KIRA Network — Second Security Challenge Summary & Results

Yuri Papadin
8 min readNov 13, 2020

--

KIRA Network Team is pleased to announce the winner and runner-ups of the Second Security Challenge that took place at 12PM UTC on November 11, 2020 and was announced on our Twitter

Participants had a chance to win the Grand Prize — an allocation of 10 ETH worth of KEX and 200 USDT by solving cryptographic and security challenges that were revealed on our official blog at the start of the competition. The main goal of this challenge was to simulate a real life scenario of a Public Auction taking place in adversarial conditions and in a hostile local environment. To achieve this goal, participants were asked to import and start a virtual machine, set up MetaMask, identify the auction deposit address and transfer Kovan Testnet tokens into it.

The rules of the competition stated that only one person can be the finalist along with four runner ups. The key criteria for winning was to exercise and prove your diligence, describe and capture your thinking process, supported by documentation of all executed steps. Time limit was implied to create stress conditions in which participants might be inclined to rush (just like in case of a real auction), while having all of the information required to solve the challenge available to everyone in our publications: Don’t Trust. Verify & Don’t Trust. Verify. Twice.

We decided to reward individuals, who were not in the first place yet still provided correct and sufficiently detailed responses, demonstrating full understanding of the verification and security constraints, with 50 USDT and an allocation spot, which allows to acquire up to 3 ETH worth of KEX tokens. Although it was not possible to edit submissions, it was possible to re-submit results until midnight allowing everyone to learn from their mistakes and potentially provide correct and fully detailed answers after analyzing results of their own submission.

WARNING!!!

SPOILERS AHEAD. IF YOU HAVE NOT YET COMPLETED THE CHALLENGE BUT WOULD LIKE TO LEARN OR TEST YOUR SKILLS, SEE INSTRUCTIONS HERE BEFORE READING ANY FURTHER.

Statistics

In the final statistics we only took into account transactions, which were executed to the correct deposit address from within the provided Virtual Machine. Use of any other environment was not allowed.

All Transfer — First Attempts — Correct vs Incorrect

Out of all challenge solution transactions over 91% failed on their first attempt. In the real life scenario this would result in total and irrecoverable loss of funds. Majority of participants found it difficult to verify the correct deposit address or failed to verify it again just before executing the transfer.

All Submissions — Incorrect Answers Summary

Out of participants who followed instructions, but submitted incorrect answers, almost 52% did not manage to identify the withdrawal address. Participants primarily trusted invalid signatures generated by an account that did not have a verified kira.network DNS. Remaining 44% of failures occurred primarily due to participants not checking addresses in withdrawal transactions before submitting them despite being fully aware of the correct deposit address!

Challenges

The objective of this challenge was to transfer testnet tokens to a specified address and learn from this experience. All tasks had to be followed precisely in order to simulate real life events and for that reason certain relaxed security assumptions had to be accepted by the participants. In real life, if any doubt arises, users must abandon execution of all tasks and attempt recovery of their personal data without turning on their machines. Any suspicion of an attack on trusted sources must immediately result in users stopping any operations and interactions with compromised sources and reporting such issues to relevant support channels.

Step 1 — VM Setup

In the previous publication participants were asked to install, setup and learn to utilize Virtualization Software in order to isolate their working environment. This knowledge was necessary to quickly progress through Step 1 of the competition. Contestants had to download, and import the Virtual Machine File. The major obstacle was to download a large VM image file. KIRA Team decided to possibly extend the competition if that would be a major issue for its participants. Fortunately, that was not the case and all participants finalized tasks within the 12 hour time limit.

Solution:
There were no incorrect ways to execute this part of the challenge as long as participants managed to start the virtual machine provided to them. All further tasks had to be executed within the VM environment provided. This was done to simulate various attacks and security threats. Submissions that did not utilize the provided VM environment to execute further steps were not taken into account.

Step 2 — Setup Metamask

The MetaMask was already pre-installed within the VM along the Chrome browser. There were no modifications made to the original software and participants had to simply create new Ethereum accounts and claim free Kovan Testnet Tokens to the new address they created.

Solution:
There were no incorrect ways to execute this part. All participants successfully passed this step and no risks or obstacles were present.

