
BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀)

Sup Stackers!

I’m offering a bounty to anyone who can break my plugin and force an unauthorized payout. If you succeed, you take whatever funds are in the quiz wallet, plus additional prizes if you document your method and suggest a fix.
Even if you don’t hack it, you still get 10 sats just for taking the quiz! So give it a shot and send me any feedback—either here or via email at bitcoin-mastermind.negligee018@passinbox.com.
Here’s the website with the quiz. Try it out. 👉 Bitcoin Mastermind Quiz

🚀 The Goal:

Can you force the site to send you more sats than allowed?
  • Can you withdraw more than 10 sats per quiz attempt?
  • Can you drain the full quiz wallet? (Currently holds 5,000 sats—go for it!)
  • Can you find another exploit that wrecks the system? (Oh no 😨)

🎯 The Reward:

  • Take the wallet balance if you manage to force an unauthorized payout.
  • 50,000 sats if you successfully drain the wallet.
  • Another 50,000 sats if you document your method & suggest a fix.
  • Total potential reward: 100,000+ sats!

🛠 Background:

We want to make these quizzes freely available to anyone who wants to use the plugin—no login, no tracking, no nonsense. But that also means preventing unauthorized payouts is a real challenge. We’ve put in work to lock it down, but now it’s your turn to try and break it.
To limit abuse, there’s a 3-attempt cap per Lightning Address.
The following types of LN addresses should work:
🔗 Source code in use on the website:
👉 GitHub Repo

🏴‍☠️ How to Participate:

  1. Take the quiz and try to exploit it.
  2. If you find a vulnerability, claim the bounty and message me here or email me the details.
  3. Even if you don’t hack it, enjoy 10 sats per quiz attempt—feedback is welcome!

💀 Hack me if you can! 🏴‍☠️

100,000 sats bounty
ealvar39's bounties
Don't pay the bounty via SN, there's a risk that whoever receives it will get 100K CCs! 🤠
reply
haha ok! if anyone hacks it i can pay the bounty to any lightning wallet or on-chain wallet, it doesn't have to be thru SN : )
reply
lol, so true.
reply
(for some reason the script gets cut off, replacing with a pastebin)
  1. open the networks tab, study the ajax commands
These two were interesting: #871344
  1. right click, 'copy as curl'
  2. paste into https://sqqihao.github.io/trillworks.html
  3. copy into python script
  4. edit as necessary
  5. run
The nonce was the same for me as #871344
reply
It's probably drained already :)
{"error":"Alby payment request failed","details":"cURL error 28: Operation timed out after 45003 milliseconds with 0 bytes received"}
reply
you're right
reply
It seems I can repeatedly send two requests and get more than 3 times the payout:
POST https://bitcoin-mastermind.com/wp-admin/admin-ajax.php action=getBolt11&email=Scroogey%40stacker.news&amount=10&callerType=user
Take the invoice from the response and put it into
POST https://bitcoin-mastermind.com/wp-admin/admin-ajax.php action=pay_bolt11_invoice&bolt11=LNBC100...&quiz_id=8&lightning_address=Scroogey%40stacker.news&nonce=29e5cc3667&callerType=user&totalSats=10
Ad infinitum...
reply
You can change the amount as well.
reply
There is a check in lightning_address.php line 280.
Why is that not working at all?
Because it's checking the totalSats parameter provided by the client, not the value encoded in the invoice (provided in the first call as amount=10)!
reply
Good catch! Never trust the client.
reply
The getBolt11 function also has an exploitable flaw:
It asks the external (!) Bolt11 server for parameters related to the user-provided address, and honors minSendable in a funny way:
$minAmount = $lnurlDetails->minSendable; $payAmount = ($amount * 1000 > $minAmount) ? $amount * 1000 : $minAmount;
An attacker can use an address that leads to an attacker-controlled Bolt11 resolver, which returns an absurdly high minimum. The logic above will then use that (instead of the amount due)!
reply
interesting! it doesn't boot your request after 3 tries with the same lightning address?
reply
It seems to rely on the client sending a request to get itself counted:
The client can simply skip this call to get endless calls.
All the logic should be in the server: use a single call to submit the answers, and have the server count the address, generate and pay the invoice in one step. You can't rely on the client following any expected procedure. Hackers will do any call in any order with any parameter to exploit you.
reply
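Putting Scroogey's three findings above (the server checking client-supplied totalSats, the minSendable logic in getBolt11, and attempt counting that depends on the client making a call) into one server-side check, as an added Python sketch that is not the plugin's own code: the amount is read from the invoice's human-readable part instead of a request parameter, a minSendable above the reward is refused rather than honored, and attempts are counted on the server only when a payout is authorized. The invoice strings, the address and the helper names are constructed for the example; the 10 sats / 3 attempts policy values come from the post.

```python
import re

PAYOUT_SATS = 10           # fixed reward per attempt, decided by the server (from the post)
MAX_ATTEMPTS = 3           # cap per Lightning Address (from the post)
PAYOUT_MSAT = PAYOUT_SATS * 1000

# msat per unit of the BOLT11 amount multiplier (amount is in BTC; 1 BTC = 10**11 msat)
_MSAT_PER_UNIT = {"": 10**11, "m": 10**8, "u": 10**5, "n": 100}

def bolt11_amount_msat(invoice):
    """Amount encoded in the invoice's human-readable part, in msat (None if absent or invalid)."""
    inv = invoice.strip().lower()
    sep = inv.rfind("1")                     # bech32 separator: the data part never contains '1'
    if sep < 0:
        return None
    m = re.fullmatch(r"ln(?:bcrt|bc|tbs|tb)(\d*)([munp]?)", inv[:sep])
    if not m:
        return None
    digits, mult = m.groups()
    if digits == "" or digits.startswith("0"):
        return None                          # amount-less invoice (payer picks) or leading zero
    if mult == "p":                          # pico-BTC is 0.1 msat, so the last digit must be 0
        return int(digits) // 10 if digits.endswith("0") else None
    return int(digits) * _MSAT_PER_UNIT[mult]

def pay_amount_msat(min_sendable_msat, due_msat=PAYOUT_MSAT):
    """Replaces the max(amount, minSendable) logic: never pay more than the reward due."""
    return due_msat if min_sendable_msat <= due_msat else None   # None = refuse this address

class PayoutServer:
    """Counts attempts on the server and trusts the invoice, not a totalSats parameter."""
    def __init__(self):
        self.attempts = {}                   # lightning address -> payouts already made

    def authorize(self, lightning_address, bolt11):
        used = self.attempts.get(lightning_address, 0)
        if used >= MAX_ATTEMPTS:
            return (False, "attempt cap reached")
        if bolt11_amount_msat(bolt11) != PAYOUT_MSAT:
            return (False, "invoice amount is not the reward amount")
        self.attempts[lightning_address] = used + 1   # counted here, never by the client
        return (True, "pay %d sats" % PAYOUT_SATS)
```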
Not when I resend the requests manually (through the Firefox web tools). It accepts the same nonce every time.
reply
It successfully sent the 10 sats, thanks.
I'd argue that in question 4
What devices can I use to download a Bitcoin wallet?
the fourth answer (and hence, the fifth) is not correct.
You can't (generally) use a hardware wallet to "download a Bitcoin wallet", can you?
reply
I have no clue how to hack anything. I did the quiz though. I like it but it is a bit too easy for an experienced Bitcoiner. Is this geared towards newbies?
reply
The quiz is just for fun. It's a demo of a wordpress plugin anyone can use to make their own quizzes and surveys.
but i'm glad you thought it was easy! thanks for commenting
reply
Ha. Only 5000 sats? We challenge everyone to steal thousands of dollars worth in USDT and L-BTC hacking this open source GitHub page.
reply
FYI Folks I think this one is closed! I'll see if we close this out thru the SN UI or I just send them btc direct. But anyone reading this consider it closed please!
reply
deleted by author
reply
You may also need to make sure that the admin cannot withdraw more sats than they own.
reply
hey i think you and @Scroogey got this! I wish you all had taken longer : \
trying to lock this thing down has been a really frustrating experience but ah well. I'm learning.
I'm not sure who got this first or better. If you all want to pass me a btc address or LN address I will for sure send you both sats.
Nice work you all. I will fix the ^%$# thing and then you can try again
reply
I'm not sure who got this first or better.
@Scroogey definitely did a better job of explaining. He also identified some other critical bugs.
I was mostly gunning for the draining reward. 🤑
Thanks for issuing the challenge. I had a lot of fun.
reply
0 sats \ 0 replies \ @random_ 5h
Did you ever send anything?
👉👈
reply
Scroogey@coinos.io Thank you, it was fun! :)
reply
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it will check the number of times a user has been paid out and return "better luck next time" if the number of remaining attempts is 0. https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
There is no check on the remaining number of attempts compared to the handleUserPayout.
reply