Week 1: Challenge design
If you are reading this, congratulations! You have made it to the top 16 of RACE-26 and are officially participating in the Secureum Vyper CTF!
The: Secureum Vyper CTF is a collaborative competition where you will design and submit an original CTF challenge written in Vyper and deployed on the Holesky testnet.
In this first week, you will be designing and submitting a CTF challenge completely written in Vyper and deployed on the Holesky testnet (use the following RPC endpoint: https://ethereum-holesky.publicnode.com/).
To do so, you can use any framework or tool you want, such as:
- Foundry, through pcaversaccio's
VyperDeployer.sol - Brownie
- ApeWorkX, through the
ape-vyperplugin - Hardhat, through the
hardhat-vyperplugin - Remix IDE, through the
vyper-plugin(see the plugins list)
If it's your first time working with Vyper, or generally any kind of python-based project, you might want to install the vyper compiler and its dependencies in a virtual environment. To do so, you can follow the instructions in the Vyper documentation.
To submit your challenge, you will need to create a private repository in your GitHub account and invite luksgrin as collaborator. The repository should contain:
- A
README.mdfile with a description of the challenge (title, story...), the solution, and the contract's address on the Holesky testnet (there's no need to verify the source code, but feel free to do so if you want to) - The source code of your challenge in a
src/directory
It is recommended that you use a framework that allows you to write tests for your challenge, but it is not mandatory. If you do write tests, you can include them in a test/ directory.
For the sake of consistency, all challenges must implement the IVyperSecureumCTF interface, which is defined as follows:
@external
def isSolved() -> bool:
"""
Returns whether the challenge has been solved or not.
"""
passThe challenge will be considered valid if it is solvable by (at least) the solution you provide. If deemed solvable, the challenge will be added to the roster of challenges for the second week of the competition.
To give you an idea of a valid submission, head over to the example directory.
In this second week, you will be submitting solutions and write-ups of your peers' Vyper CTF challenges, and will accumulate points by doing so.
The scoring system is as follows:
- 1 point for submitting a valid solution, i.e. a smart contract that solves the challenge and makes
isSolved()returnTrue - 3 points for submitting a valid solution that differs from the one provided by the challenge's author (which would imply that the challenge had multiple solutions)
- The top 3 leaderboard at the end of the competition will receive a commemorative POAP
- The best write-up of the competition will receive a commemorative POAP (the more challenges you solve, the more chances you have to win!)
- The prize pot of the competition will be 200 Holesky ETH shared proportionally among participants depending on the number of points obtained
After the competition, the challenges, writeups and solutions will be made public for everyone to enjoy and learn from. All participants will be given credit for their challenges and writeups.
Challenge description
There's a new Work-To-Earn in town.
Get your PomodoroNFT so you're eligible for rewards on the Pomodoro DApp.
You might have heard of the "Pomodoro Technique" if you're all about being productive in your work, nonetheless here's a quick explanation:
Usually people work for 5 hours straight, lose efficiency as time goes on due to lack of focus, and get 1 hour of rest afterwards. The Pomodoro technique consists of highly efficient working shifts of 25 minutes followed by 5 minutes of rest as people find it difficult to focus for more than 25 minutes. The Pomodoro DApp incentivizes the use of the Pomodoro technique by awarding users with some ETH provided they own a PomodoroNFT. For every 25 minute of work, the user receives 0.01 ETH.
The NFT costs 0.1 ether, and the reward is 0.01 ether.
For flexibility purposes, the length of the pause is not fixed, although it is recommended that users spend exactly 5 minutes. The user can pause whenever they want for emergency purposes.
Could you drain the Pomodoro contract's funds?
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/0xjarix-pomodoro/PomodoroCTFTest.t.solNote: This challenge requires vyper compiler version 0.3.9. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
There is a DEX contract written using the Vyper programming language. The contract dex.vy creates a dex for swapping two tokens. The contract Tokens creates the ERC20 token. For this CTF, when you deploy and get the contract instance:
- You get 100 T1 and 100 T2.
- The Dex contract gets 1000 T1 and 1000 T2.
Could you steal all T1 and T2 tokens from the Dex contract?
