CTF #2 Final Review

HatsFinance
Oct 19, 2022


Our Capture the Flag competitions are vital to bringing devs and security researchers to the Hats ecosystem. Through this series of challenges, security researchers of all skill levels can have fun, learn, and earn some great prizes.

Our CTF #2 went from September 22nd to 29th. We received over 50 submissions from all over the world, and we even got some requests to translate future challenges to other languages. We were really happy to see the impact of this CTF and the ongoing support of our dev community.

On-chain submission

What sets our CTF apart from any other similar challenge is the on-chain component. As a decentralized bug bounty project, our main ethos remains to facilitate decentralized vulnerability disclosure, and through our CTF we are able to use this special feature.

You can learn more about this feature here:

https://www.youtube.com/watch?v=c_jR1Iwp7nE

The Challenge

The challenge consisted of several vulnerabilities found in DeFi. In this case, Vault.sol was deployed with the contract owning 1 ETH of the shares. The mission was to capture the flag by emptying the vault, then calling captureTheFlag with an address you control to prove that you have succeeded in completing the challenge, so that vault.flagHolder returns your address.

There was no specific way of solving the challenge, but a correct response had to include forcing ETH into the vault using selfdestruct, then re-entering the withdraw/redeem function.

Some of the ways to improve the basic solution were to do the whole attack in one transaction (to prevent frontrunning), to not deposit anything and instead withdraw an amount of 0, and to not use a flag or a counter for the re-entering but have the fallback function call withdraw with another receiver.
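The two weaknesses described above (share value computed from address(this).balance, which selfdestruct can inflate, and an ETH transfer made before the accounting is updated, which allows re-entry) each have a standard mitigation. The contract below is an added illustration of a hardened vault, written for this write-up; it is not the CTF's Vault.sol, and the names HardenedVault, totalAssets, surplus and the share formula are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical hardened ETH vault (example code, not the CTF's Vault.sol).
// Mitigations, each tied to a weakness discussed in the write-up:
//  1. Internal accounting (totalAssets) instead of address(this).balance, so
//     ETH forced in via selfdestruct does not change the share price.
//  2. Checks-effects-interactions plus a reentrancy guard, so a receiver's
//     fallback cannot re-enter redeem(), whatever receiver it names.
//  3. Zero-amount operations are rejected, closing the "withdraw 0" path.
contract HardenedVault {
    uint256 public totalShares;
    uint256 public totalAssets;            // ETH the vault believes it holds
    mapping(address => uint256) public shares;

    uint256 private _locked = 1;           // 1 = unlocked, 2 = entered

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    event Deposit(address indexed from, uint256 assets, uint256 sharesMinted);
    event Redeem(address indexed from, address indexed to, uint256 sharesBurned, uint256 assets);

    function deposit() external payable nonReentrant returns (uint256 minted) {
        require(msg.value > 0, "zero deposit");
        // First depositor gets 1:1; later depositors are priced on internal accounting.
        minted = totalShares == 0
            ? msg.value
            : (msg.value * totalShares) / totalAssets;
        require(minted > 0, "deposit rounds to zero shares");

        shares[msg.sender] += minted;
        totalShares += minted;
        totalAssets += msg.value;
        emit Deposit(msg.sender, msg.value, minted);
    }

    function redeem(uint256 shareAmount, address payable receiver)
        external
        nonReentrant
        returns (uint256 assets)
    {
        // Checks
        require(shareAmount > 0, "zero redeem");
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        assets = (shareAmount * totalAssets) / totalShares;

        // Effects: all state is settled before any ETH leaves the contract
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        totalAssets -= assets;
        emit Redeem(msg.sender, receiver, shareAmount, assets);

        // Interaction: the external call comes last, and the guard above
        // rejects any re-entry attempted from the receiver's fallback.
        (bool ok, ) = receiver.call{value: assets}("");
        require(ok, "ETH transfer failed");
    }

    // ETH that arrived outside deposit() (for example via selfdestruct) shows up
    // here, not in the share price. A real vault would decide explicitly who may
    // sweep it; leaving it unreachable is the conservative default.
    function surplus() external view returns (uint256) {
        return address(this).balance - totalAssets;
    }
}
```

The key design choice is that nothing in the share math reads address(this).balance: forced ETH becomes visible only through surplus(), and a reviewer checking a vault for this bug class can grep for that expression in any pricing path.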

Here’s an example solution from 0x2…A76 / @ttthong, which solved the challenge in a creative way, using only 0.1 ETH for the attack and re-entering 10 times:

The evaluation process was difficult due to the volume of correct submissions. Because of this, we had to take into consideration different factors that set submissions apart from the rest. Some of the things we looked for were creative thinking, extensive explanations, great code, and suggestions on how to fix those vulnerabilities.

Below are the winners’ wallet addresses! Congratulations on this accomplishment. Each winner will be receiving $1,000 in DAI along with a special NFT that will grant access to ongoing initiatives for security researchers. Those who did not win but submitted an eligible entry will also receive an NFT. Minting information will be sent individually to eligible participants.

0x7…803

0x6…8B6

0x2…099

0x3…97A

0x9…fcE

0xF…acC

0xB…4Ad

0x9…acd

0x1…a27

0x2…A76

Major Takeaways

  • An accident led us to reveal part of the solution during the CTF. While this was not initially intended, the disclosed part served as a hint and encouraged more people to participate.
  • We had more submissions than we expected, which is a great thing, but moving forward we will be more prepared to evaluate more submissions in a shorter period of time.

Your feedback is extremely valuable, as it helps us improve our process and create the best challenges possible. Here are a couple of things we will be working on:

  • A CTF manager for constant and clear communication.
  • Testing of the challenge, before it goes live, by users outside of Hats who are not participating in the CTF. (Let us know if you would like to be part of this!)
  • Clear and detailed rules and communication.
  • New PR highlighting the contracts covered, adding templates to the reports, and supporting more communication platforms.

Until the next challenge!

Hats Finance


Written by HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.