Underhanded Solidity Coding Contest

These are not the backdoors you are looking for.

View on GitHub

1st Underhanded Solidity Coding Contest

The Underhanded Solidity Coding Contest is a contest to write harmless looking Solidity code that conceals a hidden purpose. A good USCC entry looks like a clearly and straightforwardly written smart contract, but contains well disguised vulnerabilities that ensure its actual operation differs significantly from what the reader would expect. The USCC is inspired by the similar Underhanded C Coding Contest.


The theme for the first contest is “ICOs”.

You are the lead developer of a groundbreaking new product, Merdetoken (MDT). Investor demand has been heavy, and soon you plan to announce an initial distribution of coins to the eager public.

Unfortunately, investors are getting more demanding, asking projects for assurances such as payout contracts that release funds over time and require the approval of investors, and smaller caps with better pricing mechanisms. All of this significantly impacts your master plan to take in a hundred million dollars in token sales and then retire to a nice island, saddling your intern with the task of actually writing something - eventually.

But you will not be deterred. Being well versed in solidity and sneakiness both, you’re confident you can come up with a tokensale contract that will pass the most careful audit, but still allow you to quickly retire to your tropical paradise with your ill-gotten gains.


Entrants must write a contract that in some way relates to ICOs - such as an ERC20 token contract, a contract for selling tokens, or one that conditionally pays funds out to project creators - with some critical vulnerability that can be exploited to enrich the project creators. Examples might include:

Rules and Scoring

Submission guidelines and deadline

Email submissions to [email protected]. Entries should consist of a ZIP file containing a README describing your submission and how it works (spoilers included), and one or more Solidity files.

The entirety of your entry must be submitted under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license. You must not submit anything that cannot be submitted under that license.

Judges will compile your code using a recent version of Solidity. You may specify a particular version in your source files - but you should expect this to raise some major red flags with the judges.

Each person may enter only once. If you wish to make a team submission, nominate a single person to submit on your team’s behalf.

Please do not include identifying information in the ZIP file; entries will be sent to judges anonymously.

Frequently Asked Questions

Who can participate

Anyone over the age of 13 except the judges and the organiser, Nick Johnson, and those who live in areas where contests of this kind are prohibited.

Why are you doing this?

Writing secure code is as much about behaving in a way users expect as it is about the technical aspects of software engineering, and ‘hacking’ is as much about exploiting differences between expected behaviour and real behaviour as it is about finding an exploiting bugs. We want to highlight this discrepancy, and make people think hard about how things actually work. In the process, we hope people will learn more about writing secure software, and establish new guidelines and best practices to help reduce the risk of ‘underhanded’ coding adversely affecting a real project.

Are you encouraging people to be evil or underhanded?

No - quite the reverse. Our goal is to highlight anti-patterns in smart contract development, so people are more aware of and can avoid the pitfalls when writing and reviewing smart contract code.


Judging this first contest are:

Judges are presented with anonymised submissions, and provide scores and commentary. The scores across all judges will be aggregated to determine the final score of each entry.


A prize pool, consisting of donations from Ethereum-related organisations, is available. Each winner, starting with first place, will be allowed to choose a prize from the pool.

Prizes are:

Contest void where prohibited by law. If your jurisdiction requires you to pay taxes on prizes or imposes other restrictions, it’s up to you to adhere to those. Every attendee to Devcon3 must comply with and be subject to the terms and conditions and code of conduct of Devcon3 and this includes those who attend through the grant of this prize.

The judges may, at their discretion, nominate any number of additional ‘honorable mentions’ for examination and approbation on the website.

Anyone wishing to offer additional prizes, or with questions about the contest, should email [email protected].