Solidity Underhanded Contest

The Solidity Underhanded Contest is finally back!

The goal of this contest is to write innocent-looking Solidity code, which pretends to be clear and straightforward, but actually contains malicious behavior or backdoors.

Theme

This year's theme is upgradable contracts, or, more specifically, upgrade mechanisms.

In order to fix bugs in smart contracts, it is often necessary to perform upgrades. The problem with upgrades is that there is no feasible automatic mechanism to verify that the new code still does what the old code intended to do. Because of that, upgrade mechanisms are often designed such that a single account has the ability to change the code arbitrarily. Since a smart contract in which a single account is authorized to arbitrarily change its implementation defeats the idea of decentralization, we would like to use this contest to find mechanisms that are better suited, be it via an opt-out mechanism, a way to split the contract, or whatever else you can come up with. At the same time, this mechanism has to have a flaw or backdoor that is not easy to discover, so that in the end there is still a single account in control, even if it does not seem like it.

To keep submissions reasonably sized, the contract that is actually to be upgraded should be very small, e.g. an ERC20 contract or a simple registry. Note that the flaw should be in the upgrade mechanism, not in the main contract: you do not have to come up with a reason to actually upgrade the contract, but a little “story” around the hack is always nice, too.

Judges

Judges are presented with anonymised submissions. The submissions will be assessed by:

  • Alex Beregszaszi, Solidity Co-Lead at Ethereum Foundation.
  • Austin Williams, Security Researcher at OpenZeppelin.
  • Christian Reitwiessner, Solidity Co-Lead at Ethereum Foundation.
  • Gonçalo Sá, Security Engineer at ConsenSys Diligence.
  • Stefan Beyer, Lead Auditor at Solidified.

Prizes

The prizes are sponsored by several Ethereum-related security projects as well as the Ethereum Foundation. Each winner, starting with the 1st place, can choose a prize from the pool.

Furthermore, the winners and all qualified submissions will receive a custom NFT.

Coding Brief & Guidelines

All you need to know about contest participation and submission!

Brief

Design an upgrade mechanism that looks “safe” (with opt-in/opt-out option) but has a backdoor. This means that users should believe that they have control over the upgrade process, either by opting out of the upgrade, splitting the contract or something similar, but in fact, the deployer still has full control. The main contract is not important and should be as small as possible.

Plausibility & Originality

Remember to consider plausibility. Code that drops down to inline assembly without any clear reason why will look immediately suspicious, no matter how cleverly written the assembly-level flaw is.

In addition, truly original ideas will receive more points than reuse of already well-known exploit or backdoor mechanisms.

Simplicity is key!

Submissions that are short and clean will be scored higher than those that are lengthy and complicated. It’s easy to hide a vulnerability in complex and poorly written code; far harder to hide it in clean and simple code.

Timeline

Make sure to send submissions before the deadline.

Submissions open on 2020-10-01.
Submissions close on 2020-10-31.
Winners will be announced by the end of November.

Open-Source License

The entirety of your submission must be licensed under an open-source license. You must not submit anything that cannot be published.

Solidity Version

Please use Solidity v0.7.0 or newer.

Submission & Participation 📩

Please email your submissions before the deadline (2020-10-31) to sol_underhanded@ethereum.org. Entries should consist of a ZIP file containing a README describing your submission and how it works (spoilers included), and one or more Solidity files.

Each person can only enter one submission. If you want to make a team submission, nominate a single person to submit on your team’s behalf. Since entries will be forwarded to the judges and assessed anonymously, please do not include identifying information in the ZIP file.

Who can participate?

Anybody over the age of 18 can participate. Judges and organizers of this contest are excluded from participation. If your jurisdiction requires you to pay taxes on prizes or imposes other restrictions, please make sure to adhere to those. If taking part in such contests is prohibited in your area please adhere to your local laws.

About 📖

Inspired by the Underhanded C Contest and the first Underhanded Solidity Contest, organized in 2017 by Nick Johnson, the Solidity team decided in 2020 that it was time for a revival. We hope this contest will get the traction it deserves, in which case we could consider turning it into a recurring event.

The Solidity Underhanded Contest aims to:

  • Raise awareness about smart contract security.
  • Uncover language design faults.
  • Battle-test recently introduced language features and restrictions.
  • Highlight anti-patterns in smart contract development.
  • Establish new best practices for secure smart contract development.

A big thank you to ConsenSys Diligence, Solidified, OpenZeppelin, and the Ethereum Foundation for contributing prizes, supporting with judging and all their input!

Get in touch 📮

Do you have questions, or want to get involved by sponsoring a prize, helping with judging, or proposing a theme for the next Solidity Underhanded Contest? Then feel free to reach out to us!