Secureum A-MAZE-X Maison de la Chimie, DeFi Security Summit

A Smart Contract Security Capture the Flag Workshop

*Hosted by Defi Security Summit as part of Defi Security 101*
Built with love by eugenioclrc, luksgrin, PeterisPrieditis, RomiRand and misirov
Special thanks to patrickd, StErMi, tinchoabbate and Rajeev for reviewing, commenting and helping during the elaboration and design of this CTF Workshop

---

Contents

1. Instructions 🕹️
   • Flavors
   • How to play ♘
2. Challenges 🎮
3. CTF Writeup 🗒️🗒️🗒️

Instructions 🕹️

This Workshop consists in a series of challenges, of increasing difficulty, targeting different concepts and common vulnerabilities found in DeFi. The CTF consists of a series of challenges suitable for different levels of expertise.

---

Flavors

This workshop provides different flavors. Feel free to use the one you feel more comfortable with:

• Option 1: Locally with Foundry
• Option 2: Online through Gitpod, using Foundry

---

Important note

This set of challenges aren't set for competitive purposes. Their main objective is to showcase scenarios involving DeFi, Solidity concepts and common vulnerabilities.

Focus on learning and having fun! 😊

How to play ♘

This challenge is thought for users who are very familiar with Solidity and do not want to use additional languages. The following setup tutorial will guide you through the installation of Foundry and its setup.

Clone this repository

Run the command below to clone this repository into your local machine

git clone https://github.com/secureum/AMAZEX-DSS-PARIS.git
cd AMAZEX-DSS-PARIS

Install Foundry (if you don't have Foundry already installed)

Run the command below to get foundryup the Foundry toolchain installer:

curl -L https://foundry.paradigm.xyz | bash

Then, in a new terminal session (or after reloading your PATH environmental variable), run foundryup to get the latest forge and cast binaries:

foundryup

And finally, install the repository's dependencies by entering it and running:

forge install

Note that you might have to restart your terminal for the forge command to become available.

At this point you should be all set. If not, check Foundry's installation troubleshooting.

Solving a challenge

Challenge contracts are located in the subdirectories of the src/ directory. Do not modify them, as it may lead to unexpected behaviors within the challenges.

To solve a challenge, you must open the corresponding test/ChallengeX.t.sol (where X is a number) and add your exploit code in the signalized areas within said file.

Then, to check if the challenge has been solved, execute the following command

forge test --match-path test/ChallengeX.t.sol

If the solution criteria have been reached, it shall display the following message

Running 1 test for test/ChallengeX.t.sol:ChallengeXTest
[PASS] testChallenge() (gas: XXXX)
Test result: ok. 1 passed; 0 failed; finished in XXXms

Alternatively, to check if all challenges have been solved, execute the following command:

bash isSolved.sh

which will return the test results for all challenges in order.

If one wishes to have a more detailed prompt (i.e. to see the logged messages), it is necessary to increase the verbosity with -vvvv, for example:

forge test --match-path test/ChallengeX.t.sol -vvvv

---

Challenges 🎮

• Challenge 1: Operation magic redemption 🪄🔮
• Challenge 2: Mission Modern WETH: Rescue the Ether 🧗🧭
• Challenge 3: LendEx pool hack 🤺🃏
• Challenge 4: Operation Rescue POSI Token! 💼🔓
• Challenge 5: Balloon Vault 🎈🎈
• Challenge 6: Safe Yield? 🏦📈
• Challenge 7: Crystal DAO 💎💎
• Challenge 8: Liquidatoooor 🔱🔱

---

Slides

Find the slides of the event's presentation here.

---

CTF Writeup 🗒️🗒️🗒️

Writeups will be available after the event

SOLUTIONS