List of CTF in Ethereum world

I'd like to maintain a list of ctf related to solidity smart contracts. (both testnet and mainnet) You have to install Metamask plug-in in your browser.

CTF in Ropsten

• Capture the Ether
• OpenZeppelin Ethernaut
• ChainShot
• Security Innovation Blockchain CTF
• CTF developed by Reddit user u/wadeAlexC (Deployed from Jun-23-2018 to Sep-16-2018)
  • Original contracts
    • PART1 - FunctionTypes
    • PART2 - SafeExecution
    • PART3 - HoneyPot
    • PART4 - FinePrint
• CTF developed by Reddit user u/eththrowaway4 (Deployed on Jul-02-2018)
  • Original contract
    • 0x0dAabcE0a1261B582e0d949EbCA9DFf4c22C88ef

CTF in Mainnet

• CTF developed by pvienhage (Deployed on Nov-29-2018)
  • Original contracts
    • 0x7cd03C9f1D2dc95358B1992e9afc857aeaab45D5 (0.25 ether, GONE) Source Code
    • 0x8bd25c23d1d01e3216f3410146153f14775dbb6f (0.5 ether, GONE)
    • 0xf278b6fcbc091640082475d36db19da5123da79e (1 ether, GONE)
  • Walkthrough by author
• CTF developed by p4d (Deployed on Dec-07-2018)
  • Original contract
    • 0x661a64DcC2f04117D0F8A919E2aC66aF8d401d6 (1 ether, GONE)
    • Source Code (Bot stole the prize)
    • Safe Version (Use of OneTimeToken)
• CTF developed by ConsenSys Diligence (Deployed on Feb-26-2019) (The first of a series)
  • Announcement
  • Original contract
    • 0x68Cb858247ef5c4A0D0Cde9d6F68Dce93e49c02A (GONE, resolved by @samczsun)
    • Solution writeup written by samczsun (200 DAI bounty reward)

LOCAL CTF

• DamnVulnerableDeFi
  • Website
  • Repo
• Paradigm CTF 2021
  • Repo
• Paradigm CTF 2022 (TBA)
  • Website

CTF-BOT Resistant

I developed a simple utility contract, OneTimeToken (OTT), for mitigate the issue regard CTF and every contracts where a malicious user or bot could listen on blockchain and wait to find useful info, for instante to discover the input parameters needed to call functions for winning a CTF and create the same transaction with higher gas fees.

The contract OneTimeToken.sol is similar to Ownable.sol developed by OpenZeppelin, but it includes the way to request a token access for a fixed time (15 minutes by default), it also can be changed by contract owner. In this way only the owner of token access can do some sensitive function calls until the token access expired and someone else request it.

Implementation

pragma solidity ^0.5.0;
import 'https://github.com/PumpkingWok/CTFGym/contracts/OneTimeToken.sol';
contract CTF is OneTimeToken {
  function resolveCTF(solution) onlyTokenOwner {
  }
}

Every ctf creator, for instance, could use it in easy way only including ´onlyTokenOwner´ in sensitive functions.

The user that find the solution to the challenge, can call resolveCTF(solution) in safe mode having token access (requestTokenOwner() in OTT).

Resources

• Solidity Official Documentation
• CryptoZombies smart contracts courses
• Program the Blockchain
• Mythril Classic: Security analysis tool for Ethereum smart contracts
• Consensys Smart Contract Security Best Practices
• Ethereum Explained: The EVM (video)
• EVM Codes (EVM playground)
• EVM Deep Dives (made by noxx)
• EVM Puzzles (made by fvictorio)

Contribute

You feel free to collaborate in any way, it would be much appreciated.