How To Hack An ICO Smart Contract

Wassim Bendella
Published in iExec
3 min read · Sep 29, 2017

iExec recently had the pleasure to sponsor the first edition of the Underhanded Solidity Coding Contest. USCC is a contest to write harmless looking Solidity code that conceals a hidden purpose.

First Edition’s Theme: ICOs

For this first edition, the chosen theme was ICOs. Participants took on the role of ill-intentioned lead developers of a groundbreaking new product, Merdetoken (MDT). To realize their dream of raising millions and retiring early to a tropical paradise with contributors’ funds, these lead developers had to come up with a token sale contract that passes even the most careful audit.

A good USCC entry looks like a clearly and straightforwardly-written smart contract, but contains well-disguised vulnerabilities that ensure its actual execution differs significantly from what the reader would expect.

Examples of contracts with critical vulnerabilities might include:

  • A crowdsale contract that allows certain participants to get more tokens than they ought to.
  • A disbursement contract that lets the project creators withdraw all the funds at once.
  • A token contract that allows stealthy creation of additional tokens.

Results of the USCC

iExec’s goal by sponsoring such an event is to highlight anti-patterns in smart contract development, so people are more aware of and can avoid the pitfalls when writing and reviewing code. We are part of the Ethereum Enterprise Alliance, and constantly push forward to see more progress, innovation and security within the Ethereum network.

iExec had the pleasure to offer the second-place winner a round trip flight to Lyon, along with a lunch with the team members. Results of the contest are now available.

Third Place: João Carvalho

João’s entry implements a Dutch auction crowdsale as a price discovery mechanism for selling tokens. Give the contract a look if you’d like to figure out the flaws yourself.

Second Place: Richard Moore

Richard’s entry implements a standard token contract with a small variation: the owner may only withdraw the raised funds gradually: 1 ether in the first week, 2 in the second, 4 in the third, and so forth. Stop here and give the contract a read yourself if you want to figure out where the deviousness lies.
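The withdrawal schedule described above, as an added off-chain model (my own example, not Richard’s entry or its hidden flaw; that unused allowance carries over is an assumption): it quantifies how quickly a doubling allowance stops being gradual, the kind of check a reviewer can run before reading the code for the real trick.

```python
# Added example, not from the USCC entry: an off-chain model of the stated
# withdrawal schedule (1 ether in week 1, 2 in week 2, 4 in week 3, ...),
# used to check whether a "gradual" release actually limits the owner.
from dataclasses import dataclass

ETHER = 10**18  # wei per ether


def weekly_allowance(week: int) -> int:
    """Ether the schedule releases in a given week (1-indexed): 2**(week-1)."""
    if week < 1:
        raise ValueError("weeks are 1-indexed")
    return 2 ** (week - 1)


def cumulative_cap(week: int) -> int:
    """Total ether withdrawable by the end of `week`: 1 + 2 + ... + 2**(week-1)."""
    return 2**week - 1


def weeks_to_drain(total_raised_eth: int) -> int:
    """Smallest week by which the schedule permits withdrawing the whole raise."""
    week = 1
    while cumulative_cap(week) < total_raised_eth:
        week += 1
    return week


@dataclass
class ScheduledVault:
    """Minimal model of a vault enforcing the cumulative cap.

    Assumed semantics: the cap is cumulative, so allowance not withdrawn in an
    earlier week remains available later.
    """
    balance_wei: int
    withdrawn_wei: int = 0

    def withdraw(self, week: int, amount_wei: int) -> bool:
        cap_wei = cumulative_cap(week) * ETHER
        if amount_wei > self.balance_wei or self.withdrawn_wei + amount_wei > cap_wei:
            return False  # a contract would revert here
        self.withdrawn_wei += amount_wei
        self.balance_wei -= amount_wei
        return True
```

With a 1,000-ether raise, weeks_to_drain returns 10: by the tenth week the cumulative cap (1023 ether) already exceeds the whole balance.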

First Place: Martin Swende

Martin’s entry implements a ‘round table’ for governance, and raises funds by allowing people to bid on seats around the table. A ‘small honorarium’ is paid out to the creator of the contract for each bid. I highly recommend reading his code and trying to figure out for yourself where the flaw is.

Wrapping Up

A huge thanks to everyone who submitted, and especially to our hardworking judges, who had to read and rate over 20 deliberately difficult-to-audit contracts. Look out for a new USCC, with a new theme, next year!

If you want to keep up with our latest progress, you can:
Follow iExec on Facebook
Follow iExec on Twitter

Wassim Bendella is a business developer at iExec, a blockchain startup decentralizing the cloud market (previously at Shell and Cointelegraph).