/ctf-blockchain

A summary of 200+ CTF blockchain challenges

Primary LanguageSolidity

CTF Blockchain Challenges

This repository collects blockchain challenges in CTFs and wargames.

These challenges are categorized by topic, not by difficulty or recommendation. Also, there are my writeups and exploits for some challenges (e.g., Paradigm CTF 2022). Please be aware that these contain spoilers.

If there are any incorrect descriptions, I would appreciate it if you could let me know via issue or PR!


Table of Contents


Ethereum

Note:

  • If an attack is only valid for a particular version of Solidity and not for the latest version, the version is noted at the end of the heading.
  • To avoid notation fluctuations, EVM terms are avoided as much as possible and Solidity terms are used.

Contract basics

Challenge Note, Keywords
Capture The Ether: Deploy a contract faucet, wallet
Capture The Ether: Call me contract call
Capture The Ether: Choose a nickname contract call
Capture The Ether: Guess the number contract call
Capture The Ether: Guess the secret number keccak256
Ethernaut: 0. Hello Ethernaut contract call, ABI
Ethernaut: 1. Fallback receive Ether function
Paradigm CTF 2021: Hello contract call
0x41414141 CTF: sanity-check contract call
Paradigm CTF 2022: RANDOM contract call
DownUnderCTF 2022: Solve Me

EVM puzzles

  • Puzzle challenges that can be solved by understanding the EVM specifications.
  • No vulnerabilities are used to solve these challenges.
Challenge Note, Keywords
Capture The Ether: Guess the new number block.number, block.timestamp
Capture The Ether: Predict the block hash blockhash
Ethernaut: 13. Gatekeeper One msg.sender != tx.origin, gasleft().mod(8191) == 0, type conversion
Ethernaut: 14. Gatekeeper Two msg.sender != tx.origin, extcodesize is 0
Cipher Shastra: Minion msg.sender != tx.origin, extcodesize is 0, block.timestamp
SECCON Beginners CTF 2020: C4B block.number
Paradigm CTF 2021: Babysandbox staticcall, call, delegatecall, extcodesize is 0
Paradigm CTF 2021: Lockbox ecrecover, abi.encodePacked, msg.data.length
EthernautDAO: 6. (No Name) block.number, gas price war
fvictorio's EVM Puzzles
Huff Challenge: Challenge #3
Paradigm CTF 2022: LOCKBOX2
Paradigm CTF 2022: SOURCECODE quine
Numen Cyber CTF 2023: LittleMoney function pointer
Numen Cyber CTF 2023: ASSLOT staticcall that return different values
Paradigm CTF 2023: Black Sheep Huff

Misuse of tx.origin

  • tx.origin refers to the address of the transaction publisher and should not be used as the address of the contract caller msg.sender.
Challenge Note, Keywords
Ethernaut: 4. Telephone

Weak sources of randomness from chain attributes

  • Since contract bytecodes are publicly available, it is easy to predict pseudorandom numbers whose generation is completed on-chain (using only states, not off-chain data).
  • It is equivalent to having all the parameters of a pseudorandom number generator exposed.
  • If you want to use random numbers that are unpredictable to anyone, use a decentralized oracle with a random number function.
    • For example, Chainlink VRF, which implements Verifiable Random Function (VRF).
Challenge Note, Keywords
Capture The Ether: Predict the future
Ethernaut: 3. Coin Flip
DownUnderCTF 2022: Crypto Casino
Paradigm CTF 2023: SkillBasedGame

ERC-20 basics

Challenge Note, Keywords
Ethernaut: 15. Naught Coin transfer, approve, transferFrom
Paradigm CTF 2021: Secure WETH
DeFi-Security-Summit-Stanford: VToken

Storage overwrite by delegatecall

  • delegatecall is a potential source of vulnerability because the storage of the delegatecall caller contract can be overwritten by the called contract.
Challenge Note, Keywords
Ethernaut: 6. Delegation
Ethernaut: 16. Preservation
Ethernaut: 24. Puzzle Wallet proxy contract
Ethernaut: 25. Motorbike proxy contract, EIP-1967: Standard Proxy Storage Slots
DeFi-Security-Summit-Stanford: InSecureumLenderPool flash loan
QuillCTF2023: D3l3g4t3
Numen Cyber CTF 2023: Counter writing EVM code

