Underhanded Solidity Contest 2022

The Underhanded Solidity Contest 2022 is over!

Read about the winning submissions in the winner announcement or check out all submissions in this repo.

The goal of the Underhanded Solidity Contest is to write seemingly innocent and straightforward-looking Solidity code which actually contains malicious behavior or backdoors.

Theme

This year, we would like you to build a simple decentralized exchange where people can trade their hard-earned NFTs, DAO governance tokens, or dog coins of their choice.

The rules of decentralized exchanges (at least the simple ones) are very easy and nothing can go wrong there... right?

Build a decentralized exchange either with an automated market maker or a match-making mechanism where trades do not really work as expected. You can also add a flaw to a token implementation you provide instead of to the exchange itself.

Please remember to stick to "simplicity is key"! The shorter the submission is, the better. Leave out ERC20 functions that are not needed for your submission, for example.

Bonus points if you provide a short story and explain the setting around your exchange in the readme file. Please also provide a crisp explanation about the flaw built into your submission, but put it into a different file named rugpull.txt or spoiler.txt, so judges are able to first read the submission without bias.

Judges

Judges are presented with anonymised submissions. This year, the submissions will be assessed by:

Prizes

First place will receive a ticket to Devcon VII Bogota.

The top 3 submissions will receive a ticket to the Devconnect Coworking Space and the opportunity to present their contest submission at the Solidity Summit 2022 in Amsterdam.

The top 3 submissions of the Underhanded Solidity Contest will also be awarded points for the upcoming Paradigm CTF 2022.

Furthermore, the three winners will be added to the Board of Fame. The winners and all qualified submissions will receive a custom Underhanded Solidity Contest NFT.

Coding Brief & Guidelines

All you need to know about contest participation and submission!

Brief

Build a decentralized exchange that looks fair, but can be "manipulated". For example, it could leak money, allow a specific account to withdraw all money, or do something else you can think of. The flaw can also be in a specific token implementation you provide instead of the exchange. The only hard requirement is that the flaw is hidden.

Plausibility & Originality

Remember to consider plausibility. Code that drops down to inline assembly without any clear reason why will look immediately suspicious, no matter how cleverly written the assembly-level flaw is.

Needless to say, truly original ideas will receive more points than submissions that rely on already well-known exploit or backdoor mechanisms.

Simplicity is key!

Submissions that are short and clean will be scored higher than those that are lengthy and complicated. It's easy to hide a vulnerability in complex and poorly written code; far harder to hide it in clean and simple code.

Timeline

Make sure to send your submission before the deadline!

Submissions open: 2022-02-09.
Submissions close: 2022-03-16.

Winners will be announced in time before Devconnect Amsterdam in April.

Open-Source License

The entirety of your submission must be licensed under an open-source license. You must not submit anything that cannot be published.

Solidity Version

Please use Solidity v0.8.0 or higher.

Submission & Participation

Please email your submissions before the deadline [2022-03-16, 11:59PM UTC] to sol_underhanded@ethereum.org. Entries should consist of a ZIP file containing a README describing your submission and how it works [spoilers into a different file!], and one or more Solidity files.

Each person can only enter one submission. If you want to make a team submission, nominate a single person to submit on your team’s behalf. Since entries will be forwarded to the judges and assessed anonymously, please do not include identifying information in the ZIP file.

Who can participate?

Anybody over the age of 18 can participate. Judges and organizers of this contest are excluded from participation. If your jurisdiction requires you to pay taxes on prizes or imposes other restrictions, please make sure to adhere to those. If taking part in such contests is prohibited in your area, please adhere to your local laws.

About

Inspired by the Underhanded C Contest and the first Underhanded Solidity Contest, organized in 2017 by Nick Johnson, the Solidity team decided in 2020 that it was time for a revival. Nowadays, the Underhanded Solidity Contest takes place regularly on an annual to bi-annual basis.

The Underhanded Solidity Contest aims to:

  • Raise awareness about smart contract security.
  • Uncover language design faults.
  • Battle-test recently introduced language features and restrictions.
  • Highlight anti-patterns in smart contract development.
  • Establish new best practices for secure smart contract development.

A big thank you to ChainSecurity, ConsenSys Diligence, Immunefi, Solidified, Trail of Bits, Paradigm, the Ethereum Foundation and all the judges for their support in organizing this contest!

Board of Fame

The Underhanded Solidity Board of Fame lists the winners of all Underhanded Solidity Contests throughout the years.

The first contest was held in 2017 and revolved around the topic of "ICOs". Read more in the 2017 Winner Announcement.

The topic of the second Underhanded Contest in 2020 was "Upgrade Mechanisms". Read more in the 2020 Winner Announcement.

In 2022, the theme was "Decentralized Exchanges". Read more in the 2022 Winner Announcement.

Year  Topic                    Name                   Rank
2017  ICOs                     Martin Swende          🥇
2017  ICOs                     Richard Moore          🥈
2017  ICOs                     João Carvalho          🥉
2020  Upgrade Mechanisms       Robert M C Forster     🥇
2020  Upgrade Mechanisms       Jaime Iglesias         🥈
2020  Upgrade Mechanisms       Cory Dickson           🥉
2020  Upgrade Mechanisms       Richard Moore          🏅
2020  Upgrade Mechanisms       Marius van der Wijden  🏅
2022  Decentralized Exchanges  Tynan Richards         🥇
2022  Decentralized Exchanges  Santiago Palladino     🥈
2022  Decentralized Exchanges  Michael Zhu            🥉

Contact

Do you have questions, or want to get involved by sponsoring a prize, helping with judging, or proposing a theme for the next Underhanded Solidity Contest? Then feel free to get in touch!