Underhanded Solidity Contest 2024

The submissions for Underhanded Solidity Contest 2024 are open!

The goal of the Underhanded Solidity Contest is to write seemingly innocent and straightforward-looking Solidity code which actually contains malicious behavior or backdoors.

Cubes Illusion

Theme

Based on this year’s theme, the participants are tasked with the challenge to develop smart contracts that leverage transient storage (EIP-1153), i.e. the TSTORE and TLOAD opcodes.

Transient storage is as cheap as warm storage access with both reads and writes priced at 100 gas. It is well-suited for use-cases such as cheap re-entrancy locks.

The aim of USC 2024 is to showcase a transient storage use-case in a way that looks legitimate but contains a hidden vulnerability or manipulation mechanism in the implementation that is exposed because of transient storage.

Things to keep in mind:

  • The compiler does not yet allow using transient as a data location in high-level Solidity code. For the time being, data stored in this location can only be accessed using the TSTORE and TLOAD opcodes in inline assembly.
  • Simplicity is key! The shorter the submission is, the better. For instance, leave out ERC20 functions that do not add value to the objective of the contest.
  • Bonus points if the submission includes a unique and interesting real-world scenario in the readme file.
  • Extra points for a clear and concise explanation of the vulnerability built into your submission.
  • We love being surprised! Explain the vulnerability in a separate file named rugpull.txt or spoiler.txt, so the judges can evaluate the submission without knowing where the malicious code is hidden.
Triangle Illusion

Judges

Judges are presented with anonymised submissions. This year, the submissions will be assessed by:

Zeta Illusion

Prizes

The first place will receive a ticket to Devcon SEA 2024.

The top 3 submissions will receive a ticket to the next Solidity Summit (location and dates TBA)

Furthermore, the three winners will be added to the Board of Fame. The winners and all qualified submissions will receive a custom Underhanded Solidity Contest t-shirt.

Coding Brief & Guidelines

All you need to know about contest participation and submission!

Brief

Build a decentralized app or write a smart contract that looks fair, but can be "manipulated" using transient storage opcodes in inline assembly.

This could be by, e.g., failing to reset the transient storage by the end of the call or breaking the composability of the code. The only hard requirement is that the flaw is hidden.

Plausibility & Originality

Remember to consider plausibility. Code that drops down to inline assembly without any clear reason will look immediately suspicious, no matter how cleverly written the assembly-level flaw is.

In addition to that it's needless to say that truly original and unique ideas will receive higher scores than already well known exploit/backdoor mechanisms.

Simplicity is key!

Submissions that are clear and concise will rank higher than those that are convoluted and verbose. It's easy to hide a vulnerability in complex and poorly written code, but harder to hide in clean and straightforward looking code.

Timeline

Make sure to send submissions before the end of the deadline!

Submissions open: 2024-07-31.
Submissions close: 2024-08-31.

Winners will be announced in time before Devcon SEA 2024 in November.

Open-Source License

The entirety of your submission must be licensed under an open-source license. You must not submit anything that cannot be published publicly on our blog or GitHub.

Solidity Version

Please use Solidity v0.8.24 or higher.

Submission & Participation

Please email your submissions before the deadline [2024-08-31, 11:59PM UTC] to sol_underhanded@ethereum.org. Entries should consist of a ZIP file containing a README describing your submission and how it works [spoilers into a different file!], and one or more Solidity files.

Each person can only enter one submission. If you want to make a team submission, nominate a single person to submit on your team’s behalf. Since entries will be forwarded to the judges and assessed anonymously, please do not include identifying information in the ZIP file.

Who can participate?

Anybody over the age of 18 can participate. Judges and organizers of this contest are excluded from participation. If your jurisdiction requires you to pay taxes on prizes or imposes other restrictions, please make sure to adhere to those. If taking part in such contests is prohibited in your area please adhere to your local laws.

About

Inspired by the Underhanded C Contest and the first Underhanded Solidity Contest, organized in 2017 by Nick Johnson, in 2020 the Solidity team decided that it is time for a revival. Nowadays, the Underhanded Solidity Contest takes place regularly on an annual to bi-annual basis.

The Underhanded Solidity Contest aims to:

  • Raise awareness about smart contract security.
  • Uncover language design faults.
  • Battle-test recently introduced language features and restrictions.
  • Highlight anti-patterns in smart contact development.
  • Establish new best practices for secure smart contract development.

Board of Fame

The Underhanded Solidity Board of Fame lists the winners of all Underhanded Solidity Contests throughout the years.

The first contest was helt in 2017 and evolved around the topic of "ICOs". Read more in the 2017 Winner Announcement.

The topic of the second Underhanded Contest in 2020 was "Upgrade Mechanisms". Read more in the 2020 Winner Announcement.

In 2022, the theme was "Decentralized Exchanges". Read more in the 2022 Winner Announcement.

Year Topic Name Rank
2017 ICOs Martin Swende 🥇
2017 ICOs Richard Moore 🥈
2017 ICOs João Carvalho 🥉
2020 Upgrade Mechanisms Robert M C Forster 🥇
2020 Upgrade Mechanisms Jaime Iglesias 🥈
2020 Upgrade Mechanisms Cory Dickson 🥉
2020 Upgrade Mechanisms Richard Moore 🏅
2020 Upgrade Mechanisms Marius van der Wijden 🏅
2022 Decentralized Exchanges Tynan Richards 🥇
2022 Decentralized Exchanges Santiago Palladino 🥈
2022 Decentralized Exchanges Michael Zhu 🥉

Contact

You have questions, want to get involved by sponsoring a prize, helping with judging or proposing a theme for the next Underhanded Solidity Contest? Then feel free to get in touch!