2nd Solidity Underhanded Contest
After a three year wait, the second edition of the sneakiest contest in the land of smart contracts is upon us! Welcome…
The Second Underhanded Solidity Contest
_* Clamoring is heard at distance. Claps and approval screams all around. *_
Come one, come all. Your chance to prove your worth at the black hat arts of development is here.
What is the Underhanded Solidity Contest?
The goal of the contest is to provide an avenue for developers and Solidity language users from all backgrounds to expose unclear flaws and subtleties of the Solidity compiler and the EVM.
From the landing page of the contest:
The goal of this contest is to write innocent-looking Solidity code, which pretends to be clear and straightforward, but actually contains malicious behavior or backdoors.
In fact, when participating, not only are you putting your malicious creativity to good use but you are effectively advancing the state-of-the-art of the EVM and EVM-compilable languages. In essence, you are making the ecosystem more secure for all of us.
We need you.
When will the Underhanded Solidity Contest be happening?
Submissions are open on October 1st 2020 and close on October 31st 2020. 🛠
Where can I find more about the Underhanded Solidity Contest?
You can find more information on the official contest page at https://underhanded.soliditylang.org.
Where can I start researching for my submission?
A good place to start your research would be to look at the submissions of the first edition of the contest. The compilation of the submissions and the judges assessments can be found in this Medium blog post.
Generally speaking, you should strive to make your code as simple as possible. Simplicity is not only a goal of the contest and assessment metric but also the greatest tool in your arsenal when building these vulnerable pieces of code.
As we can see in the USCC 1st edition runner-up submission from Richard Moore, the most elegant your code is, the more threatening it looks! 😱
We can also see that the submissions for the previous edition are less about on-chain flaws but rather about EVM quirks that make a certain piece of code behave unexpectedly in the eyes of the on-looker. In the case mentioned above, this boils down to the impossibility of refusing ETH transfers between accounts, EOAs, or not.
There is, however, a slightly different route like the one taken by Martin H. Swende. In his winning submission, Martin took advantage of an actual compiler quirk while handling ABI-encoded dynamic-length arrays. He did not rely on an EVM-specific quirk.
All in all, whether relying on an EVM or compiler quirk, the best advice I can give is to focus on something that makes you “feel funny” while developing with Solidity on the EVM and leverage that until you reach an exploitable state. 👹
ConsenSys Diligence will also be involved in the contest.
Firstly, we will be sponsoring the contest with two prizes:
- A 1-year Pro MythX license (worth $2499 😱 🎉)
- A 1-year Dev MythX license (worth $499 😱 🎉)
And secondly, I (Gonçalo) will be judging the submissions to the contest.
May the Force be with all of you, new and experienced Jedi. I’m looking to see some underhanded masterpieces! 👀
Thinking about smart contract security? We can provide training, ongoing advice, and smart contract auditing. Contact us.