I. INTRODUCTION
I.I WHY SECURITY MATTERS
I.II COMMUNITY
II. CHALLENGES
II.I DIFFICULTIES
II.II PREREQUISITES
II.III SOLVING A CHALLENGE
III. LEADERBOARD
III.I SCORING
IV. FAQ
V. EXTERNAL RESOURCES

I. INTRODUCTION

Welcome to ONLYPWNER, a platform focused on the security aspects of Ethereum and EVM smart contracts!


As the adoption of blockchain technology, particularly EVM-based chains, continues to grow, so does the importance of ensuring its security. ONLYPWNER provides a series of challenges, each tailored to demonstrate a specific vulnerability or security concept within the realm of smart contracts. Designed for users ranging from novices to experts, it offers a structured approach to understanding and uncovering potential vulnerabilities within smart contracts.


Our primary aim is to provide a comprehensive learning environment for individuals interested in security concepts. By facilitating hands-on experience with real-world challenges, ONLYPWNER helps users develop the skills needed to identify vulnerabilities and mitigate exploits.

I.I WHY SECURITY MATTERS

In Q1 2023 alone, over $320 million was lost to exploits, with no signs of slowing down. Even fundamental and reputable DeFi protocols, such as Compound and Curve Finance, could not escape the wrath of hackers. Rekt lists over 70 exploits with over $10 million in funds lost. The cold hard truth is that the level of security in the blockchain space is not nearly where it needs to be for mass adoption.


On the bright side, there are many talented security researchers working to improve this issue, as well as a growing scene of audit and bug bounty platforms open for anyone to participate in. Here, ONLYPWNER aims to provide you with an entry point into this domain, by helping you to develop, refine, and test your skills in a safe environment.

I.II COMMUNITY

If you are looking to chat about these topics and get involved in the community, the ONLYPWNER Discord server is the right place for you. There you can chat about all things related to Ethereum Virtual Machine (EVM) security and find discussions ranging from smart contract vulnerabilities, security best practices, and the latest tools and techniques to CTF challenges and more. Join us by clicking this link.

II. CHALLENGES

Challenges are the core feature of ONLYPWNER. A challenge is like a puzzle that needs to be solved. Each is designed to be exploitable in a specific way, and your goal is to find the vulnerability and abuse it like a real-world attacker would. The exact impact is specific to each challenge. For some, you may be able to steal funds, for others you may be able to take over control of the contract. But the general concept is always the same: find the vulnerability and exploit it.

II.I DIFFICULTIES

The challenges are designed to be accessible to a wide range of users, from beginners to experts. There are five difficulty levels. D1 challenges are intended for beginners who are just getting started, without any prior knowledge of security concepts and vulnerabilities, while D5 challenges are designed for experts who have already accumulated an in-depth understanding of the inner workings of the EVM and smart contracts.

II.II PREREQUISITES

To participate in and solve challenges, you will only need a way to interact with deployed smart contracts on an EVM chain over RPC. You are completely free to choose your preferred method. Some popular options include:

II.III SOLVING A CHALLENGE

After you have navigated to a challenge page, you will see a description setting the scene, as well as a winning condition you need to fulfill in order to solve the challenge. For example, "the vault is out of funds" means you have to drain the Vault contract of its assets.


Below the description, you will find the challenge source code. The src directory contains the logic of the contracts that you have to exploit. The script directory contains two scripts that ONLYPWNER uses to set up and check the challenge for completion:

  • Deploy.sol is used to deploy the challenge contracts to the chain.
  • IsSolved.sol is used to check if the challenge has been solved.

In most cases, you will not need to view these two scripts. However, in certain situations, they can be helpful in order to understand the exact setup or winning condition of a challenge.

Once you are ready to get started, clicking the LAUNCH button will create an environment for you where the challenge contracts are deployed. The area below the button displays your RPC endpoint for this challenge as well as the address of the deployed contracts. A USER keypair is also generated, which you are advised to use, as some challenges might set up this address with special permissions or funds.


You are ready to go now! Send your transactions to the RPC endpoint (with a gas price of 0!) and try to solve the challenge. If you think you have solved the challenge, you can check the status at any time by clicking the CHECK button.

III. LEADERBOARD

A touch of competition never hurts! The leaderboard keeps track of the top performers on ONLYPWNER. For each listed user, you can see their username, the number of challenges they have solved, their total score, and a breakdown of the number of challenges solved per difficulty. If you want to see how you stack up against the competition, make sure to create an account and log in before solving challenges!

III.I SCORING

Each challenge has a score associated with it that solely depends on its difficulty. The score of a challenge is the difficulty level squared. For example, a D3 challenge is worth 9 points, while a D5 challenge is worth 25 points. The total score of a user is the sum of the scores of all challenges they have solved. The points for a given challenge are only awarded once, when the challenge is solved for the first time.

IV. FAQ

Q: Is it safe to interact with the challenges? Can I lose funds or get hacked?
A: The challenges are safe to interact with, as they run on a private chain. However, you should never use your mainnet keypairs. Instead, use the USER keypairs generated by ONLYPWNER.


Q: Do I need to create an account to solve challenges?
A: No, you can solve challenges without an account. However, if you want to track your progress and compete on the leaderboard, you will need to create an account and log in.


Q: I have a cool idea for a new challenge. Can I get it featured on the site?
A: Absolutely! Head over to the Challenges repo and submit a pull request.

V. EXTERNAL RESOURCES

Bug Bounty platforms
Competitive auditing platforms
Courses and Guides
Posts and Articles