Blockchain CTF Challenge
Drum Roll Please...
And the WINNERS are:
First place: <script>alert(1)</script> - $300 reward
smarx - $50 reward
tec - $50 reward
Ping - $50 reward
Additionally, two other players who had created accounts during the competition were selected at random to receive an additional $50 reward.
As you can imagine, delivering prize money without any way to contact our contestants could present a bit of a challenge. Luckily, by competing in the CTF and creating Metamask wallets, our winners had already provided us with everything we need to send them their prizes: a wallet address.
These addresses come in the form of a long hex string (e.g. 0xdcb37036c66bc6a5a19ccf0dbc0253e584499954) and are all that is necessary to identify a wallet when sending assets on the blockchain.
Using these addresses, we can ensure that the competitors will be able to claim their reward. Even though the accounts were created on the Ropsten testnet, the private keys in Metamask can easily be used to generate identical wallet addresses on the Ethereum mainnet.
Originally, our plan was to distribute the reward as the DAI token, a decentralized stablecoin mapped 1:1 to the US dollar. The problem with this is that in order for the winners to then claim their DAI and send it to another account, they would need a small amount of ETH in their account to pay the transaction fee. Since these accounts were assumed to be only used on the Ropsten testnet, this creates a bit of a hassle for our players.
Having seen the recent successes of the Burner Wallet (https://xdai.io) at ETHDenver, we decided to distribute our rewards as xDai tokens via the POA Network instead. These xDai tokens exist on a side chain and are 1:1 mapped to DAI that is deposited and redeemed in an Ethereum mainnet smart contract.
that the side chain uses xDai as its native currency and can thus pay all transaction fees (fractions of a penny per transaction) in xDai. This way our winners don't need to move any ether in order to send their reward to the wallet of their choosing.
We received a ton of great feedback on our competition over the week. In the interest of continuous improvement, we want to address two ways in which we look forward to improving future contests.
1) Start Everyone from Square One
Some of our challengers had pointed out that there was an unfair advantage to anyone who had solved the previous 11 challenges before the challenge began. We agree that this was not ideal. To remedy this, we plan on launching all new challenges as stand-alone applications so that everyone can start from a level playing field.
2) Ropsten Faucets were Dry
Where Can I Learn to Hack Smart Contracts?
This course will cover:
How to utilize DApps built on Ethereum smart contracts and Web 3.0
How to write, test, deploy, and exploit a Solidity smart contract.
You can sign up today at https://ubm.io/2SSHrx0.
Early registration ends May 24.
Mick Ayzenberg is a senior security engineer at Security Innovation. He is the head of the Blockchain Center of Excellence (COE) and is the creator of the "Intro to Hacking Blockchain Applications and Smart Contracts" course at Blackhat Las Vegas. Tickets for the training are available at: https://www.blackhat.com/us-19/training/schedule/#an-introduction-to-hacking-blockchain-applications-and-smart-contracts-13991
You can read more about Blockchain in our Blockchain COE https://www.securityinnovation.com/about/centers-of-excellence/blockchain-center-of-excellence/