Last month, ETHworks put together a really fun smart contract contest where players competed to solve all the clues and unlock a 7 ETH reward. While I did not win, I had an absolute blast participating in it and wanted to share my notes in case you want to learn about password cracking and smart contract hacking techniques. If that sounds interesting to you, let’s dive right in.

#0xPOLAND

On November 17th, 2020, while preparing for the next edition of the Blockchain Threat Intelligence newsletter, I ran across an interesting tweet advertising some kind of a smart contract contest:

Image for post
Image for post
https://twitter.com/0xPoland/status/1328616243562156032

The address contained a simple smart contract which challenged anyone to guess a plaintext for a stored hash which was hashed twice with…


The next challenge in the series teaches us about dangers of mixing flash loans and governance systems:

A new cool lending pool has launched! It's now offering flash loans of DVT tokens.Wow, and it even includes a really fancy governance mechanism to control it.What could go wrong, right ?You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: steal them all.

The governance contract described in the challenge implements two functions to queue and execute action proposals. Action queue mechanism verifies that an actor has sufficient votes as follows:

Notice that _hasEnoughVotes obtains token balance using the same vulnerable ERC20Snapshot mechanism described in the previous challenge. This means that as long as the last recorded token snapshot has sufficient balance, one could successfully queue any action. …


Let’s continue our journey of learning about vulnerable DeFi applications. The next exercise, the-rewarder, challenges us to cheat at getting all of the rewards in a stripped down liquidity pool app:

There's a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it.Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards!You don't have any DVT tokens. Luckily, these are really popular nowadays, so there's another pool offering them in free flash loans.In the upcoming round, you must claim all rewards for yourself.

The challenge consists of four different contracts with the following…


The next puzzle in the series continues challenging players to empty DeFi lending pool through any means necessary. Here is the challenge:

A surprisingly simple lending pool allows anyone to deposit ETH, and withdraw it at any point in time.This very simple lending pool has 1000 ETH in balance already, and is offering free flash loans using the deposited ETH to promote their system.You must steal all ETH from the lending pool.

The challenge.js file performs basic setup on the vulnerable pool contract and deposits some initial balance:

Let’s take a look at the SideEntranceLenderPool contract to see if we can spot any…


Let’s dive into the next challenge called Truster in the OpenZeppelin’s fun wargame:

More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free.Currently the pool has 1 million DVT tokens in balance. And you have nothing.But don't worry, you might be able to steal them all from the pool.

The challenge sets up a lending pool instance of TrusterLenderPool and deposits 1M ETH:

The TrusterLenderPool has a single function called flashLoan which can lend any requested amount to the borrower address as long as that amount is returned by the end of the…


Continuing our exploration of the Damn Vulnerable DeFi wargame, the next puzzle is called Naive receiver. It challenges players to drain a DeFi user’s account:

There's a lending pool offering quite expensive flash loans of Ether, which has 1000 ETH in balance.You also see that a user has deployed a contract with 10 ETH in balance, capable of interacting with the lending pool and receiveing flash loans of ETH.Drain all ETH funds from the user's contract. Doing it in a single transaction is a big plus ;)

The challenge file sets up a lending pool and a user receiver contracts. The receiver contract is configured with the lending pool address so that it could interact with…


Damn Vulnerable DeFi is an Ethereum smart contract wargame developed by @tinchoabbate from OpenZeppelin. The competition includes 8 unique challenges educating players about various DeFi vulnerabilities.

Image for post
Image for post

In this article, I will share basic set up steps to get you started on the challenges and go over the first challenge.

Wargame Setup

To begin playing the wargame, you have to set up your local environment first. Start by cloning the challenges repository from Github and installing Node dependencies:

% git clone https://github.com/OpenZeppelin/damn-vulnerable-defi.git
% cd damn-vulnerable-defi
% npm install

Once you install all of the dependencies you can test the environment by listing available challenges as…


Last week I had a lot of fun with the latest blockchain investigation competition put together by folks at Anchain. The competition spanned two weeks and included a number of questions challenging players to dig through Ethereum blockchain transaction and smart contract data. In addition to many freely available tools, participants were also offered a free license of Anchain’s CISO blockchain analytics platform which made the analysis a lot easier.

Image for post
Image for post

In this writeup I will discuss blockchain analytics tools, techniques, and lessons learned while solving challenges. I will only focus on solving the last (and hardest) challenge investigating the infamous exit scam and the eventual return of funds by SushiSwap’s Chef Nomi back in September, 2020. My goal is to share the investigation steps so that you, the reader, would also be inspired to participate in future contests or may be even make this your future career. Check out my Blockchain Threat Intelligence newsletter for ideas on how to contribute to this field. …


On November 5th, 2019 I had a great experience attending a new conference in the Bay Area called Disclosure. Even though this was its first year, Disclosure gathered an amazing speaker line up including Katie Moussouris, Dan Kaminsky, Jennifer Granick, Juan Andres Guerrero-Saade and many others.

Image for post
Image for post
Disclosure 2019 hallways

The conference reserved a beautiful venue at Westin St. Francis hotel with a single large ballroom for the talks. The hallways leading to the event were lit up in a futuristic purple light with a number of posters with various ciphers for the scavenger hunt competition:


Defcon 27 featured a Blockchain Security Village with a number of excellent talks and contests. During the event, I had the pleasure of competing and winning a smart contract security CTF called Chain Heist. The contest was sponsored by Synopsys and featured 23 challenges of varying difficulty.

The write up below will cover information about the game as well as solutions for some of my favorite challenges.

The Interface

One of the highlights of the game was a beautiful interface which was built as an Ethereum DApp capable of automatically deploying contracts for each player. …

About

Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store