Bug bounty
Triaged by Hackenproof

DeTEE Hackers Challenge: Program info

DeTEE Hackers Challenge

Company: DeTEE
POC required
This program is active now

We created the Hacker Challenge program to allow haters and opponents to do due diligence around the technologies that power the DeTEE platform. Hence we open sourced everything and allowed everybody to join without any limits.

Focus Area

Read carefully

Hacker Challenge is licensed under GPLv2. To participate in the Hacker Challenge, you must agree to the following:

  • I acknowledge that I will not be able to recover any cryptocurrencies that I send to the Hacker Challenge wallet, and I am relinquishing ownership rights to any cryptocurrencies sent to the Hacker Challenge wallet.
  • I acknowledge that the tokens minted by the Hacker Challenge have no inherent value, and that these tokens have the sole purpose of testing the security of the challenge.
  • I have read the EULA and I accept all terms.

Main goal

The idea of the bounty program is fairly simple. Hack our wallet to earn the DeTEE prize! Wallet keys are secured inside every node of the Hacker Challenge cluster. You can easily run a node yourself. Otherwise, no limitations.

Wallet Address is AVV4yXTCbTYdJjzM5BniSchFby3mMeJ9JLAGFNubXm8h.

Because the wallet has permission to mint DTHC tokens, you can deploy a node and request it to send some tokens to your Solana account.

Token Address is A6HtJwfUbRiPoqVBQY611avQS4byHP4BZXHHBCMD4eFp.

This is a collective prize of $1380 in SOL and other meme coins + $13,000 in tokens.

The main rules of the hacker challenge:

  • Don't ever send to the hacker challenge wallet what you don't want to lose,
  • Before joining as a node, make sure your processor meets requirements,
  • Otherwise, no restrictions - anybody can participate,
  • Also no rules for hacking, you can even use a tank.

Useful resources:

Prerequisites

Steps that you need to do to run the Hacker Challenge node.

Server requirements

You need a server with an Intel processor that supports SGX, or you can rent a VM; for options see RedSwitches or Hetzner. You may also have a compliant processor in your laptop or desktop, check here. A public IP is not required to participate.

Simple installation

Server preparation is quite simple. Make sure you have installed and are running a kernel above v5.13 to get the built-in SGX DCAP driver. Also make sure that you have enabled SGX in the BIOS. The final step is to add the symlinks for the SGX devices:

# Check if sgx is enabled
cpuid | grep -i sgx

# Add symlinks for the sgx devices
sudo mkdir -p /dev/sgx
sudo ln -sf ../sgx_enclave /dev/sgx/enclave
sudo ln -sf ../sgx_provision /dev/sgx/provision
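
A preflight check for the steps above, added here as an example (it is not part of the DeTEE documentation). `ln -sf` succeeds even when its target is missing, so the check reports dangling links; the function names, the `dev_root` parameter and the reading of "above v5.13" as a later major.minor series are assumptions of this example.

```python
import os
import re

MIN_KERNEL = (5, 13)  # the page asks for a kernel above v5.13 (assumed: later major.minor)
# symlink under /dev/sgx -> device node created by the in-kernel driver
EXPECTED_LINKS = {"sgx/enclave": "sgx_enclave", "sgx/provision": "sgx_provision"}


def kernel_is_newer(release, minimum=MIN_KERNEL):
    """True if a release string such as '5.15.0-91-generic' is above `minimum`."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) > minimum


def check_sgx_devices(dev_root="/dev"):
    """Return a list of problems found under dev_root (an empty list means OK)."""
    problems = []
    for link, node in EXPECTED_LINKS.items():
        node_path = os.path.join(dev_root, node)
        link_path = os.path.join(dev_root, link)
        if not os.path.exists(node_path):
            problems.append(f"{node_path} missing: driver not loaded or SGX disabled in BIOS")
        if not os.path.islink(link_path):
            problems.append(f"{link_path} is not a symlink")
        elif not os.path.exists(link_path):
            # ln -sf creates the link even when its target does not exist
            problems.append(f"{link_path} is a dangling symlink")
        elif os.path.realpath(link_path) != os.path.realpath(node_path):
            problems.append(f"{link_path} does not point to {node_path}")
    return problems


if __name__ == "__main__":
    release = os.uname().release
    if not kernel_is_newer(release):
        print(f"kernel {release} is not above v{MIN_KERNEL[0]}.{MIN_KERNEL[1]}")
    for problem in check_sgx_devices():
        print(problem)
```
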

Advanced installation

Advanced installation is needed if you want to work with trusted execution environments on your server directly, not through Docker as in the simple installation. Follow this tutorial to install the SGX SDK manually. To simplify the process, we have created the following cheatsheet:

https://docs.detee.ltd/docs/hackers/prerequisites

Getting started

Quickstart

Hacker challenge works as a cluster that anybody can join. To join a cluster, all you need is to run the DeTEE Hacker Challenge Node (sometimes we also call it DTHC). DTHC is a docker image that you can start using:

docker run --device /dev/sgx/enclave --device /dev/sgx/provision \
           -v /tmp/dthc:/challenge/main -p 80:31372 -p 31373:31373 -d \
           --env INIT_NODES="212.95.45.139 46.165.199.12 184.107.183.210" \
           --name dthc detee/hacker-challenge:latest

After your node has started, feel free to start exploring logs:

docker logs -f dthc

- the docker devices give the node access to the SGX functionality
- INIT_NODES are the real IP addresses of currently running nodes that host the key
- in /tmp/dthc you will find the files with node metrics and Solana keys
- if your IP is public, expose port 31373 so that other nodes can connect to you
- query the node at http://localhost:80/mint?address=... to mint DTHC tokens

Hacking

How to start attacking the Hacker Challenge.

More about Hacker Challenge

The node that you can run is part of the DeTEE hacker-challenge, in other words a decentralized wallet that mints the DTHC Token. The private key of the mint authority was generated within the network. The challenge is easy: Hack the network to get the private key, and all the SOL is yours. We also offer other rewards, including:

The mint address of the token is: A6HtJwfUbRiPoqVBQY611avQS4byHP4BZXHHBCMD4eFp
The mint authority is: AVV4yXTCbTYdJjzM5BniSchFby3mMeJ9JLAGFNubXm8h

In order to mint, the mint authority will need some SOL. Before sending SOL, take into consideration that DeTEE REPRESENTATIVES DON'T KNOW HOW TO GET THE SOL OUT OF THE NETWORK!

You can make the following requests:

/nodes <= information about hacker challenge nodes and activity
/mint?address=<address> <= mints 1 DTHC to a given address

Architecture

Technical architecture of the P2P engine behind the hacker challenge.

Hacker Challenge is a decentralized network of nodes. Each node in the network runs inside an enclave (1). Memory pages of programs within the enclave are encrypted outside the enclave. Programs within the enclave have access to sources of entropy that are also protected from outside interventions. Enclaves also have exclusive access to their unique secrets that they usually use to seal (2) data on disk. Each enclave in the cluster must have the same measurements (3), since it runs the same version of the code and configuration. A running program can generate a quote that can be used to verify the measurements and legitimacy of the hardware it's running on. Decentralized algorithms are simplified as you will see from the code, since every node in the cluster is inherently trusted.

Assuming there are no vulnerabilities in any of the mentioned hardware features, and our node implementation has none either, it should be practically impossible to steal the SOL from the network wallet because:

  • wallet key is created inside the enclave using a trusted source of entropy
  • memory pages of the node that keep the wallet are encrypted to the outside world
  • node seals its own current progress and the Solana wallet keys on the disk
  • nodes verify if measurements of each other match through RATLS

Hence, when a new node joins the network, it connects to 3 peers using the RATLS handshake. The peers exchange their measurements and verify them. If the measurements are not in the whitelist, the peer will reject the connection. When the node is successfully connected, it receives the Solana wallet keypair and is able to mint the DTHC token.

1. The enclave is a program that operates in a trusted execution environment (TEE).
2. Sealing is a technique that the enclave uses to symmetrically encrypt and decrypt disk data to hide it from the host.
3. Enclave measurements are strings that uniquely identify the enclave and its configuration, like hash of the enclave's binary, configuration, the signer public key, its version and product id.
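
The whitelist check described above, as an added example (it is not the DeTEE node's code): it reads the identity fields from the 384-byte SGX report body carried in a quote and compares them with a whitelist, going one step beyond the text by also rejecting debug-mode enclaves, whose memory the host can read. Offsets follow Intel's `sgx_report_body_t` layout; the `Measurement` type, function names and sample values are constructed for illustration, and the quote's signature is assumed to have been verified already.

```python
import hashlib
import struct
from typing import NamedTuple

REPORT_BODY_LEN = 384      # size of Intel's sgx_report_body_t
SGX_FLAGS_DEBUG = 0x2      # attribute flag: enclave memory readable by a debugger


class Measurement(NamedTuple):
    mr_enclave: bytes      # hash of the enclave's initial code and data
    mr_signer: bytes       # hash of the signer's public key
    isv_prod_id: int
    isv_svn: int


def parse_report_body(body: bytes):
    """Return (Measurement, debug) from a report body whose quote is already verified."""
    if len(body) != REPORT_BODY_LEN:
        raise ValueError(f"expected {REPORT_BODY_LEN} bytes, got {len(body)}")
    (flags,) = struct.unpack_from("<Q", body, 48)
    prod_id, svn = struct.unpack_from("<HH", body, 256)
    m = Measurement(bytes(body[64:96]), bytes(body[128:160]), prod_id, svn)
    return m, bool(flags & SGX_FLAGS_DEBUG)


def accept_peer(body: bytes, allowlist) -> bool:
    """Admit a peer only if it is a production enclave with a whitelisted identity."""
    measurement, debug = parse_report_body(body)
    return not debug and measurement in allowlist


def build_sample_body(m: Measurement, debug: bool = False) -> bytes:
    """Constructed input: zeroed report body with only the fields used above set."""
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<Q", body, 48, SGX_FLAGS_DEBUG if debug else 0)
    body[64:96], body[128:160] = m.mr_enclave, m.mr_signer
    struct.pack_into("<HH", body, 256, m.isv_prod_id, m.isv_svn)
    return bytes(body)


# Constructed values, not the real measurements of the DTHC enclave.
GOOD = Measurement(hashlib.sha256(b"node").digest(), hashlib.sha256(b"signer").digest(), 1, 1)
REBUILT = GOOD._replace(mr_enclave=hashlib.sha256(b"modified node").digest())
ALLOWLIST = {GOOD}

if __name__ == "__main__":
    for name, body in [("good", build_sample_body(GOOD)),
                       ("rebuilt", build_sample_body(REBUILT)),
                       ("debug", build_sample_body(GOOD, debug=True))]:
        print(name, accept_peer(body, ALLOWLIST))
```
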

Known issues

Known Hacker Challenge issues

  1. If you create a new node as a root, it creates the private key and saves it to the disk, where it remains sealed. When the node restarts and tries to join the rest of the network, it will still use the private key from the disk for minting and sharing.
  2. If you run the hacker challenge on end-of-life processors, you may be able to run certain attacks; for instance, check this article.
  3. The challenge is compiled using the HW mode, not HYPER, so it may not work on some cloud providers, like Azure Intel SGX VMs (needs more testing).
  4. The performance and stability of the challenge are not at their theoretical peak, as the challenge was built mostly as a PoC and was not meant to be infinitely scalable or very performant.
  5. The challenge is not mutable once deployed, which means that it will remain secure as long as the community does not find a new vulnerability in SGX.

Rewards

Range of bounty: $0 - $14,380

Severity:

  • Critical: $14,380
  • High: $0
  • Medium: $0
  • Low: $0

Stats

  • Scope Review: 1087
  • Submissions: 4
  • Total rewards: $0

Project types: Wallet

Hackers (2)

  • Islamovic: 1
  • kareem omar hafez: 2

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

  • First Response: 3d
  • Triage Time: 3d
  • Reward Time: 3d
  • Resolution Time: 14d