Step 3 — Identify Challenge Deposit Address

Identification of the deposit address was the first security challenge. The intended simulation was of the DNS hijacking scenario, where the attacker redirects requests incoming from the client to a maliciously deployed website posing as the legitimate source. The actual https://kira.network service was never altered, and the Local DNS hijacking was utilized, meaning that the VM was altered to redirect all requests coming from an insecure connection to the malicious page deployed locally within the VM. Only secure connections were allowed to pass to the legitimate address containing a real webpage and the Challenge Deposit Address. Contestants were further informed that the Challenge Deposit Address contains 1 KEX tokens deposited within it to further indicate legitimacy of the address.

Solution:
Contestants were provided with the non secure address “challenge.kira.network” which lacked the proper HTTPS prefix. In order to pass this step users had to notice that the website they just accessed was not secure and correct it.

The fake website contained a correctly signed message, however the account which created the signature did not possess a verified and legitimate kira.network DNS address which implied that it could have been created by an attacker.

The fake address further possessed a 1 KEX token deposited from the illegitimate KEX contract address, which was different than the provided real testnet KEX token contract. Verification of the contract address further proves the malicious intent.

All those who added the “https” prefix to the request after noticing the “Not secure” connection were automatically redirected to the https://success.kira.network website which contained the legitimate address 0x41dC457f1746118185A4dE924497CD3e97893f62 and signature, generated by the legitimate keybase account possessing a verified kira.network DNS.

The real challenge deposit address further possessed a 1 KEX token originating from the real testnet KEX token contract. Verification of the contract address further proves legitimacy of the account.

Step 4 — Deposit Testnet Tokens

Until now all participants encountered challenges that were already explored in the previous security contest. This time a new obstacle was introduced from within the VM sumulating malicious software that was tampering with data integrity. It is worth mentioning that such a scenario should be anticipated by everyone at all times and should not be treated as a feature of this challenge! This vulnerability was designed so that while the verification of the signature was possible, the copy /pasting of the legitimate deposit address would result in an address swap. To make detection of the fake address even more difficult, a Vanity Address was used, meaning that both fake and real addresses were closely resembling one another.

Solution:
To pass this challenge successfully, participants had to VERIFY if the address they copied and pasted to MetaMask was the same as the real deposit address that they previously discovered and corrected.

Results

The rules of the competition stated that only one person can be the finalist along with four runner ups. The key criteria for winning was to prove your diligence, describe and capture your thinking process, supported by documentation of all executed steps.

All knowledge required to complete this challenge can be found within the following publications:

We decided to reward all individuals, who were not in the first place yet still submitted or resubmitted correct and sufficiently detailed responses, demonstrating full understanding of the verification and security constraints, with 50 USDT and an allocation spot, which allows to acquire up to 3 ETH worth of KEX tokens.

The Grand Winner of this competition #1 receives a 200 USDT prize and an allocation spot, which allows to acquire up to 10 ETH worth of KEX tokens. Email addresses (lower-case) of the winners are Blake3 hashed as follow:

  • #1: 0f56…8842
  • #2: 4975…f9ef
  • #3: 23b4…09b5
  • #4: a5b8…30e4
  • #5: cbff…84b2
  • #6: c229…d7f9
  • #7: 427b…e02a

To verify if you are one of the winners:

Step 1: Visit: https://connor4312.github.io/blake3/index.html

Step 2: Input the email address (lowercase) that you provided in your submission form

Step 3: Output will be a Blake3 hash of your email

Step 4: Search first 4 and last 4 characters of your Hash in the list of winners

Summary

All necessary tools, scripts and configurations required to execute this challenge were designed in-house by the KIRA Team specifically for the purpose of this competition. No third party scripts or malware was ever used in preparation of the virtual environment. We are not going to disclose exactly how the vulnerabilities were implemented not to encourage or provide tools for others to potentially harm or otherwise deceive anyone IRL. The VM files did not collect or send any personal information about participants and can’t harm anyone following the competition steps. Despite that we recommend to discard the provided VM files and never use them for any other purpose in the future.

We hope that through this challenge many more people became aware of potential threats and can secure themselves better in the upcoming public round. It is amazing to see many participants noticing their faults, learning from their mistakes and resubmitting forms correctly. We want to congratulate all winners and those who participated, trying their best to exercise due diligence. We hope that many of you will join us soon in the upcoming public testnet and thus further contribute to building KIRA Network together.

--

--