| Yvette Johnson on Thu, 17 Aug 2017 02:16:45 +0200 (CEST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: <nettime> Underhanded Solidity Coding Contest |
Near the Freer (DC) Re-opening to visitors October 14-15 Yvette, '91 Sent from my iPad > On Jul 4, 2017, at 6:13 AM, Felix Stalder <felix@openflows.com> wrote: > > > ./ Underhanded Solidity Coding Contest > These are not the backdoors you are looking for. > > http://u.solidity.cc/ > > 1st Underhanded Solidity Coding Contest > > The Underhanded Solidity Coding Contest is a contest to write harmless > looking Solidity code that conceals a hidden purpose. A good USCC entry > looks like a clearly and straightforwardly written smart contract, but > contains well disguised vulnerabilities that ensure its actual operation > differs significantly from what the reader would expect. The USCC is > inspired by the similar Underhanded C Coding Contest. > > Theme > > The theme for the first contest is “ICOs”. > > You are the lead developer of a groundbreaking new product, Merdetoken > (MDT). Investor demand has been heavy, and soon you plan to announce an > initial distribution of coins to the eager public. > > Unfortunately, investors are getting more demanding, asking projects for > assurances such as payout contracts that release funds over time and > require the approval of investors, and smaller caps with better pricing > mechanisms. All of this significantly impacts your master plan to take > in a hundred million dollars in token sales and then retire to a nice > island, saddling your intern with the task of actually writing something > - eventually. > > But you will not be deterred. Being well versed in solidity and > sneakiness both, you’re confident you can come up with a tokensale > contract that will pass the most careful audit, but still allow you to > quickly retire to your tropical paradise with your ill-gotten gains. > > Brief > > Entrants must write a contract that in some way relates to ICOs - such > as an ERC20 token contract, a contract for selling tokens, or one that > conditionally pays funds out to project creators - with some critical > vulnerability that can be exploited to enrich the project creators. > > Examples might include: > > - A crowdsale contract that allows certain participants to get more > tokens than they ought to. > > - A disbursement contract that lets the project creators withdraw all > the funds at once. > > - A token contract that allows stealthy creation of additional tokens. > > Rules and Scoring > > Submissions that are shorter and cleaner will be scored higher than > those that are lengthy and complicated. It’s easy to hide a > vulnerability in complex and poorly written code; far harder to hide it > in clean and simple code. > > Bugs are worth more points if, once discovered, they can be plausibly > dismissed as coder error. > > An error that arises from users misinterpreting code (such as confusing > scoping, misleading variable names, etc) is just as valuable as one that > exploits the language or the EVM itself. The goal is simply to pass > inspection by a human. > > Remember to consider plausibility. Code that drops down to inline > assembly without any clear reason why will look immediately suspicious, > no matter how cleverly written the assembly-level flaw is. > > Submission guidelines and deadline > > Email submissions to underhanded-submissions@solidity.cc. Entries should > consist of a ZIP file containing a README describing your submission and > how it works (spoilers included), and one or more Solidity files. > > The entirety of your entry must be submitted under the Creative Commons > Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license. You must not > submit anything that cannot be submitted under that license. > > Judges will compile your code using a recent version of Solidity. You > may specify a particular version in your source files - but you should > expect this to raise some major red flags with the judges. > > Each person may enter only once. If you wish to make a team submission, > nominate a single person to submit on your team’s behalf. > > Please do not include identifying information in the ZIP file; entries > will be sent to judges anonymously. > > July 1, 2017: Submissions open > July 31, 2017: Submissions close > September 1, 2017 or before: Winners announced > Frequently Asked Questions > > Who can participate > > Anyone over the age of 13 except the judges and the organiser, Nick > Johnson, and those who live in areas where contests of this kind are > prohibited. > > Why are you doing this? > > Writing secure code is as much about behaving in a way users expect as > it is about the technical aspects of software engineering, and ‘hacking’ > is as much about exploiting differences between expected behaviour and > real behaviour as it is about finding an exploiting bugs. We want to > highlight this discrepancy, and make people think hard about how things > actually work. In the process, we hope people will learn more about > writing secure software, and establish new guidelines and best practices > to help reduce the risk of ‘underhanded’ coding adversely affecting a > real project. > > Are you encouraging people to be evil or underhanded? > > No - quite the reverse. Our goal is to highlight anti-patterns in smart > contract development, so people are more aware of and can avoid the > pitfalls when writing and reviewing smart contract code. > > Judges > > Judging this first contest are: > > - Christian Reitwiessner, Solidity lead developer > - Matthew Di Ferrante, Security engineer & code auditor > - Raine Revere, Prism lead architect > - Reto Trinkler, Melonport CTO > - Yudi Levi, Localcoin CTO > > Judges are presented with anonymised submissions, and provide scores and > commentary. The scores across all judges will be aggregated to determine > the final score of each entry. > > Prizes > > The Ethereum Foundation has contributed a Devcon3 pass and an > opportunity to present your winning entry, which the contest is offering > as a first prize. > > Second place prize is 10 MLN tokens from Melonport. > > Contest void where prohibited by law. If your jurisdiction requires you > to pay taxes on prizes or imposes other restrictions, it’s up to you to > adhere to those. Every attendee to Devcon3 must comply with and be > subject to the terms and conditions and code of conduct of Devcon3 and > this includes those who attend through the grant of this prize. > > The judges may, at their discretion, nominate any number of additional > ‘honorable mentions’ for examination and approbation on the website. > > Anyone wishing to offer additional prizes, or with questions about the > contest, should email underhanded@solidity.cc. > > -- > > ||||||||||||||||||||||||||||||||| http://felix.openflows.com > |OPEN PGP: https://pgp.mit.edu/pks/lookup?search=0x0C9FF2AC > > # distributed via <nettime>: no commercial use without permission > # <nettime> is a moderated mailing list for net criticism, > # collaborative text filtering and cultural politics of the nets > # more info: http://mx.kein.org/mailman/listinfo/nettime-l > # archive: http://www.nettime.org contact: nettime@kein.org > # @nettime_bot tweets mail w/ sender unless #ANON is in Subject: # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime@kein.org # @nettime_bot tweets mail w/ sender unless #ANON is in Subject: