2.3 KiB

pwn w3bridges

Workshop for "web3" bridge hacking at Hacktivity 2022

You can find the presentation in the docs folder.



  • Web3 vs web2 hacking, concepts / workshop topology
  • Who interacted with dApps/SCs before?
  • Who codes Solidity?
  • Who codes Rust?
  • Who used a bridge before?
  • Who is the cryptographer?

Environment setup, system requirements

  • Any browser for Ethereum, Remix
  • Python3
  • Substrate, Rust nightly

Scenario 1: Token on two chains, mint using receipt

  • Solidity basics, using remix for compile
  • Exploit visibility, take admin
  • ECDSA Ethereum basics
  • Mint with receipt -> Find the vuln!

Scenario 2: Signature forgery (any chain)

  • Deploy SC on Ethereum chain
  • Compile Substrate with EVM
  • Deploy SC on Substrate chain (so it is different from core)
  • Test ECDSA signature forgery exploit from one to other
  • Test same issue with WASM/ink!


Scenario 1

Scenario 2

Solidity Hacking Homework

  1. Crypto Wojak - Who is the admin?
  2. Sminem - Set the password
  3. Crypto Wojak - Make your tries count 2 or more
  4. Crypto Wojak - Make your tries count 2 and get the answer
  5. HODLer - Deposit ether twice with the same address
  6. Crypto Wojak - Execute selfdestruct() +1 Sminem - Create a signature to prove you are Satoshi (see js folder)