The Chrysalis Attack-a-thon

Chrysalis Mar 18, 2021

The IOTA Foundation members and the IOTA ecosystem are eager to see Chrysalis on mainnet. Now after months of development, testing and auditing by external companies we are nearly ready for the transition to Chrysalis.

In the lead up to the network upgrade we are inviting the IOTA community members to the Chrysalis Attack-a-thon!

With the Attack-a-thon we would like to challenge you to try and break different parts of Chrysalis. You will be rewarded for your findings.

The Chrysalis Attack-a-thon is a security researcher/developer/rustacean oriented challenge. Everyone is invited to join and try to grab a few small prizes. It’s intended as a fun community experience, which you will see reflected in the rewards.

The Attack-a-thon runs for around 10 days: it starts on the 18th of March 2021 at 2PM UTC and ends with the 28th of March 2021 at 11:59 PM UTC.

Note. Don’t mistake this with IOTA’s “incentivized testnet” which will be launched after the Coordicide testnet reaches its “Nectar” stage.

The scope of the Attack-a-thon challenge

In the scope of the Chrysalis Attack-a-thon are the following IOTA components:

Categories, rewards and how to participate

There are lots of areas to explore in the Chrysalis upgrade, therefore we have defined categories for the submissions. Every category is connected to one or more rewards.

The rules of engagement are pretty simple:

  • The first to submit a valid entry during the defined time period gets the prize
  • Every issue in the scope counts singularly (e.g. If an injection makes it possible to escalate privileges it counts as two issues)
  • The evaluation committee might count the submission if it is a particular vulnerability outside of the proposed scope although very connected to Chrysalis

Categories

Four kind of priorities for the findings were defined:
The priorities are essentially all about cost/benefit ratio. And cost and benefit should be considered as broad terms: cost can be effort, time, money, coordination required, etc; benefit could be monetary, reputational, competitive advantage, etc.

Priority 1

Severity: corrupts/stops the network entirely. Arbitrarily changes the balances of many users.
Likelihood: medium/high (an attack can be carried out with little or no advanced resources).

  • Consensus split of the network (practical attack).
  • Arbitrary account (steal tokens) takeover.
  • Double-spending existing funds or use funds “out of thin air” or Treasury Output.
  • Stopping networks confirmations altogether (Coordinator).
  • Reverting a confirmed transaction.

Priority 2

Severity: compromise the entire network with low likelihood or consistently affect specific actors in the network with moderate resources.
Likelihood: medium/low (an attack can be carried out under special conditions, with moderate or high difficulty to create).

  • Consensus split of the network (theoretical attack).
  • Censoring of arbitrary accounts, preventing confirmations.
  • Get the network to accept Messages that violate established "validation" rules: insufficient PoW, malformed messages, breach dust rules, etc.
  • Eclipse-attack, arbitrarily controlling node’s peering.

Priority 3

Severity: Attacks that affect a limited number of actors in the network.
Likelihood: medium/low, an attack can be carried out under special conditions, with moderate or high difficulty to create.

  • Causing nodes to crash or hang under “average” network load.
  • Cause a node to drop connection to an arbitrary peer.
  • Reducing overall confirmation rate consistently below 50% without holding more than 20% hash-rate.
  • Manipulate single wallet user experience to trick unwanted actions: pay to incorrect address, show bogus confirmation states, expose secret material, hijack migration process.

Priority 4

Severity: disrupting end-user usability of the network, availability disruptions, etc.
Likelihood: medium/low.

  • Prevent new nodes from joining the network.
  • Preventing wallets to load Tangle data.
  • Crash individual nodes under hard-to-obtain specific conditions.

Exclusions

What will not be evaluated (although a submission of the issue is still very welcome):

  • Graphical bugs (wrong shape of a box, text not aligned and similar things)
  • Typos (unless they can be used for an attack)
  • Bugs that involve manipulation of the underlying runtime environment without exploiting app-specific bugs (e.g. malware running on the OS, malicious administrator user on the same system, etc.)
  • Getting the nodes out of sync with a lot of spam without crashing the coordinator

Rewards

Everyone that submits an issue deemed valid by the evaluation committee and is an IOTA Discord community member receives the dedicated Tanglebreaker badge to be recognized by our community.

Priority 1

IOTA branded Ledger Nano S for the first 10 submissions that qualify as P1
T-Shirt with custom design*
€2,500 in IOTA Tokens

Priority 2

IOTA branded Ledger Nano for the first 7 submissions that qualify as P2
T-Shirt with custom design*
€1,500 in IOTA Tokens

Priority 3

IOTA branded Ledger Nano for the first 5 submissions that qualify as P3
T-Shirt with custom design*
€1,000 in IOTA Tokens

Priority 4

IOTA branded Ledger Nano for the first 3 submissions that qualify as P4
T-Shirt with custom design*
€500 in IOTA Tokens

* by the IOTA Foundation design team

Terms and conditions

  • Prizes cannot be paid out to participants currently residing in countries subject to international sanctions imposed by the UNSC, OFAC and the EU or personally named on a Specially Designated National and Blocked Persons Lists (SDN) published by the aforementioned bodies
  • Excluded from participation are all employees and contractors of IF as well as any person who has already been working professionally on any parts of the Chrysalis code

How to participate

As soon as you find an issue that falls under the categories described above, jump to the related GitHub repository and submit an Attack-a-thon issue using the pre-defined issue template:

Attack-a-thon Issue template

The issue has to be structured as follows to be taken in consideration by the evaluation committee.

Description: What component was used (e.g. iota.rs python binding) and how

Impact: Describe the vulnerability and its potential impact.

Proof of Concept: Give a detailed description of the steps, tools and versions needed to reproduce the issue (proof of concept scripts or screenshots are helpful).

By submitting the issue, the submitter warrants the report and any attachments do not violate the intellectual property rights of any third party, and the submitter grants the IOTA Foundation a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.

The evaluation committee

The submitted issues will be verified by IOTA Foundation members for correctness and will reply to the issue on GitHub to confirm or not the validity of the issue and define the category it falls under.

Starting with the 8th of April 2021 the winning participants will be contacted by the Community Manager, Antonio Nardella, with a comment on the submitted issue.
The following verification and information exchange process to get the rewards will require you to publish a public gist, with information shared by e-mail.

STRONGHOLD CTF

Somewhere in the blog article about Stronghold's beta release, we have hidden a Stronghold Snapshot. You are invited to search for it using all the normal tricks of the trade, and once you have found it, attempt to break into its security systems. Within this Snapshot is a real IOTA Seed with 3.78 GIOTA attached to it.

The rules are simple:

1. Find the snapshot
2. Break the snapshot's encryption
3. Discover the seed's vault and path
4. Transfer the tokens to your own wallet

Visit the Discussion at Stronghold's Github repository about the CTF for rules and participation.


We welcome everyone to stop by on Discord in the #attack-a-thon channel and to follow us on Twitter to keep track of all the latest news!

Tags

Antonio Nardella

IOTA Community Manager Tech Consultant, technology-minded builder with focus on practical solutions. Particular interests in Free Open Source Software (FOSS).