The Chrysalis Attack-a-Thon
The IOTA Foundation members and the IOTA ecosystem are eager to see Chrysalis on the mainnet. Now after months of development, testing and auditing by external companies we are nearly ready for the transition to Chrysalis.
In the lead-up to the network upgrade, we are inviting the IOTA community members to the Chrysalis Attack-a-Thon!
With the Attack-a-Thon we would like to challenge you to try and break different parts of Chrysalis. You will be rewarded for your findings.
The Chrysalis Attack-a-Thon is a security researcher/developer/rustacean-oriented challenge. Everyone is invited to join and try to grab a few small prizes. It’s intended as a fun community experience, which you will see reflected in the rewards.
The Attack-a-Thon runs for around 10 days: it starts on the 18th of March 2021 at 2PM UTC and ends on the 28th of March 2021 at 11:59 PM UTC.
Note. Don’t mistake this with IOTA’s “incentivized testnet” which will be launched after the Coordicide testnet reaches its “Nectar” stage.
The scope of the Attack-a-Thon challenge
In the scope of the Chrysalis Attack-a-Thon are the following IOTA components:
- The IOTA Node Software
- Libraries
- stronghold.rs (The dev branch)
Categories, rewards and how to participate
There are lots of areas to explore in the Chrysalis upgrade, therefore we have defined categories for the submissions. Every category is connected to one or more rewards.
The rules of engagement are pretty simple:
- The first to submit a valid entry during the defined time period gets the prize
- Every issue in the scope counts singularly (e.g. If an injection makes it possible to escalate privileges it counts as two issues)
- The evaluation committee might count the submission if it is a particular vulnerability outside of the proposed scope although very connected to Chrysalis
Categories
Four kinds of priorities for the findings were defined:
The priorities are essentially all about the cost/benefit ratio. And cost and benefit should be considered in broad terms: cost can be effort, time, money, the coordination required, etc; benefit could be monetary, reputational, competitive advantage, etc.
Priority 1
Severity: corrupts/stops the network entirely. Arbitrarily changes the balances of many users.
Likelihood: medium/high (an attack can be carried out with little or no advanced resources).
- Consensus split of the network (practical attack).
- Arbitrary account (steal tokens) takeover.
- Double-spending existing funds or use funds “out of thin air” or Treasury Output.
- Stopping network confirmations altogether (Coordinator).
- Reverting a confirmed transaction.
Priority 2
Severity: compromise the entire network with low likelihood or consistently affect specific actors in the network with moderate resources.
Likelihood: medium/low (an attack can be carried out under special conditions, with moderate or high difficulty to create).
- Consensus split of the network (theoretical attack).
- Censoring arbitrary accounts, preventing confirmations.
- Get the network to accept Messages that violate established "validation" rules: insufficient PoW, malformed messages, breach dust rules, etc.
- Eclipse attack, arbitrarily controlling node’s peering.
Priority 3
Severity: Attacks that affect a limited number of actors in the network.
Likelihood: medium/low, an attack can be carried out under special conditions, with moderate or high difficulty to create.
- Causing nodes to crash or hang under “average” network load.
- Cause a node to drop connection to an arbitrary peer.
- Reducing overall confirmation rate consistently below 50% without holding more than 20% hash rate.
- Manipulate single wallet user experience to trick unwanted actions: pay to an incorrect address, show bogus confirmation states, expose secret material, hijack migration process.
Priority 4
Severity: disrupting end-user usability of the network, availability disruptions, etc.
Likelihood: medium/low.
- Prevent new nodes from joining the network.
- Preventing wallets to load Tangle data.
- Crash individual nodes under hard-to-obtain specific conditions.
Exclusions
What will not be evaluated (although submission of the issue is still very welcome):
- Graphical bugs (wrong shape of a box, text not aligned and similar things)
- Typos (unless they can be used for an attack)
- Bugs that involve manipulation of the underlying runtime environment without exploiting app-specific bugs (e.g. malware running on the OS, malicious administrator user on the same system, etc.)
- Getting the nodes out of sync with a lot of spam without crashing the coordinator
Rewards
Everyone that submits an issue deemed valid by the evaluation committee and is an IOTA Discord community member receives the dedicated Tanglebreaker badge to be recognized by our community.
Priority 1
IOTA branded Ledger Nano S for the first 10 submissions that qualify as P1
T-Shirt with custom design*
€2,500 in IOTA Tokens
Priority 2
IOTA branded Ledger Nano for the first 7 submissions that qualify as P2
T-Shirt with custom design*
€1,500 in IOTA Tokens
Priority 3
IOTA branded Ledger Nano for the first 5 submissions that qualify as P3
T-Shirt with custom design*
€1,000 in IOTA Tokens
Priority 4
IOTA branded Ledger Nano for the first 3 submissions that qualify as P4
T-Shirt with custom design*
€500 in IOTA Tokens
* by the IOTA Foundation design team
Terms and conditions
- Prizes cannot be paid out to participants currently residing in countries subject to international sanctions imposed by the UNSC, OFAC and the EU or personally named on a Specially Designated National and Blocked Persons Lists (SDN) published by the aforementioned bodies
- Excluded from participation are all employees and contractors of IF as well as any person who has already been working professionally on any parts of the Chrysalis code
How to participate
As soon as you find an issue that falls under the categories described above, jump to the related GitHub repository and submit an Attack-a-Thon issue using the pre-defined issue template:
The issue has to be structured as follows to be taken into consideration by the evaluation committee.
Description: What component was used (e.g. iota.rs python binding) and how
Impact: Describe the vulnerability and its potential impact.
Proof of Concept: Give a detailed description of the steps, tools and versions needed to reproduce the issue (proof of concept scripts or screenshots are helpful).
By submitting the issue, the submitter warrants the report and any attachments do not violate the intellectual property rights of any third party, and the submitter grants the IOTA Foundation a non-exclusive, royalty-free, worldwide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.
The evaluation committee
IOTA Foundation members will verify the submitted issues and will reply to the issue on GitHub to confirm or not the validity of the issue and define the category it falls under.
Starting with the 8th of April 2021 the winning participants will be contacted by the Community Manager, Antonio Nardella, with a comment on the submitted issue.
The following verification and information exchange process to get the rewards will require you to publish a public gist, with information shared by e-mail.
Stronghold CTF
Somewhere in the blog article about Stronghold's beta release, we have hidden a Stronghold Snapshot. You are invited to search for it using all the normal tricks of the trade, and once you have found it, attempt to break into its security systems. Within this Snapshot is a real IOTA Seed with 3.78 GIOTA attached to it.
The rules are simple:
1. Find the snapshot
2. Break the snapshot's encryption
3. Discover the seed's vault and path
4. Transfer the tokens to your own wallet
Visit the discussion at Stronghold's GitHub repository about the CTF for rules and participation.
Follow us on our official channels for the latest updates:
Discord | Twitter | LinkedIn | Instagram | YouTube