-mortem sources of MultiSig wallets. During the review, if several members implement the previous points equally well, we will give a small preference to the submission, if any, that achieves this bonus goal.

Hacker Challenge 1

You are the security engineer of project Avalanche. News breaks that there is a vulnerability that allows attackers to withdraw all funds from the MultiSig wallet that project Avalanche is using. The CTO of project Avalanche, who has the keys to the wallet, is on a silent retreat and does not pick up the phone. After panicking for a few moments you realise you have no choice but to hack the wallet yourself and secure the funds (100k ETH) before someone else does.

Hacker Challenge 2

You have managed to secure the funds for project Avalanche successfully. Things have been running smoothly and you have migrated the funds back into the patched MultiSig wallet. One day you stumble upon a Reddit post from someone who claims that they can lock up all the funds in Parity MultiSig wallets. After reviewing the WalletLibrary code you realise that there is something to it. Nobody has exploited the vulnerability yet. The CTO of project Avalanche, who has the keys to the wallet, is on a diving trip and does not pick up the phone, so you must act quickly. What can you do to secure the funds and prevent an attacker from locking up all your ETH?

Final Submission Guidelines

Submit as a ZIP file the code of the repository you have created (i.e. there is no need to actually publish the prepared repo to GitHub yet; just submit its entire code, including the .git folder), and the writeup on how to solve the challenge (this should be separate from the repo).

Reliability Rating and Bonus

For challenges that have a reliability bonus, the bonus depends on the reliability rating at the moment of registration for that project. A participant with no previous projects is considered to have no reliability rating, and therefore gets no bonus. Reliability bonus does not apply to Digital Run winnings. Since reliability rating is based on the past 15 projects, it can only have 15 discrete values.

ELIGIBLE EVENTS:

2018 Topcoder(R) Open

REVIEW STYLE:

Final Review:

Community Review Board

Approval:

User Sign-Off
