While blockchain protocols are typically secure, the decentralized apps (dapps) utilizing them may still contain a host of vulnerabilities. In addition to the bugs that exist in traditional software, blockchain smart contracts include numerous areas of which a hacker can take advantage, if you’re not careful.

Capture the Ether is a game to help you learn about those vulnerabilities. The goal of the game is straightforward – exploit vulnerabilities in Ethereum smart contracts to capture ether and complete the challenges.

Just as we did with the vulnerable FumbleChain, our team of experts applied our blockchain penetration testing methodologies to Capture the Ether, completing every challenge it threw at us. Here’s what we found.

WARNING: The remainder of this article contains solutions to numerous Capture the Ether challenges. If you’re planning on completing Capture the Ether yourself, you may want to do so before finishing this article.

.

.

.

.

.

.

.

.

.

.

.

.

.

Part 1: Finding Vulnerabilities in Lotteries

In part one of our Capture the Ether series, we show you how to apply static code analysis to discover common vulnerabilities in blockchain lotteries. Gambling and gaming platforms are some of the most prolific dapps on the Ethereum blockchain. Because many of them include lottery aspects, it’s no surprise that Capture the Ether begins here.

In each of the following lottery challenges, our goal is to correctly guess the winning number as we place our bet. Let’s dig in.

Challenge 1: Guess the Number

As you’ll notice throughout these challenges, our first step is to always look through the smart contract code to gain a better understanding of its logistics. A glance through the code in the first challenge reveals a glaring mistake. Can you spot it?