Defi CTF Challenges – Web3 Security Practice


Welcome to TheSandF Defi CTF Challenges, where Web3 security meets superhero showdowns! 🦸‍♂️✨ Audit vulnerable Solidity contracts, uncover bugs, and level up your smart contract auditing skills. Created by Hans Friese.

Full credit to Hans Friese, co-founder of Cyfrin, a leading blockchain security firm.


DeFiHub: Decentralized Finance Protocol

DeFiHub is a comprehensive DeFi protocol combining governance, liquidity provision, and token streaming into a unified ecosystem. It provides essential financial services with simplicity, efficiency, and security at its core.

Protocol Overview

DeFiHub empowers users through three core pillars:

  1. Governance Participation – Vote on protocol upgrades and parameters.
  2. Liquidity Provision – Supply assets to earn rewards and maintain ecosystem health.
  3. Structured Token Distribution – Stream tokens transparently and securely.

The protocol aims to create sustainable value for all participants while maintaining security and transparency.


Defi CTF Challenges: Structure & Scope

├── src/
│   └── ctf-solutions/
│       └── Defi-CTF-Challenges/
│           ├── GovernanceTokenTest.sol
│           ├── LiquidityPoolTest.sol
│           └── StableCoinTest.sol
├── test/
│   └── ctf-solutions/
│       └── Defi-CTF-Challenges/
│           ├── GovernanceTokenTest.t.sol
│           ├── LiquidityPoolTest.t.sol
│           └── StableCoinTest.t.sol

Known Issues

StableCoin.sol – mint function

Currently, any address can mint tokens for any other address:

// No access control: any caller can mint any amount to any address.
function mint(address to, uint256 amount) external {
    _mint(to, amount);
    emit TokensMinted(to, amount);
}

Impact: Critical – unrestricted minting can inflate the token supply and compromise the protocol.


Why Participate in Defi CTF Challenges?

Blind Audit Encouragement

Contracts are anonymized educational challenges, simulating real-world audits (like Code4rena or Sherlock) to strengthen your independent auditing skills.

Credit & Collaboration

Acknowledging Hans Friese honors the original creator and fosters potential partnerships. Your contributions are recognized in the community.

Community Growth

Submit findings via GitHub or X (@THE_SANDF) to get featured and collaborate with other Web3 defenders.

Scalable & Educational

Start with anonymized contracts and expand to custom challenges, keeping learning fresh while avoiding spoilers.


Rewards for Participants

Even without monetary incentives, your contributions are valuable:

  • Recognition: Featured on the thesandf.xyz Hall of Heroes and X shoutouts.
  • Community Perks: Early access to case studies, badges, and beta audit program invites.
  • Portfolio Value: Strong reports enhance your Web3 job prospects.

How to Participate

1. Set Up Your Environment

git clone https://github.com/thesandf/thesandf.xyz.git
cd thesandf.xyz
forge test -vvv

2. Audit the Contract

Perform a blind audit:

  • Analyze: Identify vulnerabilities like reentrancy, unprotected withdrawals, or overflows.
  • Exploit: Write a Foundry test (.t.sol) demonstrating the bug.
  • Fix: Propose secure alternatives using best practices (e.g., Checks-Effects-Interactions).
  • Tools: Foundry, Slither, or manual review.

3. Write Your Audit Report

Follow this Markdown template:

### [S-#] TITLE
**Description:**
**Impact:**
**Proof of Concept:**
**Recommended Mitigation:**

Example Severity: Critical

Example Mitigation:

function withdraw() external nonReentrant { ... }

4. Submit Your Report

  • GitHub Issues: Open an issue in thesandf.xyz using the audit template.
  • GitHub Discussions: Post in the “Defi CTF Challenges” category for feedback.
  • X (@THE_SANDF): Share PoC snippets: "Busted a reentrancy bug in Defi CTF! 🕷️ Check my PoC: [link] #Web3Security"

Rules: Conduct blind audits – do not reference solved external issues.
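The following Foundry test is an added example, not code from the thesandf.xyz repository or from Hans Friese's challenges. It works the unrestricted mint from the "Known Issues" section through steps 2 and 3 above: a minimal stand-in contract (hypothetical; only the quoted mint function is taken from the page) reproduces the bug, a test shows that an arbitrary address can inflate the supply, and a hardened variant with an owner-only modifier (one possible mitigation, not one the page prescribes) is tested alongside it so the report's "Proof of Concept" and "Recommended Mitigation" sections both have evidence.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the page's StableCoin (assumed shape; only mint() is quoted on the page).
// mint() is reproduced exactly as listed under "Known Issues": no access control.
contract VulnerableStableCoin {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event TokensMinted(address indexed to, uint256 amount);

    function mint(address to, uint256 amount) external {
        _mint(to, amount);
        emit TokensMinted(to, amount);
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened variant (hypothetical fix): the deployer becomes owner and only the
// owner may mint. A custom error keeps the revert reason cheap and explicit.
contract FixedStableCoin {
    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event TokensMinted(address indexed to, uint256 amount);

    error NotOwner(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit TokensMinted(to, amount);
    }
}

// Run with `forge test -vvv --match-contract StableCoinMintTest`.
contract StableCoinMintTest is Test {
    address attacker = makeAddr("attacker");

    // Proof of Concept: an unprivileged address mints 1,000,000 tokens to itself.
    function test_anyoneCanMint() public {
        VulnerableStableCoin coin = new VulnerableStableCoin();

        vm.prank(attacker);
        coin.mint(attacker, 1_000_000 ether);

        assertEq(coin.balanceOf(attacker), 1_000_000 ether);
        assertEq(coin.totalSupply(), 1_000_000 ether);
    }

    // Mitigation check: the same call reverts for a non-owner, and the supply is untouched,
    // while the owner (this test contract, which deployed the token) can still mint.
    function test_fixRejectsNonOwner() public {
        FixedStableCoin coin = new FixedStableCoin();

        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(FixedStableCoin.NotOwner.selector, attacker));
        coin.mint(attacker, 1 ether);
        assertEq(coin.totalSupply(), 0);

        coin.mint(address(this), 100 ether);
        assertEq(coin.balanceOf(address(this)), 100 ether);
        assertEq(coin.totalSupply(), 100 ether);
    }
}
```

Both tests belong in the same `.t.sol` file so a reviewer can run the PoC and the mitigation side by side; the second test is the one to cite under "Recommended Mitigation" in the report template, since it proves the fix closes the path rather than merely asserting that it does.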


Tips for Success

  • Begin with medium/low severity bugs if new to auditing.
  • Use Foundry for efficient testing.
  • Never deploy vulnerable contracts to mainnet.
  • Need guidance? Start a GitHub Discussion or DM @THE_SANDF on X.

Ready to Battle Bugs?

Audit contracts in Defi CTF Challenges (full credit to Hans Friese), submit reports via GitHub, or tag @THE_SANDF on X. Let’s secure the Web3 multiverse together!

πŸ—οΈ Start the Challenge | πŸ’¬ Discuss | Follow @THE_SANDF