Publication date: July 11, 2019

The Standoff developer hackathon: a fun debut

At PHDays 9, we added something new to The Standoff: a hackathon for developers. Teams of attackers and defenders fought for control of a mock digital city, as usual. But all the while, there were also developers working around the clock to make application updates and maintain uninterrupted uptime under a crush of attacks.

Four teams applied to take part in the hackathon. Each represented a different non-commercial project. Of them, only Bitaps (bitaps.com) made the cut. Bitaps publishes analysis of the Bitcoin, Ethereum, and other cryptocurrency blockchains, in addition to offering payment processing and developing a cryptocurrency wallet.

A few days before The Standoff was due to start, we gave Bitaps remote access to the game infrastructure in order to install their application (which was hosted in the unprotected segment of the city network). During the game, attacker teams, in addition to their usual attempts against city infrastructure, could scour the Bitaps application for vulnerabilities. The attackers sent a bug bounty report for each vulnerability found. The organizers verified these reports and gave the developers the opportunity to implement a fix. For each confirmed vulnerability, the relevant attacker team was rewarded with in-game currency and the developer team was penalized.

What's more, the organizers could shake things up by sending feature requests. The developers worked feverishly to add functionality without creating new security issues. Success was measured in money: implementing feature requests, as well as each minute of proper application operation, brought credits. But the developers lost money for each vulnerability, each minute of downtime, and each minute of improper operation of the application. Our bots monitored the situation closely: if they detected an issue with the application, we informed the Bitaps team and gave them a chance to resolve it. No resolution? Get ready to see losses. Just like in real life!

On Day 1, the attackers gently probed for vulnerabilities, finding only a few minor ones that were fixed quickly. Around 11 p.m., when the developers were feeling snug and safe, we caught their attention with a feature request. The feature was a tricky one: building on the application's existing payment processing capabilities, the developers' job was to implement a service for transferring tokens between two wallets by clicking a link. The payment sender (an application user) goes to a special page, enters an amount, and sets a one-time password for the payment. The application should then generate a unique link, which is sent to the payment recipient. The recipient opens the link, enters the one-time password, and indicates the wallet to credit the payment to.
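As an added illustration of the flow described above (example code written for this write-up, not Bitaps' implementation), here is a minimal link-based transfer with a one-time password: the sender's funds are reserved when the link is created, only a salted hash of the password is stored, the link token is unguessable and single-use, and repeated wrong passwords cancel the transfer and refund the sender. The wallet ledger, the `example.invalid` host, and the attempt limit are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory ledger of wallet balances (hypothetical, not real Bitaps data).
WALLETS = {"alice": 100, "bob": 0}
# Pending link transfers keyed by the random link token.
PENDING = {}
MAX_ATTEMPTS = 3  # assumed limit before a link is cancelled and refunded


def _hash_otp(otp: str, salt: bytes) -> bytes:
    """Store only a salted hash of the one-time password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 100_000)


def create_transfer(sender: str, amount: int, otp: str) -> str:
    """Reserve the amount in the sender's wallet and return the unique payment link."""
    if amount <= 0 or WALLETS.get(sender, 0) < amount:
        raise ValueError("insufficient funds or invalid amount")
    WALLETS[sender] -= amount  # reserve funds so the link cannot overdraw later
    token = secrets.token_urlsafe(32)  # unguessable link identifier
    salt = secrets.token_bytes(16)
    PENDING[token] = {"sender": sender, "amount": amount, "salt": salt,
                      "otp_hash": _hash_otp(otp, salt), "failures": 0}
    return f"https://example.invalid/transfer/{token}"  # placeholder host


def redeem_transfer(link: str, otp: str, recipient: str) -> bool:
    """Credit the recipient if the OTP matches; the link is consumed on first valid use."""
    token = link.rsplit("/", 1)[-1]
    entry = PENDING.get(token)
    if entry is None or recipient not in WALLETS:
        return False
    if not hmac.compare_digest(entry["otp_hash"], _hash_otp(otp, entry["salt"])):
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:  # stop password guessing: cancel and refund
            del PENDING[token]
            WALLETS[entry["sender"]] += entry["amount"]
        return False
    del PENDING[token]  # single use: a replayed link finds nothing
    WALLETS[recipient] += entry["amount"]
    return True
```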

Filled with excitement, the team got down to work. By 4 a.m. link-based token transfers were ready to roll. This quickly caught adversaries' attention. After a few hours, attackers succeeded in finding a minor XSS vulnerability, which they reported. We checked and confirmed it. The developers made a fix.

On Day 2, the attackers turned their full attention to the offices of the virtual city. With this respite, the developers could finally rest after a very long night.

For their tireless work during the two-day competition, the Bitaps developers scored fun souvenirs from the organizers.

As the developers themselves put it, the hackathon was a great way to stress-test their application and confirm its high degree of security. Alexey Karpov, a member of the Bitaps developer team, found the event challenging but rewarding: "The hackathon is a wonderful opportunity to check for security holes and get input on the quality of your code. We dug in and, ultimately, withstood the onslaught. It was quite the experience! You have to write good code quickly and under pressure, knowing that the odds of a bug creeping in are high. In conditions like these, you're forced to draw on every skill you've got."

We plan to host another hackathon at The Standoff next year. Check the PHDays site for all the latest!
