BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀)
Sup Stackers!
I’m offering a bounty to anyone who can break my plugin and force an unauthorized payout. If you succeed, you take whatever funds are in the quiz wallet, plus additional prizes if you document your method and suggest a fix.
Even if you don’t hack it, you still get 10 sats just for taking the quiz! So give it a shot and send me any feedback—either here or via email at bitcoin-mastermind.negligee018@passinbox.com.
Here’s the website with the quiz. Try it out.
👉 Bitcoin Mastermind Quiz
🚀 The Goal:
Can you force the site to send you more sats than allowed?
- Can you withdraw more than 10 sats per quiz attempt?
- Can you drain the full quiz wallet? (Currently holds 5,000 sats—go for it!)
- Can you find another exploit that wrecks the system? (Oh no 😨)
🎯 The Reward:
- Take the wallet balance if you manage to force an unauthorized payout.
- 50,000 sats if you successfully drain the wallet.
- Another 50,000 sats if you document your method & suggest a fix.
- Total potential reward: 100,000+ sats!
🛠 Background:
We want to make these quizzes freely available to anyone who wants to use the plugin—no login, no tracking, no nonsense. But that also means preventing unauthorized payouts is a real challenge. We’ve put in work to lock it down, but now it’s your turn to try and break it.
To limit abuse, there’s a 3-attempt cap per Lightning Address.
The following types of LN addresses should work:
- Alby, for example: ealvar13@getalby.com
- Wallet of Satoshi, for example: ealvar13@walletofsatoshi.com
- CoinOs, for example: ealvar13@coinos.io
🔗 Source code in use on the website:
👉 GitHub Repo
🏴☠️ How to Participate:
- Take the quiz and try to exploit it.
- If you find a vulnerability, claim the bounty and message me here or email me the details.
- Even if you don’t hack it, enjoy 10 sats per quiz attempt—feedback is welcome!
Don't pay the bounty via SN, there's a risk that whoever receives it will get 100K CCs! 🤠
haha ok! if anyone hacks it i can pay the bounty to any lightning wallet or on-chain wallet, it doesn't have to be thru SN : )
lol, so true.
It seems I can repeatedly send two requests and get more than 3 times the payout:
Take the invoice from the response and put it into
Ad infinitum...
You can change the amount as well.
There is a check in lightning_address.php line 280.
Why is that not working at all?
Because it's checking the totalSats parameter provided by the client, not the value encoded in the invoice (provided in the first call as amount=10)!
Good catch! Never trust the client.
The getBolt11 function also has an exploitable flaw:
It asks the external (!) Bolt11 server for parameters related to the user-provided address, and honors minSendable in a funny way:
An attacker can use an address that leads to an attacker-controlled Bolt11 resolver, which returns an absurdly high minimum. The logic above will then use that (instead of the amount due)!
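The two amount flaws described in this comment and the one before it (a client-supplied totalSats being compared instead of the amount encoded in the invoice, and a resolver-supplied minSendable replacing the amount due) can both be closed by one server-side check. The following is an added example written for this page, not code from the plugin or its author; it is in Python rather than the plugin's PHP so it can be run on its own. The invoice strings are constructed (only their human-readable part is real BOLT11 syntax), and `LnurlPayParams`, `flawed_payout_amount` and `authorize_payout` are illustrative names, with `flawed_payout_amount` being a reconstruction of the pattern the comment describes rather than the plugin's actual code.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# BOLT11 human-readable part: "ln" + network + optional amount digits + optional multiplier.
# Multipliers are fractions of one bitcoin; everything is converted to millisatoshi
# (1 BTC = 100_000_000_000 msat) so no float arithmetic is involved.
_HRP_RE = re.compile(r"ln(bc|tb|tbs|bcrt)(\d*)([munp]?)")
_MSAT_PER_UNIT = {"": 10**11, "m": 10**8, "u": 10**5, "n": 10**2}

# Constructed sample invoices: real HRP, filler data part (no bech32 checksum/signature).
INVOICE_10_SATS = "lnbc100n1pjq9qsampledatapart"     # 100 nano-BTC = 10 sats
INVOICE_5000_SATS = "lnbc50u1pjq9qsampledatapart"    # 50 micro-BTC = 5000 sats


def bolt11_amount_msat(invoice: str) -> Optional[int]:
    """Amount the invoice itself asks for, in msat (None for an 'any amount' invoice).

    Only the human-readable part is decoded here; a production check must also
    verify the bech32 checksum and the invoice signature in the data part.
    """
    inv = invoice.strip().lower()
    sep = inv.rfind("1")                 # bech32: the last '1' separates HRP from data
    if sep <= 0:
        raise ValueError("not a bech32 string")
    m = _HRP_RE.fullmatch(inv[:sep])
    if not m:
        raise ValueError(f"unrecognised BOLT11 prefix: {inv[:sep]!r}")
    digits, mult = m.group(2), m.group(3)
    if digits == "":
        return None                      # amount-less invoice: payer chooses the amount
    if digits[0] == "0":
        raise ValueError("BOLT11 amounts must not have leading zeros")
    amount = int(digits)
    if mult == "p":                      # pico-BTC = 0.1 msat; last digit must be 0
        if amount % 10:
            raise ValueError("pico amount must be a multiple of 10")
        return amount // 10
    return amount * _MSAT_PER_UNIT[mult]


@dataclass(frozen=True)
class LnurlPayParams:
    """Subset of the LNURL-pay response returned by the resolver for the address."""
    min_sendable_msat: int
    max_sendable_msat: int


def flawed_payout_amount(amount_due_msat: int, params: LnurlPayParams) -> int:
    """Reconstruction of the pattern the comment describes (assumed, not the plugin's code):
    a minSendable larger than the amount due silently replaces it, so whoever
    controls the resolver controls the payout."""
    return max(amount_due_msat, params.min_sendable_msat)


def authorize_payout(invoice: str, params: LnurlPayParams,
                     amount_due_msat: int) -> Tuple[bool, str]:
    """Hardened check: the amount due is computed server-side and must match the invoice."""
    if params.min_sendable_msat > amount_due_msat or params.max_sendable_msat < amount_due_msat:
        # Refuse outright; never raise the payout to satisfy the recipient's limits.
        return False, "recipient wallet cannot receive exactly the earned amount"
    try:
        encoded = bolt11_amount_msat(invoice)
    except ValueError as exc:
        return False, f"invoice rejected: {exc}"
    if encoded is None:
        return False, "any-amount invoices are not accepted"
    if encoded != amount_due_msat:
        return False, f"invoice asks for {encoded} msat but only {amount_due_msat} msat is due"
    return True, "ok"
```

The key design point is that nothing in the request decides the amount: the server computes what is due (10 sats here), fetches an invoice for exactly that, and then confirms the invoice it got back encodes that same value before paying. A resolver that advertises a huge minSendable simply gets no payout rather than a larger one.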
That's brutal.
interesting! it doesn't boot your request after 3 tries with the same lightning address?
It seems to rely on the client sending a request to get itself counted:
The client can simply skip this call to get endless calls.
All the logic should be in the server: use a single call to submit the answers, and have the server count the address, generate and pay the invoice in one step. You can't rely on the client following any expected procedure. Hackers will do any call in any order with any parameter to exploit you.
Not when I resend the requests manually (through the Firefox web tools). It accepts the same nonce every time.
It successfully sent the 10 sats, thanks.
I'd argue that in question 4
the fourth answer (and hence, the fifth) is not correct.
You can't (generally) use a hardware wallet to "download a Bitcoin wallet", can you?
I have no clue how to hack anything. I did the quiz though. I like it but it is a bit too easy for an experienced Bitcoiner. Is this geared towards newbies?
The quiz is just for fun. It's a demo of a WordPress plugin anyone can use to make their own quizzes and surveys.
but i'm glad you thought it was easy! thanks for commenting
(for some reason the script gets cut off, replacing with a pastebin)
https://privatebin.net/?547ae6f3e91fc84e#DLzWSRRFGh1ypG9D6VZDnLZfGfZ72FsFwLEBbG3t9JKX
The nonce was the same for me as #871344
It's probably drained already :)
you're right

Ha. Only 5000 sats? We challenge everyone to steal thousands of dollars worth in USDT and L-BTC hacking this open source GitHub page.
FYI Folks I think this one is closed! I'll see if we close this out thru the SN UI or I just send them btc direct. But anyone reading this consider it closed please!
deleted by author
You may also need to make sure that the admin cannot withdraw more sats than they own.
hey i think you and @Scroogey got this! I wish you all had taken longer : \
trying to lock this thing down has been a really frustrating experience but ah well. I'm learning.
I'm not sure who got this first or better. If you all want to pass me a btc address or LN address I will for sure send you both sats.
Nice work you all. I will fix the ^%$# thing and then you can try again
Scroogey@coinos.io
Thank you, it was fun! :)
Done! Thanks again for testing I appreciate it. I'm going to fix this up and then you can try again in a couple of weeks : )
Thank you!
Got it mate! I'll send sats today. Didn't mean to worry you with the delay. I appreciate it!
deleted by author
@random_ that LN address isn't working for me. Do you have any others or want to send an on-chain address? Lmk i appreciate your testing.
deleted by author
Sent! You are welcome. When I've revamped some of this I'll post another bounty : )
Did you ever send anything?
👉👈
Not to me, either. 😞
Wack!
Thank you amigo! I appreciate it and will send you sats today : )
@random_
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it checks the number of times a user has been paid out and returns "better luck next time" if the number of remaining attempts is 0.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L277C1-L291C12
There is no check on the remaining number of attempts compared to the handleUserPayout.
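The comments above on the client-driven counting call and the reused nonce, and this last comment on sendPaymentRequest bypassing handleUserPayout, all come down to one design rule: the server must count, gate, fetch the invoice and pay inside a single request, so there is no step a client can skip or replay. The following is an added example written for this page, not the plugin's code; it is in Python rather than PHP so it runs stand-alone. `QuizPayoutService`, the single-use token scheme and the stub `fetch_invoice`/`pay_invoice` callables are constructed for illustration, and the sample address is the one from the post. One caveat worth knowing: WordPress nonces are time-window tokens that remain valid for repeated requests by design, which is why the same nonce kept being accepted, so a single-use token has to be a separate server-side record.

```python
import secrets
import time
from typing import Callable, Dict, Tuple

MAX_ATTEMPTS = 3          # the per-Lightning-Address cap stated in the post
PAYOUT_MSAT = 10_000      # 10 sats per attempt, as the post promises
TOKEN_TTL_SECONDS = 600


class QuizPayoutService:
    """Counting, gating, invoice fetch and payment happen in ONE server call (submit).

    Nothing the client sends about its own state (attempt counts, amounts, 'I was
    counted' flags) is trusted; the only client inputs are address, token and answers.
    """

    def __init__(self, answer_key: Dict[str, str],
                 fetch_invoice: Callable[[str, int], str],
                 pay_invoice: Callable[[str, int], bool],
                 now: Callable[[], float] = time.time) -> None:
        self._answer_key = answer_key
        self._fetch_invoice = fetch_invoice
        self._pay_invoice = pay_invoice
        self._now = now
        self._attempts: Dict[str, int] = {}               # ln_address -> attempts used
        self._tokens: Dict[str, Tuple[str, float]] = {}   # token -> (ln_address, expiry)

    @staticmethod
    def _normalise(ln_address: str) -> str:
        # Policy choice: treat case variants of an address as the same recipient.
        return ln_address.strip().lower()

    def start_attempt(self, ln_address: str) -> str:
        """Issue a single-use token bound to the address. Nothing is counted or paid here."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (self._normalise(ln_address), self._now() + TOKEN_TTL_SECONDS)
        return token

    def submit(self, ln_address: str, token: str, answers: Dict[str, str]) -> dict:
        """The only endpoint that pays: attempt cap, token and payment are all decided here."""
        addr = self._normalise(ln_address)
        bound = self._tokens.pop(token, None)           # consumed on first use; a replay gets None
        if bound is None or bound[0] != addr or bound[1] < self._now():
            return {"paid": False, "reason": "invalid, expired or reused token"}
        used = self._attempts.get(addr, 0)
        if used >= MAX_ATTEMPTS:
            return {"paid": False, "reason": "better luck next time"}
        self._attempts[addr] = used + 1                 # count before paying: a failed payment still burns an attempt
        score = sum(1 for q, a in answers.items() if self._answer_key.get(q) == a)
        invoice = self._fetch_invoice(addr, PAYOUT_MSAT)   # server requests exactly the earned amount
        paid = self._pay_invoice(invoice, PAYOUT_MSAT)
        return {"paid": paid, "score": score, "attempts_left": MAX_ATTEMPTS - used - 1}


def _fake_fetch_invoice(ln_address: str, amount_msat: int) -> str:
    # Constructed stand-in for the LNURL-pay lookup the server would perform.
    return f"lnbc100n1constructed-invoice-for-{ln_address}"


def run_demo() -> dict:
    """Replays the thread's two bypasses against the single-call design."""
    paid_log = []
    svc = QuizPayoutService({"q1": "b", "q2": "a"}, _fake_fetch_invoice,
                            lambda inv, msat: paid_log.append(msat) or True)
    addr = "ealvar13@coinos.io"
    token = svc.start_attempt(addr)
    first = svc.submit(addr, token, {"q1": "b", "q2": "c"})
    replay = svc.submit(addr, token, {"q1": "b", "q2": "c"})     # same token resent
    later = [svc.submit(addr, svc.start_attempt(addr), {"q1": "b", "q2": "a"})["paid"]
             for _ in range(3)]                                  # attempts 2, 3 and 4
    return {"first": first, "replay": replay, "later": later,
            "total_paid_msat": sum(paid_log)}


if __name__ == "__main__":
    print(run_demo())
```

In PHP the in-memory dictionary becomes a database row per address, and the increment must be an atomic conditional update (one statement that only succeeds while the stored count is below the cap), otherwise two concurrent submissions can both read "2 attempts used" and both get paid. The same applies to the token: delete-and-check in one statement, not a read followed by a delete.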