Cracking the Code: Solving the Mini 24-Hour Hackathon

This is a quick look over how to solve the mini 24-hour hackathon we released last week. For some of you, this was even the first bit of code you ever wrote, so for those who fell short, here is a quick guide on what you needed to do to solve the problem.

The Problem

The hackathon asked you to withdraw exactly “1 mHOPR” from a node which had exposed its credentials: “API URL” & “API KEY”.

The API KEY that was “exposed” was actually a key created using the new capability-based API feature to generate a token which would allow you only to access the “accountWithdraw” endpoint of the node at the API level.

Conceptual Solution

To communicate with a HOPR node or to another device in general, you need two things:

• An endpoint to send your instructions/requests to
• A way to structure your instructions, so the device understands it (the relevant API)

So to solve this problem, you need to find these two pieces of information on the HOPR docs.

What You Needed To Find

You were provided with the information that you needed to use the “accountWithdraw” API, so the first step was to locate this on the HOPR documentation at: https://docs.hoprnet.org/developers/rest-api

The first two things that you needed to find here were:

1. The endpoint suffix is “/api/v2/account/withdraw”
2. The API Key is added as a header parameter

This, paired with the leaked credentials, you now have roughly the following information.

• Send the request to “http://142.93.5.175:3001/api/v2/account/withdraw"
• In the header of the request, add x-auth-token=PZjS7imRpmoPNziYF7–2kCGvG-UfaG1XsdiKEMApGV4
• It is a “POST” request

In general, what information you are looking for is much more intuitive if you have ever worked with this kind of logic before, which is why we give out tips to less experienced participants on our Telegram for these events.

Next, you need to find what to include in your request. Here you can see there are three parameters, all of which are required.

• Currency: can be “HOPR” or “NATIVE” with that exact spelling. We are trying to withdraw Hopr tokens, so we would need to set this to: “HOPR”.
• Amount: a number counted in the smallest unit of that currency. HOPR tokens have 18 decimal places, so 1 HOPR/mHOPR token would be requested as “1000000000000000000”.
• Recipient: this is just the wallet address you want to withdraw your funds to.

There is even an example of how to format your parameters within the payload of the request. A request consists of a payload and a header, so using the formatting and all the information you have found. You should conclude your request will look something like this:

API_URL = “http://142.93.5.175:3001/api/v2/account/withdraw"

headers = {
‘x-auth-token’: “PZjS7imRpmoPNziYF7–2kCGvG-UfaG1XsdiKEMApGV4”
}

payload = {

“amount”: “1000000000000000000”,
“currency”: “HOPR”,
“recipient”: “YOUR_WALLET_ADDRESS”

}

This is all the information you had to find to make this request to the exposed node. Now you just need to choose a method to make the “POST” request.

How To Make This Request

Here are a few quick examples of how to make this request, but you could use any coding language or API platform.

Note:

• I’ve added the header key/value: ‘Content-Type’: ‘application/json’ just for good practice.
• There is no wallet address added & the security token from the hackathon is now expired so you would need to substitute in working credentials to use these methods now.

Using Curl

You could send the request through your terminal using curl, similar to the following.

curl -X POST http://142.93.5.175:3001/api/v2/account/withdraw \
  -H "Content-Type: application/json" \
  -H "x-auth-token: PZjS7imRpmoPNziYF7-2kCGvG-UfaG1XsdiKEMApGV4" \
  -d '{"amount": "1000000000000000000", "currency": "HOPR", "recipient": "YOUR_WALLET_ADDRESS"}'

Using Postman

You could send the request using an API platform like Postman on your browser/desktop. With postman, you would need to create a new “POST” request to the correct endpoint and add the values to the header and body of the request as below.

Using Python

With python, you could similarly format a request by using the json/requests libraries.

import requests
import json

api_key = 'FBg4ns - 2RHeNsB754tx5uM8v9lVXLSnN7IiSEVl09I'
api_url = "http://142.93.5.175:3001/api/v2/account/withdraw"

payload = json.dumps({
"amount": "1000000000000000000",
"currency": "HOPR",
"recipient": "0x5E14F9ba0F2aa3D3A11cF2823d0E45F0636a8baf"
})

headers = {
'x-auth-token': api_key,
'Content-Type': 'application/json'
}

response = requests.request("POST", api_url, headers=headers, data=payload)

Using JavaScript (Node.js)

To make the request using JavaScript and Node.js, you’ll need to install the node-fetch package:

npm install node-fetch

Then, create a new JavaScript file (e.g., withdraw.js) and add the following code:

const fetch = require(‘node-fetch’);
const API_URL = 'http://142.93.5.175:3001/api/v2/account/withdraw';
const headers = {
'Content-Type': 'application/json',
'x-auth-token': 'PZjS7imRpmoPNziYF7–2kCGvG-UfaG1XsdiKEMApGV4',
};

const payload = {
amount: '1000000000000000000',
currency: 'HOPR',
recipient: 'YOUR_WALLET_ADDRESS',
};

fetch(API_URL, {
method: 'POST',
headers: headers,
body: JSON.stringify(payload),
})

.then((response) => response.json())
.then((data) => console.log(data))
.catch((error) => console.error('Error:', error));

Save the file and run the script using Node.js:

node withdraw.js

This will execute the request and print the response to the console.

Transferrable knowledge

Regardless of your method, the key takeaway is how to interact with a HOPR node conceptually. If you understand the basics of this request/response logic, you can build any application with HOPR using any language.

From simple scripts to browsers, games, or complex services, the privacy features HOPR offers exist at the messaging layer, so they are additive to any application you develop. If you are new to the ecosystem, start simply by running a HOPR node or explore the first commercial service developed on HOPR: RPCh.

Request/Response logic

This request/response logic is fundamental in computing and is nothing new, but it is also the basis of some of the largest privacy concerns on the internet.

Just take a look at this hackathon problem. Making the request to the exposed node required passing on a handful of details: The token, amount and receiving address.

Now imagine a similar scenario for everything you do online, expanding an image, clicking a button, browsing a product. Every single one of these minute actions requires communication between devices (requests/responses).

The problem arises when all these little details and actions are timestamped and tagged with your identity (IP address), and someone can sit there and see pretty much everything you do online and exactly how you spend your time. It is precisely this bad every time you use your crypto wallet, as you’re exposing every request you make and your IP address to your RPC provider. This is the same type of centralized data processing that made Web 2.0 so plagued with data harvesting in the first place.

And it is also the exact problem RPCh solves.

Sebastian Bürgel,
HOPR Founder

Website: https://rpch.net
Run RPCh Alpha for free: https://access.rpch.net/
Twitter: https://twitter.com/RPC_h_
Discord: https://discord.gg/VRyTQTNBTy

Powered by HOPR: https://hoprnet.org/