Underhanded Underhanded Contest

The Underhanded Solidity Contest 2020 is over!

Read about the winning submissions in the 2020 winner announcement or check out all submissions in here.

The goal of the Underhanded Soldity Contest is to write innocent-looking Solidity code, which pretends to be clear and straightforward, but actually contains malicious behavior or backdoors.


Cubes Illusion

Theme

This year's theme is upgradable contracts, or, more specifically, upgrade mechanisms.

Upgrades are a frequently used practice and are often necessary, e.g. to fix bugs in smart contracts. The problem with upgrades lays in the fact that, most times, users aren’t presented with the upgrade beforehand and no consent is needed from the users to execute it. Upgrade mechanisms are often designed such that a single account has the ability to change the code arbitrarily. However, a smart contract in which a single account is authorised to arbitrarily change its implementation defeats the idea of decentralization.

Come up with an upgrade mechanism that seems fair and safe (e.g. by implementing an opt-out mechanism or a way to split the contract) but has a flaw or backdoor. The backdoor should be hard to discover and, in the best case, results in a single account having full control, even if it does not seem like it.

To keep submissions reasonably sized, the contract that is actually to be upgraded should be very small, e.g. an ERC20 contract or a simple registry. Note that the flaw should be in the upgrade mechanism, not in the main contract - you do not have to come up with a reason to actually upgrade the contract, but a little “story” around the hack is always nice, too.

Triangle Illusion

Judges

Judges are presented with anonymised submissions. The submissions will be assessed by:

  • Alex Beregszaszi, Solidity Co-Lead at Ethereum Foundation.
  • Austin Williams, Security Researcher at OpenZeppelin.
  • Christian Reitwiessner, Solidity Co-Lead at Ethereum Foundation.
  • Gonçalo Sá, Security Engineer at ConsenSys Diligence.
  • Stefan Beyer, Lead Auditor at Solidified.
Zeta Illusion

Prizes

The prizes are sponsored by several Ethereum-related security projects as well as the Ethereum Foundation. Each winner, starting with the 1st place, can choose a prize from the pool.

Furthermore, the winners and all qualified submissions will receive a custom NFT.

Coding Brief & Guidelines

All you need to know about contest participation and submission!

Brief

Design an upgrade mechanism that looks “safe” (with opt-in/opt-out option) but has a backdoor. This means that users should believe that they have control over the upgrade process, either by opting out of the upgrade, splitting the contract or something similar, but in fact, the deployer still has some form of control. The main contract is not important and should be as small as possible.

Plausibility & Originality

Remember to consider plausibility. Code that drops down to inline assembly without any clear reason why will look immediately suspicious, no matter how cleverly written the assembly-level flaw is.

In addition to that it's needless to say that truly original ideas will receive more points than making use of already well known exploit/backdoor mechanisms.

Simplicity is key!

Submissions that are short and clean will be scored higher than those that are lengthy and complicated. It’s easy to hide a vulnerability in complex and poorly written code; far harder to hide it in clean and simple code.

Timeline

Make sure to send submissions before the end of the deadline.

Submissions open on 2020-10-01.
Submissions close on 2020-10-31.
Winners will be announced by the end of November.

Open-Source License

The entirety of your submission must be licensed under an open-source license. You must not submit anything that cannot be published.

Solidity Version

It is highly encouraged to use Solidity v0.7.0 or newer. If you want to use a version of the 0.6 series, please make sure to not make use of flaws that have been fixed in 0.7. Don't use versions older than 0.6

Submission & Participation 📩

Please email your submissions before the deadline (2020-10-31) to sol_underhanded@ethereum.org. Entries should consist of a ZIP file containing a README describing your submission and how it works (spoilers included), and one or more Solidity files.

Each person can only enter one submission. If you want to make a team submission, nominate a single person to submit on your team’s behalf. Since entries will be forwarded to the judges and assessed anonymously, please do not include identifying information in the ZIP file.

Who can participate?

Anybody over the age of 18 can participate. Judges and organizers of this contest are excluded from participation. If your jurisdiction requires you to pay taxes on prizes or imposes other restrictions, please make sure to adhere to those. If taking part in such contests is prohibited in your area please adhere to your local laws.

About 📖

Inspired by the Underhanded C Contest and the first Underhanded Solidity Contest, organized in 2017 by Nick Johnson, in 2020 the Solidity team decided that it is time for a revival. We hope this contest will get the traction it deserves in which case we could consider turning it into a recurring event.

The Underhanded Solidity Contest aims to:

  • Raise awareness about smart contract security.
  • Uncover language design faults.
  • Battle-test recently introduced language features and restrictions.
  • Highlight anti-patterns in smart contact development.
  • Establish new best practices for secure smart contract development.
A big thank you to ConsenSys Diligence, Solidified, OpenZeppelin, and the Ethereum Foundation for contributing prizes, supporting with judging and all their input!

Get in touch 📮

You have questions, want to get involved by sponsoring a prize, help with judging or propose a theme for the next Underhanded Solidity Contest? Then feel free to reach out to us!