Context mismatch in delegatecall

  • Contracts called by delegatecall are executed in the context of the delegatecall caller contract.
  • If the function does not carefully consider the context, a bug will be created.
Challenge Note, Keywords
EthernautDAO: 3. CarMarket Non-use of address(this)

Integer overflow

  • For example, subtracting 1 from the value of a variable of uint type when the value is 0 causes an arithmetic overflow.
  • Arithmetic overflow has been detected and reverted state since Solidity v0.8.0.
  • Contracts written in earlier versions can be checked by using the SafeMath library.
Challenge Note, Keywords
Capture The Ether: Token sale multiplication
Capture The Ether: Token whale subtraction
Ethernaut: 5. Token subtraction

Non-executable Ether transfers to contracts

  • Do not create a contract on the assumption that normal Ether transfer (.send() or .transfer()) can always be executed.
  • If a destination is a contract and there is no receive Ether function or payable fallback function, Ether cannot be transferred.
  • However, instead of the normal transfer functions, the selfdestruct described below can be used to force such a contract to transfer Ether.
Challenge Note, Keywords
Ethernaut: 9. King
Project SEKAI CTF 2022: Random Song Chainlink VRF

Forced Ether transfers to contracts via selfdestruct

  • If a contract does not have a receive Ether function and a payable fallback function, it is not guaranteed that Ether will not be received.
  • When a contract executes selfdestruct, it can transfer its Ether to another contract or EOA, and this selfdestruct transfer can be forced even if the destination contract does not have the receive Ether function and the payable fallback function.
  • If the application is built on the assumption that the Ether is 0, it could be a bug.
Challenge Note, Keywords
Capture The Ether: Retirement fund integer overflow
Ethernaut: 7. Force

Large gas consumption by contract callees

  • A large amount of gas can be consumed by loops and recursion in call, and there may not be enough gas for the rest of the process.
  • Until Solidity v0.8.0, zero division and assert(false) could consume a lot of gas.
Challenge Note, Keywords
Ethernaut: 20. Denial

Forgetting to set view/pure to interface and abstract contract functions

  • If you forget to set view or pure for a function and design your application under the assumption that the state will not change, it will be a bug.
Challenge Note, Keywords
Ethernaut: 11. Elevator

view functions that do not always return same values

  • Since view functions can read state, they can be conditionally branched based on state and do not necessarily return the same value.
Challenge Note, Keywords
Ethernaut: 21. Shop

Mistakes in setting storage and memory

  • If storage and memory are not set properly, old values may be referenced, or overwriting may not occur, resulting in vulnerability.
Challenge Note, Keywords
N1CTF 2021: BabyDefi Cover Protocol infinite minting + flash loan

Tracing transactions

  • Various information can be obtained just by following the flow of transaction processing.
  • Blockchain explorers such as Etherscan are useful.
Challenge Note, Keywords
Ethernaut: 17. Recovery loss of deployed contract address

Reversing states

  • Since the state and the bytecodes of contracts are public, all variables, including private variables, are readable.
  • Private variables are only guaranteed not to be directly readable by other contracts, but we, as an entity outside the blockchain, can read them.
Challenge Note, Keywords
Capture The Ether: Guess the random number
Ethernaut: 8. Vault
Ethernaut: 12. Privacy
Cipher Shastra: Sherlock
0x41414141 CTF: secure enclave log, storage
EthernautDAO: 1. PrivateData

Reversing transactions

  • Reversing the contents of a transaction or how the state has been changed by the transaction.
Challenge Note, Keywords
darkCTF: Secret Of The Contract
DownUnderCTF 2022: Secret and Ephemeral

Reversing EVM bytecodes

Challenge Note, Keywords
Incognito 2.0: Ez keep in plain text
0x41414141 CTF: crackme.sol decompile
0x41414141 CTF: Crypto Casino bypass condition check
Paradigm CTF 2021: Babyrev
34C3 CTF: Chaingang
Blaze CTF 2018: Smart? Contract
DEF CON CTF Qualifier 2018: SAG?
pbctf 2020: pbcoin
Paradigm CTF 2022: STEALING-SATS
Paradigm CTF 2022: ELECTRIC-SHEEP
Paradigm CTF 2022: FUN-REVERSING-CHALLENGE
DownUnderCTF 2022: EVM Vault Mechanism
EKOPARTY CTF 2022: Byte stack tracing
EKOPARTY CTF 2022: SmartRev memory tracing
Numen Cyber CTF 2023: HEXP previous block hash == gas price % 2^24

EVM bytecode golf

  • These challenges have a limit on the length of the bytecode to be created.
Challenge Note, Keywords
Ethernaut: 18. MagicNumber
Paradigm CTF 2021: Rever Palindrome detection. In addition, the code that inverts the bytecode must also be able to detect palindromes.
Huff Challenge: Challenge #1

Jump-oriented programming

  • Jump-Oriented Programming (JOP)
Challenge Note, Keywords
SECCON CTF 2023 Quals: Tokyo Payload
Paradigm CTF 2021: JOP
Real World CTF 3rd: Re:Montagy

Gas optimization

  • These challenges have a limit on the gas to be consumed.
Challenge Note, Keywords
Huff Challenge: Challenge #2

Collisions when using abi.encodePacked with variable length arguments

Challenge Note, Keywords
SEETF 2023: Operation Feathered Fortune Fiasco

Bypassing verifications with zero iteration loops

Challenge Note, Keywords
SEETF 2023: Murky SEEPass array length, Merkle proof

Reentrancy attacks

  • In case a function of contract A contains interaction with another contract B or Ether transfer to B, the control is temporarily transferred to B.
  • Since B can call A in this control, it will be a bug if the design is based on the assumption that A is not called in the middle of the execution of that function.
  • For example, when B executes the withdraw function to withdraw Ether deposited in A, the Ether transfer triggers a control shift to B, and during the withdraw function, B executes A's withdraw function again. Even if the withdraw function is designed to prevent withdrawal of more than the limit if it is simply called twice, if the withdraw function is executed in the middle of the withdraw function, it may be designed to bypass the limit check.
  • To prevent reentrancy attacks, use the Checks-Effects-Interactions pattern.
Challenge Note, Keywords
Capture The Ether: Token bank ERC-223, tokenFallback()
Ethernaut: 10. Re-entrancy call
Paradigm CTF 2021: Yield Aggregator
HTB University CTF 2020 Quals: moneyHeist
EthernautDAO: 4. VendingMachine call
DeFi-Security-Summit-Stanford: InsecureDexLP ERC-223, tokenFallback()
MapleCTF 2022: maplebacoin
QuillCTF 2022: SafeNFT ERC721, _safeMint()
Numen Cyber CTF 2023: SimpleCall call
SEETF 2023: PigeonBank
Project SEKAI CTF 2023: Re-Remix Read-Only Reentrancy
SECCON Beginners CTF 2024: vote4b ERC721, _safeMint()

Flash loan basics

  • Flash loans are uncollateralized loans that allow the borrowing of an asset, as long as the borrowed assets are returned before the end of the transaction. The borrower can deal with the borrowed assets any way they want within the transaction.
  • By making large asset moves, attacks can be made to snatch funds from DeFi applications or to gain large amounts of votes for participation in governance.
  • A solution to attacks that use flash loans to corrupt oracle values is to use a decentralized oracle.
Challenge Note, Keywords
Damn Vulnerable DeFi: 1. Unstoppable Simple flash loan with a single token. Failure to send the token directly.
Damn Vulnerable DeFi: 2. Naivereceiver The flashLoan function can specify a borrower, but the receiver side does not authenticate the TX sender, so the receiver's funds can be drained as a fee
Damn Vulnerable DeFi: 3. Truster The target of a call is made into the token and the token can be taken by approving it to oneself
Damn Vulnerable DeFi: 4. Sideentrance Flash loan that allows each user to make a deposit and a withdrawal. The deposit can be executed at no cost at the time of the flash loan.

Governance attacks by executing flash loans during snapshots

  • If the algorithm distributes some kind of rights using the token balance at the time of a snapshot, and if a malicious user transaction can trigger a snapshot, a flash loan can be used to obtain massive rights.
  • A period of time to lock the token will avoid this attack.
Challenge Note, Keywords
Damn Vulnerable DeFi: 5. Therewarder Get reward tokens based on the deposited token balance.
Damn Vulnerable DeFi: 6. Selfie Get voting power in governance based on the deposited token balance.

Bypassing repayments of push architecture flash loans

  • There are two architectures of flash loans: push and pull, with push architectures represented by Uniswap and Aave v1 and pull architectures by Aave v2 and dYdX.
  • The proposed flash loan in EIP-3156: Flash Loans is a pull architecture.
Challenge Note, Keywords
Paradigm CTF 2021: Upgrade Bypass using the lending functionality implemented in the token

Bugs in AMM price calculation algorithm

  • A bug in the Automated Market Maker (AMM) price calculation algorithm allows a simple combination of trades to drain funds.
Challenge Note, Keywords
Ethernaut: 22. Dex

Attacks using custom tokens

  • The ability of a protocol to use arbitrary tokens is not in itself a bad thing, but it can be an attack vector.
  • In addition, bugs in the whitelist design, which assumes that arbitrary tokens are not available, could cause funds to drain.
Challenge Note, Keywords
Ethernaut: 23. Dex Two

Oracle manipulation attacks without flash loans

  • It corrupts the value of the oracle and drains the funds of applications that refer to that oracle.
Challenge Note, Keywords
Paradigm CTF 2021: Broker Distort Uniswap prices and liquidate positions on lending platforms that reference those prices
Damn Vulnerable DeFi: 7. Compromised Off-chain private key leak & oracle manipulation

Oracle manipulation attacks with flash loans

  • The use of flash loans distorts the value of the oracle and drains the funds of the protocols that reference that oracle.
  • The ability to move large amounts of funds through a flash loan makes it easy to distort the oracle and cause more damage.
Challenge Note, Keywords
Damn Vulnerable DeFi: 8. Puppet Distort the price of Uniswap V1 and leak tokens from a lending platform that references that price
DeFi-Security-Summit-Stanford: BorrowSystemInsecureOracle lending protocol

Sandwich attacks

  • For example, if there is a transaction by another party to sell token A and buy B, the attacker can put in a transaction to sell A and buy B before the transaction, and later put in a transaction to sell the same amount of B and buy A, thereby ultimately increasing the amount of A at a profit.
  • In general, such "revenue earned by selecting, inserting, and reordering transactions contained in a block generated by a miner" is referred to as Miner Extractable Value (MEV). Recently, it is also called Maximal Extractable Value.
Challenge Note, Keywords
Paradigm CTF 2021: Farmer Sandwich the trade from COMP to WETH to DAI

Recoveries of private keys by same-nonce attacks

  • In general, a same-nonce attack is possible when the same nonce is used for different messages in the elliptic curve DSA (ECDSA), and the secret key can be calculated.
  • In Ethereum, if nonces used to sign transactions are the same, this attack is feasible.
Challenge Note, Keywords
Capture The Ether: Account Takeover
Paradigm CTF 2021: Babycrypto
MetaTrust CTF: ECDSA

Brute-forcing addresses

  • Brute force can make a part of an address a specific value.
Challenge Note, Keywords
Capture The Ether: Fuzzy identity 28 bits, CREATE2
Numen Cyber CTF 2023: Exist 16 bits

Recoveries of public keys

  • The address is the public key applied to a keccak256 hash, and the public key cannot be recovered from the address.
  • If even one transaction has been sent, the public key can be back-calculated from it.
  • Specifically, it can be recovered from the Recursive Length Prefix (RLP)-encoded data [nonce, gas_price, gas, to, value, data, chain_id, 0, 0] and the signature (v,r,s).
Challenge Note, Keywords
Capture The Ether: Public Key RLP, ECDSA

Encryption and decryption in secp256k1

Challenge Note, Keywords
0x41414141 CTF: Rich Club DEX, flash loan

Bypassing bots and taking ERC-20 tokens owned by wallets with known private keys

  • If a wallet with a known private key has an ERC-20 token but no Ether, it is usually necessary to first send Ether to the wallet and then transfer the ERC-20 token to get the ERC-20 token.
  • However, if a bot that immediately takes the Ether sent at this time is running, the Ether will be stolen when the Ether is simply sent.
  • In this situation, we can use Flashbots bundled transactions or just permit and transferFrom if the token is EIP-2612 permit friendly.
Challenge Note, Keywords
EthernautDAO: 5. EthernautDaoToken

Claimable intermediate nodes of Merkle trees

Challenge Note, Keywords
Paradigm CTF 2022: MERKLEDROP

Precompiled contracts

Challenge Note, Keywords
Paradigm CTF 2022: VANITY

Faking errors

Challenge Note, Keywords
Ethernaut: 27. Good Samaritan

Foundry cheatcodes

Challenge Note, Keywords
Paradigm CTF 2022: TRAPDOOOR
Paradigm CTF 2022: TRAPDOOOOR

Front-running

Challenge Note, Keywords
DownUnderCTF 2022: Private Log

Back-running

  • MEV-Share can be used to create bundled transactions to back-run.
Challenge Note, Keywords
MEV-Share CTF: MevShareCTFSimple 1
MEV-Share CTF: MevShareCTFSimple 2
MEV-Share CTF: MevShareCTFSimple 3
MEV-Share CTF: MevShareCTFSimple 4
MEV-Share CTF: MevShareCTFMagicNumberV1
MEV-Share CTF: MevShareCTFMagicNumberV2
MEV-Share CTF: MevShareCTFMagicNumberV3
MEV-Share CTF: MevShareCTFNewContract (Address)
MEV-Share CTF: MevShareCTFNewContract (Salt) CREATE2

Head overflow bugs in calldata tuple ABI-reencoding (< Solidity 0.8.16)

Challenge Note, Keywords
0CTF 2022: TCTF NFT Market
Numen Cyber CTF 2023: Wallet illegal v in ecrecover

Overwriting storage slots via local storage variables (< Solidity 0.8.1)

  • In Foo storage foo;, the local variable foo points to slot 0.
Challenge Note, Keywords
Capture The Ether: Donation

Overwriting arbitrary storage slots by setting array lengths to 2^256-1 (< Solidity 0.6.0)

  • For example, any storage variable can be overwritten by negatively arithmetic overflowing the length of an array to 2^256-1.
  • It need not be due to overflow.
  • The length property has been read-only since v0.6.0.
Challenge Note, Keywords
Capture The Ether: Mapping
Ethernaut: 19. Alien Codex
Paradigm CTF 2021: Bank

Constructors that is just functions by typos (< Solidity 0.5.0)

  • In versions before v0.4.22, the constructor is defined as a function with the same name as the contract, so a typo of the constructor name could cause it to become just a function, resulting in a bug.
  • Since v0.5.0, this specification is removed and the constructor keyword must be used.
Challenge Note, Keywords
Capture The Ether: Assume ownership
Ethernaut: 2. Fallout

Overwriting storage slots via uninitialized storage pointer (< Solidity 0.5.0)

  • Since v0.5.0, uninitialized storage variables are forbidden, so this bug cannot occur.
Challenge Note, Keywords
Capture The Ether: Fifty years
Ethernaut: Locked deleted

Other ad-hoc vulnerabilities and methods

Challenge Note, Keywords
Paradigm CTF 2021: Bouncer The funds required for batch processing are the same as for single processing.
Paradigm CTF 2021: Market Make the value of one field be recognized as the value of another field by using key misalignment in the Eternal Storage pattern.
EthernautDAO: 2. WalletLibrary m and n of m-of-n multisig wallet can be changed.
Paradigm CTF 2022: RESCUE
Paradigm CTF 2022: JUST-IN-TIME
Paradigm CTF 2022: 0XMONACO
BalsnCTF 2022 initialize, _safeTransferFrom, CREATE2
Numen Cyber CTF 2023: LenderPool flash loan
Numen Cyber CTF 2023: GOATFinance check sum address
SEETF 2023: Pigeon Vault EIP-2535: Diamonds, Multi-Facet Proxy
corCTF 2023: baby-wallet missing from != to check

Bitcoin

Note

  • Including challenges of Bitcoin variants whose transaction model is Unspent Transaction Output (UTXO).

Bitcoin basics

Challenge Note, Keywords
TsukuCTF 2021: genesis genesis block
WORMCON 0x01: What's My Wallet Address Bitcoin address, RIPEMD-160

Recoveries of private keys by same-nonce attacks

Challenge Note, Keywords
darkCTF: Duplicacy Within

Bypassing PoW of other applications using Bitcoin's PoW database

  • Bitcoin uses a series of leading zeros in the SHA-256 hash value as a Proof of Work (PoW), but if other applications are designed in the same way, its PoW time can be significantly reduced by choosing one that matches the conditions from Bitcoin's past PoW results
Challenge Note, Keywords
Dragon CTF 2020: Bit Flip 2 64-bit PoW

Solana

Challenge Note, Keywords
ALLES! CTF 2021: Secret Store solana,spl-token
ALLES! CTF 2021: Legit Bank
ALLES! CTF 2021: Bugchain
ALLES! CTF 2021: eBPF reversing eBPF
Paradigm CTF 2022: OTTERWORLD
Paradigm CTF 2022: OTTERSWAP
Paradigm CTF 2022: POOL
Paradigm CTF 2022: SOLHANA-1
Paradigm CTF 2022: SOLHANA-2
Paradigm CTF 2022: SOLHANA-3
corCTF 2023: tribunal
Project SEKAI CTF 2023: The Bidding
Project SEKAI CTF 2023: Play for Free

Cosmos

CosmWasm

Challenge Note, Keywords
Oak Security CosmWasm CTF: 1. Mjolnir logic bug
Oak Security CosmWasm CTF: 2. Gungnir integer overflow
Oak Security CosmWasm CTF: 3. Laevateinn address validation, uppercase
Oak Security CosmWasm CTF: 4. Gram invariant, rounding error
Oak Security CosmWasm CTF: 5. Draupnir missing return
Oak Security CosmWasm CTF: 6. Hofund flash loan, governance
Oak Security CosmWasm CTF: 7. Tyrfing storage collision
Oak Security CosmWasm CTF: 8. Gjallarhorn
Oak Security CosmWasm CTF: 9. Brisingamen
Oak Security CosmWasm CTF: 10. Mistilteinn

Application-specific blockchain

Challenge Note, Keywords
RealWorld CTF 3rd Finals: Billboard

Move

Challenge Note, Keywords
Numen Cyber CTF 2023: Move to Checkin contract call in Sui
Numen Cyber CTF 2023: ChatGPT tell me where is the vulnerability OSINT
Numen Cyber CTF 2023: Move to Crackme reversing Move code and Linux executable
justCTF 2024 teaser: The Otter Scrolls
justCTF 2024 teaser: Dark BrOTTERhood
justCTF 2024 teaser: World of Ottercraft

Cairo

Challenge Note, Keywords
Paradigm CTF 2022: RIDDLE-OF-THE-SPHINX contract call
Paradigm CTF 2022: CAIRO-PROXY integer overflow
Paradigm CTF 2022: CAIRO-AUCTION Uint256
BalsnCTF 2022: Cairo Reverse reversing

Other Blockchain-Related

  • Things that are not directly related to blockchains but are part of the ecosystems.
Challenge Note, Keywords
TsukuCTF 2021: InterPlanetary Protocol IPFS address, Base32 in lowercase