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/sakarkc2122-dex/SakarDEXCTFTest.t.solNote: This challenge requires vyper compiler version 0.3.10. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
-----------------------------------------=----==----------------------------------------------
---------------------------------==+=+*##%%%%%**%%%#*=----------------------------------------
---------------------------------=%@@@@@@@@@@@@@@@@@@@@@%++==---------------------------------
--------------------------------=*%@@@@@@@@@@@@@@@@@@@@@@@@@%#*#==----=-----------------------
------------------------------=-+@@@@@@%%@@@@@@@@@@%%%%@@@@@@@@@@@@@#+------------------------
-------------------------------=*@@%%%%%@@%@@@@@%%%@@%@%%@@@@@@@@@@@@%#=-=-----------=-=------
----------------------------===*%%##%%%%@%@@@@@@@@@@@@@%%%@@@@@@@@@@@@@%+==-------------------
-----------------------------=+#%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*-=-------==---------
---------------------------==#%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#---=---------------
---------------------------=+%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%#=---=----==-------
------------------------==**%@@@@@@@@@@@@@@@@@@@@@@@@@%@@@@@@@@@@@@@@@@@@@@#----=-=-====-----=
-------------------------=+#%@@@@@@@@@@@@@@@@@@@%%@%%%%%%%@%@@@@@@@@@@@@@@%%------==------=--=
-------------------------+%%%%%@@@@@@@@@@@@%@@%%%@%%%%%%%@@@@%%@@@@@@@@@@%%%%%%%%%%%%%##**++==
-----------------------=-*%%@@@%%%%%%@@@@@@@@@@@@@%%%%%%%%@@%@@%%@@@@@@%@@%##%%%%%%%%%%%%%%%%%
-----------------------==#%%%@@@@@%%@@@@@@@%%%%%%%%%#####%@@@@@#%%%%##%%%%%##%%%%%%%%%%%%%%%%%
------------------------=*%%%@@@@@%@@@%%%%#%@@@@@%%%%%%%%%@@@@@%%%####+**#%%#%%%%%%%%%%%%%%%%%
-------------------------+@@%%%%%%%##%@@@@@@#***#%%%%%%%%@%%%%%#@@@%%*++++*#%#%%%%%%%%%%%%%%%%
-------------------------#%**#%#*+#%=++#***+****+*####%%%%%%#*#%*+++=++++=+*##%###############
------------------------+**#**+===*#+----==+***##+****#%%%%%##*****-+=:-=+#+*##########%%#%%%%
-------------------------=***=---=*%*=-:--:::-=+*****%%%%%%%%#%##*++-:--:-*%*######%%%%%%%%%%%
--------------------------+::::--+%@%*+---=++==-=--==*#%%%%#%###*++-:-==-:=-*##%%%%%%%%%%%%%%%
--------------------------=*****+%@%%#*++=++**#%%%%@%%%%%#****++==+-::--++--###%%%%%%%%%%%%%%%
--------------------------+#****%@@%%###*****##%%%%%%%%#%#***++=++=+::--#+#+##############%%%%
--------------------------*##**#%@@%%%##***#%%@%%%%###*#####***#*+==:+##==**###########*****##
--------------------------+#**#%@@@@%%@%%+#%%@@@%#****#%%####%%%#**-####*#=+############******
--------------------------=++*%####*****##%#%%%%%###%%%##%%#%%%%##=*%%%%*--=###############***
---------------------------**%#+*++=:::=-=@%*#%#%%%%%%%%%%#%%%%%#*@%%%#+--++##################
----------------------=-=-=##%%%*+=*#%@@@@@@%**#%############%%#*#*##*=--=*###****############
-------------=++*=-=-------#%@@@%%%%@@@@@@@@@@@+**##%%#*+*####*+%+-:--+-.:*************#######
----------#@@@@@@@@@@@@@@@@@@@@@@@+=+++*#%%%%@@@@*#%%%##*+***+=%#---=*=...:+**************####
--------=@@@@@@@@@@@@@@@@@%@@@@@@@@+-++++==--=*%%%%%####***+=#%#---+*+...:::::+****+==++++==-:
------:@@@@@@@@@@@@%#@@@@@%@@@@@@@@%+*#**+++++++*%%##***++=+%%#--=*+=::::::::::::-::::::::::::
-----+@@@%*##@@@@%@%%%@@@@@#@@@%%%%#*+**+++****####*++=+=+#%%+-+=*@@::::::::::-:::::::::::::--
----%@@@@%#+-=**%@%%++%@%%%*%@@%%%#=.-*%%%%@@@@@@%%*=+*++%%#===+*%%::::::::----::::::::::::---
---@@@%%%#*=-::*#%%%*:#%%##-#@%#**+.:.:.:*%@@%%%@@%+=#**##===*+*@+:::::::-------::::::::::----
-=@@%%%%#+===:--**++-.-*###:#%%#-:-+*++:...:-*%@%%%+#*++==+*++%@+:-::-:---------::::::::------
%@@%%%*+++==--:=+++=::=#*+=.=%%#=-==+*#*##=:...:+*+++==+*%@@@@@=:--:---:-------.::::::--------
@@%%+*+*+======+=+=--:-***=::-=====++***#*###%#=...-##@@@@@@@@%:----::------:.::::::----------
%#+=.##*++=====#---==-==*=======++++++*+++***++=--#--@@@@@@@@%:-----------:.::-:::::-----::--:
@#--=+++++=-=++============-:----==========--:::*#@@+=@@@@@@@-------------:::-:::---=-:::..:::
%#*+--::==+++++++======--------::::::::#+:::::+%@@@@@:%@@@@@#-------------:::::::---:.....::..
#**++*--:.===+=====-----------::::::-:=#+=:.=*=+@@@@@@.@@@@@:---------------:::::-:......:::..
#**+++++-::::----------------:::::::::##:.-===+++=*@@@:*@@@----------------::::--:......::....
*+++++===--::-:===-=-------::::::-:::.#=..=+=-::--...@@.@@*:---------:-----::::--:.....:::...:
*+==---------::.:-==----------:::-::..#....::::---:....:@@:---------------.:::---......:...:-:
**++++==------==:.:=-------------:::..*...-:-::::::..--+::---------------.::::-:::....::::::--
**+++==------===---..-----------:::...+.:-:::..::::-==@@#---------------:::::-:::....::::::::-
**++=-=-=---=====---:.:--------:::...-=:+:::...:::::@@@@---------------:::::---::....::...::--
+++=:.=------=--------:.------:::...=:--.:....::::*@@@@-:--------------:::-:--::.........::---
=-:..==-------=--------:.:::::::...==:-+-=:::::-%#@@@@#:--------------:::::-::::.......:::--:-
:::.------------=--=----:..::::...=+-:=:-:-::=@@@@@@@@---------------::::-----:::.....::::-::-
Henry senior has setup a meeting with his three children: Marion, Anna and Henry junior. About to retire after a very successful business activity throughout his life, he has decided to retire and divide his 30_000 shares of the company giving his kids 10_000 shares each. For this, they just have to sign the document and receive their piece of the pie.
But you (Henry Junior) have other plans. You wants everything. Will you be able to get the full 30_000 shares of the company?
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/neumoxx-succession/SuccessionCTFTest.t.solNote: This challenge requires vyper compiler version 0.3.0. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
In the Vexillology Challenge, players strive to capture the flag of a specific country, showcasing their expertise in Vyper and tactical gameplay. Can you capture the flag of the country?
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/eloi010-vexillology/VexillologyTest.t.solNote: This challenge requires vyper compiler version 0.3.10. Make sure you have the appropriate virtual environment set up for compilation!
5. qpzm - CTF
Challenge description
...
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/qzpm/CTFTest.t.solNote: This challenge requires vyper compiler version 0.3.0. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
SNAKE the vyper king is born!
Buy $SNAKE tokens, the new $DOGE written in vyper! You can also refer your friends paying gas for them and get 5% of their purchase!
100 ETH has been deposited in this contract. If there was only a way to get it out before the presale ends...
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/federicobianucci-SNAKE-presale/SNAKEPresaleTest.t.solNote: This challenge requires vyper compiler version 0.3.7. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
"In the cozy cafe, patrons gathered to savor the rich c0ffee aroma wafting through the air. The menu boasted many delicious f00d options, from hearty breakfasts to savory lunches. Among the favorites were succulent beef dishes that satisfied even the most discerning palates. For those seeking lighter options, there was the popular decaf c0ffee, allowing patrons to unwind without the caffeine jolt. As the evening approached, some customers decided to call it an evening and went to bed..." X2
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/zac369-byte-brew/ZacByteBrewTest.t.solNote: This challenge requires vyper compiler version 0.3.10. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
...
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/rotcivegaf-argentineballot/BallotTest.t.solNote: This challenge requires vyper compiler version 0.3.7. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
Crowdfund is a token which can be bought and sold at a fixed price directly on it's own contract.. But is it flawed?
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/m4ttm-crowdfund/CrowdFundTest.t.solNote: This challenge requires vyper compiler version 0.2.16. Make sure you have the appropriate virtual environment set up for compilation!
Challenge description
A new Vyper Vault has been just deployed and Alice is about to ape into it with 15 ETH. Your snake sense has been triggered, bite fast and steal everything from the vault.
Access the test script here. Remember, to run this script you must execute:
forge test --match-path test/romeroadrian-vaulty/VaultyTest.t.solNote: This challenge requires vyper compiler version 0.3.10. Make sure you have the appropriate virtual environment set up for compilation!