Last month, ETHworks put together a really fun smart contract contest where players competed to solve all the clues and unlock a 7 ETH reward. While I did not win, I had an absolute blast participating in it and wanted to share my notes in case you want to learn about password cracking and smart contract hacking techniques. If that sounds interesting to you, let’s dive right in.
The address contained a simple smart contract that challenged anyone to guess the plaintext behind a stored hash, which had been produced by hashing the plaintext twice with KECCAK-256:
The hash was initialized at contract deployment time and could easily be looked up on Etherscan:
The contract itself was interesting in the way it protected players against front-running attacks by first requiring a commit() transaction with a solution hashed once using KECCAK-256, followed by the actual reveal() after a 10 block delay.
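The commit/reveal flow described above, written out as an added Solidity sketch; it is not the contest contract and not ETHworks' code. The contract name, storage layout, payout logic and the mixing of `msg.sender` into the commitment are assumptions of this example; only the double KECCAK-256 target and the 10 block delay come from the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative commit-reveal puzzle, NOT the contest contract.
// All names and the sender binding are assumptions of this sketch.
contract CommitRevealPuzzle {
    uint256 public constant REVEAL_DELAY = 10; // blocks, as in the write-up
    bytes32 public immutable target;           // keccak256(keccak256(solution))

    struct Commitment {
        bytes32 digest;      // keccak256(sender ++ keccak256(solution))
        uint256 blockNumber; // block in which commit() was mined
    }
    mapping(address => Commitment) public commitments;
    bool public solved;

    constructor(bytes32 _target) payable {
        target = _target;
    }

    // Step 1: publish a digest that hides the solution. Binding it to
    // msg.sender (an addition in this sketch) means a digest copied from
    // the mempool cannot be revealed by a different account.
    function commit(bytes32 digest) external {
        require(!solved, "already solved");
        commitments[msg.sender] = Commitment(digest, block.number);
    }

    // Step 2: reveal the plaintext once the commitment is old enough.
    // Someone who first sees the plaintext in a pending reveal() has no
    // sufficiently old commitment of their own, so copying it fails.
    function reveal(bytes calldata solution) external {
        require(!solved, "already solved");
        Commitment memory c = commitments[msg.sender];
        require(c.blockNumber != 0, "no commitment");
        require(block.number >= c.blockNumber + REVEAL_DELAY, "too early");

        bytes32 once = keccak256(solution);
        require(c.digest == keccak256(abi.encodePacked(msg.sender, once)), "commit mismatch");
        require(keccak256(abi.encodePacked(once)) == target, "wrong solution");

        // Effects before the external call (checks-effects-interactions).
        solved = true;
        delete commitments[msg.sender];
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}
```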
My initial approach to solving the puzzle was to load a slightly modified version of the contract on Remix in order to save on gas fees and to keep attempts private:
The modification simply disables the commit step so I could freely experiment with different solutions. Next, I initialized the contract with the same hash value as the original: