Home

Awesome

Blaz CTF 2023

This repo contains the infrastructure & challenges for the Blaz CTF in 2023. The infrasturcture is built on top of kCTF.

Directory:

How launch the challenge locally?

  1. cd into infrastucture/paradigmctf.py and run docker-compose up -d to start the infra servers.
  2. cd into challenges/<challenge_name>/challenge and run docker-compose up -d to start the challenge server.
  3. nc localhost 1337 to manage instance.

Remember to delete existing instance before you switch to another challenge.

Challenges

Below is the list of challenges and authors' solution.

Hello World

By tonyke (@tonyke_bot) / 9 Points

Description:

Tony heard about Ethereum and decided to explore. Soon, he discovered an interesting transaction: 0xe19bd1067cbdc46d6fdb8b374e3ca384c32fd88e1413a9434e03c36b36924877

Solution: https://github.com/fuzzland/blaz-ctf-2023/blob/main/solutions/hello-world.md

Rock Scissor Paper

By tonyke (@tonyke_bot) / 99 Points / Handouts

Description:

Tony found out average salary of smart contract developers could reach millions of dollars. He started to learn about Solidity and deployed his first ever smart contract of epic rock scissor paper game!

Solution: https://github.com/fuzzland/blaz-ctf-2023/blob/main/solutions/rock-paper-scissor.md

Eazy NFT

By doudou (@i0xAWM) / 111 Points / Handouts

Description:

NFT market was slowly booming and Tony's friends were showing off their NFT holdings. Tony had finally whitelisted a NFT project, he's anxiously waiting for minting his first NFT.

Solution: https://github.com/fuzzland/blaz-ctf-2023/blob/main/solutions/eazy-nft.md

Hide on Bush

By tonyke (@tonyke_bot) / 286 Points / Handouts

Description:

Tony wanted to buy Azuki NFT with ETHs but he only had USDT. He gave Uniswap a try to swap for some ETHs. He had no idea about slippage and set it to 100. Tony later discovered that he recived no ETHs. He cried all day.

Solution: https://github.com/fuzzland/blaz-ctf-2023/blob/main/solutions/hide-on-bush.md

Missing

By doudou (@i0xAWM) / 383 Points / Handouts

Description:

Tony is dizzy by Web3's various projects and technologies. He needs to clear his veins. Let's see what he will do.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/missing

Lockless Swap

By shou (@shoucccc) / 165 Points / Handouts

Description:

With all his fancy onchain games built, Tony got successfully hired by Pancakeswap. He was in charge of reducing gas cost when swapping tokens. One day, he figured reentrancy lock keeps writing storage, which is quite costly. He secretly removed the lock, handed to CertiK for audits, and deployed the new gas-savvy Pancakeswap V2.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/lockless-swap

Ketai

By shou (@shoucccc) / 253 Points / Handouts

Description:

Tony got fired from Pancakeswap. To pay his rents, Tony started to build shitcoins. Here is his first shitcoin Ketai. Luckily, Tony was friend of CZ and secured $5m investment for Ketai.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/ketai

Tornado Crash

By Hanzhi (Riema Labs) @MisakaCenter / 478 Points / Handouts

Description:

Ether price plummeted. Tony figured Ethereum would die shortly. After his friends told him ZK was going to be the next hot spot, Tony started to learn ZK. However, he was so bad at math that he couldn't even understand simple concepts. To get hired as a ZK engineer, Tony deployed an ancient ZK protocols to the chain, claiming it is built by him.

Note: This challenge uses the same code as <a href="https://github.com/barryWhiteHat/miximus">Miximus</a> with <a href="https://drive.google.com/file/d/1OMziktfWAvCr-twkNl74IxAay6YEis7R/view?usp=sharing">this proving key</a>

Solution: N/A

Cup of Tea

By yype (@_yype) / 405 Points / Handouts

Description:

Tony got some $sui from his friend Shou. He decided to contribute to the ecosystem. Here is his first ever Move module built.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/cup-of-tea

Saluting Ducks

By shou (@shoucccc) / 405 Points / Handouts

Description:

All Tony's shitcoins got hacked. Liquidity providers of those shitcoins sued Tony.
To reimburse the liquidity providers, Tony built a GameFi about ducks (ducks are the cutest animal!)

Hint 1: What happens when you compare values of different types in JS?

Hint 2: To solve this challenge, you need to leverage different JS features / common vulnerabilities.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/saluting-ducks.md

Be biLlionAireS Today

By shou (@shoucccc) / 253 Points / Handouts

Description:

Tony led the tech team for a shady Ethereum L2. He assured the CEO that a multi-signature wallet architecture would help protect user funds. He claimed private keys of multisig owners were stored in different hardware wallets and tattooed under his feet so it is super safe.

Note: This challenge runs on fork of Ethereum. Tony added three additional addresses to the multisig:

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/be-billionaire-today.md

Maze

By publicqi (@publicqi) / 195 Points / Handouts

Description:

Tony made billions $ from rug pulling. He bought an island in Fiji, started to study philosophy, and devoted to learning labyrinth.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/maze

Ghost

By Robert Chen (OtterSec) @notdeghost / 274 Points / Handouts

Description:

"Memory cannot be defined, yet it defines mankind."

Solution: N/A

Jambo

By publicqi (@publicqi) / 158 Points / Handouts

Description:

Tony went crazy. No one knows what he has deployed on Ethereum.

Solution: https://github.com/fuzzland/blaz-ctf-2023/tree/main/solutions/jambo