Announcing the first Cardano CTF!

Vacuumlabs Auditing
3 min read · Jan 22, 2024


We are thrilled to announce that over the last few months, we have been working hard on the Cardano Capture The Flag (CTF) game — a game where Cardano developers and enthusiasts can try to exploit purposely vulnerable smart contracts and learn about the most common security issues and how to prevent them.

We are now ready to share the first 7 tasks and to hear your thoughts! The CTF was funded through Project Catalyst and we want to express our deepest thanks to everyone who voted for us. With that said, let’s get to it!

Cardano CTF is out now!

The main goal of the CTF is to educate its players about Cardano smart contract development, interacting with smart contracts and, most importantly, about the security of Cardano smart contracts.

In every level, players are faced with a vulnerable smart contract and a sample “happy case” interaction with it. The players are then expected to look at the given code from the point of view of a hacker and try to find a vulnerability and exploit it. We believe this mindset plays a crucial role in smart contract development and is much needed.

Players have the opportunity to gain hands-on experience with the following concepts and technologies:

  • Cardano smart contract vulnerabilities — Each challenge presents the players with a vulnerable smart contract. To succeed in a task, the players need to exploit the vulnerability directly on the Cardano testnet. To speed up their efforts, they can also test their attack locally before trying it on the testnet. The smart contract vulnerabilities are presented in increasing order of complexity.
  • Aiken — The smart contract language we chose for the smart contracts, as we find the development environment easy to set up and the language to have a smooth learning curve. The players will need to learn to read Aiken, and for later tasks even to write it. Please note that most Cardano smart contract vulnerabilities are independent of the language used, and most if not all of the vulnerabilities presented could equally be replicated in Plutus, Plutarch, etc.
  • Lucid (Typescript) — The smart contracts also need to be interacted with, which usually happens behind the scenes in the off-chain code of an application. We decided to use Lucid for this, as Typescript is a commonly used and widely known language, and we believe it is easy to learn to a sufficient level even for players who have no prior knowledge of it. The players are expected to read, write or modify Lucid code in each challenge.

The CTF is one of the first resources for Cardano developers or auditors where they can learn about Cardano smart contract vulnerabilities. We believe that such information should be public to everyone and we have plans to continue our efforts in the form of more Project Catalyst proposals, educational blog posts, and new CTF tasks.

Let’s play!

Everything you need is contained within the official open-source cardano-ctf repository. You just need to clone the repository and follow the instructions in the README file.

We also encourage you to join our Discord server where you can chat with us and other players about your solutions and any potential problems you encounter.

Stay tuned

That is not all! While we are in the last stages of the CTF development, we have more exciting stuff coming!

  • Next month we will release 3 more CTF tasks. These tasks will be even more difficult and will showcase some of the more interesting vulnerabilities.
  • After that, we will be publishing Medium blog posts about the solutions to the tasks, explaining each of the vulnerabilities and discussing potential prevention mechanisms.
  • We have a new Catalyst proposal. Our proposal helps by removing some of the obstacles in bringing more coins to Cardano, especially concerning stablecoins and fractionalized assets.
