The next puzzle in the series continues challenging players to empty a DeFi lending pool through any means necessary. Here is the challenge:

A surprisingly simple lending pool allows anyone to deposit ETH, and withdraw it at any point in time. This very simple lending pool has 1000 ETH in balance already, and is offering free flash loans using the deposited ETH to promote their system. You must steal all ETH from the lending pool.

The challenge.js file performs basic setup on the vulnerable pool contract and deposits some initial balance:

Let’s take a look at the SideEntranceLenderPool contract to see if we can spot any…


Let’s dive into the next challenge called Truster in the OpenZeppelin’s fun wargame:

More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free. Currently the pool has 1 million DVT tokens in balance. And you have nothing. But don't worry, you might be able to steal them all from the pool.

The challenge sets up a lending pool instance of TrusterLenderPool and deposits 1M ETH:

The TrusterLenderPool has a single function called flashLoan which can lend any requested amount to the borrower address as long as that amount is returned by the end of the…


Continuing our exploration of the Damn Vulnerable DeFi wargame, the next puzzle is called Naive receiver. It challenges players to drain a DeFi user’s account:

There's a lending pool offering quite expensive flash loans of Ether, which has 1000 ETH in balance. You also see that a user has deployed a contract with 10 ETH in balance, capable of interacting with the lending pool and receiving flash loans of ETH. Drain all ETH funds from the user's contract. Doing it in a single transaction is a big plus ;)

The challenge file sets up a lending pool and a user receiver contract. The receiver contract is configured with the lending pool address so that it could interact with…


Damn Vulnerable DeFi is an Ethereum smart contract wargame developed by @tinchoabbate from OpenZeppelin. The competition includes 8 unique challenges educating players about various DeFi vulnerabilities.


In this article, I will share basic set up steps to get you started on the challenges and go over the first challenge.

Wargame Setup

To begin playing the wargame, you have to set up your local environment first. Start by cloning the challenges repository from GitHub and installing the Node dependencies:

% git clone https://github.com/OpenZeppelin/damn-vulnerable-defi.git
% cd damn-vulnerable-defi
% npm install

Once you install all of the dependencies you can test the environment by listing available challenges as…


Last week I had a lot of fun with the latest blockchain investigation competition put together by folks at Anchain. The competition spanned two weeks and included a number of questions challenging players to dig through Ethereum blockchain transaction and smart contract data. In addition to many freely available tools, participants were also offered a free license of Anchain’s CISO blockchain analytics platform which made the analysis a lot easier.


In this write-up I will discuss blockchain analytics tools, techniques, and lessons learned while solving challenges. I will only focus on solving the last (and hardest) challenge, investigating the infamous exit scam and the eventual return of funds by SushiSwap’s Chef Nomi back in September 2020. My goal is to share the investigation steps so that you, the reader, would also be inspired to participate in future contests or maybe even make this your future career. Check out my Blockchain Threat Intelligence newsletter for ideas on how to contribute to this field. …


On November 5th, 2019 I had a great experience attending a new conference in the Bay Area called Disclosure. Even though this was its first year, Disclosure gathered an amazing speaker lineup including Katie Moussouris, Dan Kaminsky, Jennifer Granick, Juan Andres Guerrero-Saade and many others.

Disclosure 2019 hallways

The conference reserved a beautiful venue at the Westin St. Francis hotel with a single large ballroom for the talks. The hallways leading to the event were lit up in a futuristic purple light, with a number of posters carrying various ciphers for the scavenger hunt competition:


Defcon 27 featured a Blockchain Security Village with a number of excellent talks and contests. During the event, I had the pleasure of competing and winning a smart contract security CTF called Chain Heist. The contest was sponsored by Synopsys and featured 23 challenges of varying difficulty.

The write-up below will cover information about the game as well as solutions for some of my favorite challenges.

The Interface

One of the highlights of the game was a beautiful interface which was built as an Ethereum DApp capable of automatically deploying contracts for each player. …


We are pleased to announce the completion of our Blockchain Security competition — Capture the Coin. Our mission was to promote the field of blockchain security and educate players in the areas of cryptography, smart contracts, forensic analysis, malware, and others. We are excited that so many of you participated and hope you were inspired to join the good fight to make the future open financial system safer for all.

Prizes

The prize for all of the top contest participants is a custom laser etched steel wallet. …


https://capturethecoin.org

Do you enjoy solving puzzles? Are you into cryptography, learning the nitty gritty details of various blockchain implementations, smart contracts, and cryptocurrency wallets? If you answered “yes” to any of these questions then you might have what it takes to Capture the Coin, a capture-the-flag-style competition by the Coinbase Security team.

Tackle various challenges at the intersection of cryptocurrency and security fields including blockchain investigations, crypto-stealing malware, smart contract and bitcoin script exploitation, various cryptography puzzles, and plenty of trivia.

We invite everyone to join us to have some fun, solve challenges, and win a very unique prize!

The Capture the Coin competition will open on August 9 at 10am PST. You can play online and at Defcon’s Blockchain Village. Also join us for the contest kick off talk on August 9 at 11:40am PST. …


By Jeremiah O’Connor and Peter Kacherginsky

In Electrohunt Part 1, we outlined the recent phishing and malware campaigns targeting the Bitcoin Simple Payment Verification wallet Electrum. In this portion we will discuss the continued onslaught by these financially motivated criminals on the Electrum network and its users. We will analyze some of the different actors and trends we are seeing as of late in the criminal cryptosphere. …

About

Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net
