Blockchain CTF v2? Who’s up for the Challenge?
Since we originally launched the Security Innovation Blockchain CTF in April '18, we have been blown away by the participation we've seen. With hundreds of unique players and almost two thousand transactions to our smart contract, it’s clear that the demand for educational resources in the field of smart contract security is larger than ever.
Today we are excited to announce the next iteration of our capture the flag. While on the surface the platform will look similar, aside from the 4 brand new challenges that have been added, there's a lot that has changed behind the scenes. Through this process, we've learned a lot of lessons about developing decentralized applications that we're happy to share with you.
New Upgradeable Game Contract
The competition is hosted primarily by a smart contract responsible for managing players, deploying individual challenges, and calculating scores. One of the properties of smart contract technology is that once a contract has been deployed, it cannot be changed. In order to make an upgrade, a brand new contract must be deployed. Unfortunately for us, this means that data stored in the previous contract won't necessarily be carried over to version 2.0.
We made a ton of improvements to the game harness with this latest update, so a new deployment was necessary. In our case, we decided to label all previous scores from the original contract as (legacy) scores. This way those participants will still remain on our hall of fame, but new scores will only be tallied from the 2.0 contract.
To make sure this (hopefully) doesn't happen again, we deployed our v2.0 contract with the popular delegatecall upgradeability model. Essentially, we have split our contract into two pieces: a proxy contract that stores all the data (players, game instances, etc.) and a logic contract responsible for all of the functionality (register, launch a game, etc.).
With this pattern, we use the delegatecall opcode to run functions defined in the second contract with the state context of the proxy. If we ever want to make a future upgrade, we can call a function defined in the proxy to change which contract it points to for functions. This way the next version of the CTF will hopefully carry over all players and score information.
The delegatecall/proxy architecture has its advantages, but it isn't a one-size-fits-all solution for contract upgradeability. For one thing, the storage layout must stay consistent between upgrades, so making changes to any part of our data model (say, adding a new field to our User object) may be challenging. Additionally, it does require creating a privileged role that can perform the upgrade, which may violate some of the assumed guarantees around smart contract decentralization. That being said, for our purposes this model appears to be the best solution, so that hopefully incremental upgrades can be made without requiring a version 3.0.
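To make the pattern and its storage-layout caveat concrete, here is a minimal proxy/logic pair written for this post; it is an added illustration, not the CTF's own game contract, and the contract names (CtfStorage, CtfProxy, CtfLogicV1/V2), the scores mapping and the owner-only upgrade role are assumptions for the example.

```solidity
pragma solidity ^0.4.24;
// Layout shared by the proxy and every logic version: slot 0 owner,
// slot 1 implementation, slot 2 scores. Later versions may only append
// variables after these, never insert or reorder them.
contract CtfStorage {
    address public owner;
    address public implementation;
    mapping(address => uint256) public scores;
}

contract CtfProxy is CtfStorage {
    constructor(address _impl) public { owner = msg.sender; implementation = _impl; }

    // Privileged upgrade role: only the owner may repoint the proxy.
    function upgradeTo(address _impl) external {
        require(msg.sender == owner, "only owner may upgrade");
        require(_impl != address(0), "implementation required");
        implementation = _impl;
    }

    // Any call the proxy does not define is forwarded with delegatecall,
    // so the logic code runs against this contract's storage.
    function () external payable {
        address impl = implementation;
        require(impl != address(0), "no implementation set");
        assembly {
            calldatacopy(0, 0, calldatasize)
            let result := delegatecall(gas, impl, 0, calldatasize, 0, 0)
            returndatacopy(0, 0, returndatasize)
            switch result
            case 0 { revert(0, returndatasize) }
            default { return(0, returndatasize) }
        }
    }
}
// v1 logic: same layout, no state of its own.
contract CtfLogicV1 is CtfStorage {
    function register() external { scores[msg.sender] = 0; }
    function award(address player, uint256 pts) external {
        require(msg.sender == owner, "only owner may award");
        scores[player] += pts;
    }
}

// v2 appends its new field after the inherited ones, so slot 2 still
// holds scores; declaring it before them would corrupt every player's score.
contract CtfLogicV2 is CtfLogicV1 {
    mapping(address => bool) public legacy;
}
```

Because the proxy's own public getters shadow same-named functions in the logic contract, reads of owner, implementation and scores are answered by the proxy itself, while everything else falls through to delegatecall.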
Changes to Game Mechanics
As previously mentioned, without a built-in upgradeability model, any small iterative changes we've wanted to include had to be postponed until the version 2.0 release. With this release, we've finally been able to make some of the small changes that will make the game experience better for the users.
Changes to Fees - Playing a challenge requires the user to seed each game with ropsten ether (fake cryptocurrency) so that they can steal it back from the challenge contract and earn leaderboard points. The upfront registration fee has been replaced with individual seeding amounts that are required when launching each individual game. This way users won't need to request too much ropsten ether from the faucet up front. This also means that new challenges can be added much more easily without a risk of incorrect fund states or contract insolvency.
Changes to Game Launching - Several improvements have been added to the workflow of launching a new challenge. Seeding a challenge with funds is now included as part of the launch transaction. Our launcher contract has been restructured so that games can be launched in any order. Finally, relaunching capabilities have been added so that putting your challenge contract into a weird state will not limit the points you can receive.
Challenge Harness Restructure - Basegame.sol has been simplified and renamed to better represent its role as a harness for scoring automation. Additionally, each of the challenges has been upgraded to Solidity v0.4.24 so that a more current Solidity compiler can be used when attacking the contracts. Solidity v0.5 was considered; however, since that update includes mandatory changes (such as new explicitness requirements) that affect the applicability of some of our vulnerabilities, we decided to stay with 0.4.x for now. On that note, if you happen to be writing a production smart contract, we recommend you upgrade to Solidity v0.5.x. ;)
With these changes we expect the end-to-end CTF experience to be much more straightforward for our players.
Partnership with ConsenSys Diligence and Mythril Classic
We are excited to announce that Security Innovation has partnered with ConsenSys Diligence to promote their free and open source tool, Mythril Classic.
Mythril Classic uses symbolic execution to identify and simulate exploitation of smart contract vulnerabilities. It's an essential piece of any smart contract developer or auditor's toolkit and can be a great asset for identifying areas of code that require the most attention.
Keep an eye out for the new Mythril tab to get an in-game tutorial on how to best utilize Mythril Classic so that you can best identify and exploit low-hanging fruit challenges.
Brand New Challenges
Finally, we are super excited to add four new challenges to the site: Rainy Day Fund, Lockbox, Secure Bank, and Slot Machine. These new challenges add another 4500 points to the potential high score, leaving previous high scores in the dust. These additions bring the maximum score to a new high of 8500. There shouldn't be any way to get more points than that, though if you can hack the game contract itself, send us an email; we'll have a special prize in store for you!
In its short time on the ropsten network, the Security Innovation Blockchain CTF has proven to be an incredible resource for developers and security experts alike to test their skills with practical exploitation challenges. The feedback we've received while including it in our Blockchain security training course has been phenomenal and we are super excited to continue updating it for the emerging blockchain developer community.
If you are not a blockchain expert but are interested in leveraging simulation training to build application security skills, check out our CMD+CTRL Cyber Range.
Read our other blockchain post here: https://blog.securityinnovation.com/blockchain-ctf