General Rules
Use of AI tools of any kind (including autocomplete) is prohibited.
Only one instance of VS Code may be running per competitor/team.
A single browser window/tab may be used exclusively for documentation. Permitted sources and clarifications:
Explorer access for the Monad chain is permitted.
Search engines (e.g., Google) are not permitted.
RPC documentation is allowed (example: www.alchemy.com/docs/*).
Foundry and Hardhat documentation are allowed (example: https://getfoundry.sh/*).
All security researchers must be physically on-site for the event.
No external contact is permitted except with event organizers; all team communication must be verbal between team members.
Proofs-of-concept (POCs) must be written on the team captain’s computer; POCs may not be copy-pasted or transmitted from another machine.
No state-changing transactions may be executed from any device other than the captain’s computer.
Each team must designate a wallet before the event begins; teams will be airdropped MON tokens to use for gas.
The only USB devices permitted are unmodified keyboards, mice, external monitors, and hardware wallets, plus the event-designated USB-C drive.
When a team member discovers an exploit, the discovery must be documented (typed) on the captain’s laptop.
If a team hacks all assigned contracts before being called to the stage, team members must remain in the room until summoned.
If a team has not completed all hacks by the deadline, they must cease work immediately when instructed by a referee.
Target Address Distribution
Target addresses will be stored on USB-C thumb drives placed in envelopes labeled 1, 2, 3.
Teams must open the next envelope only after successfully hacking the prior contract.
Team members may plug the USB-C drive into their machines to obtain the address (manual retyping of the address is not required).
Deployer Requirements
Each target contract must be deployed from a distinct wallet to avoid cross-contamination of transaction history.
Deployed contracts must be verified on the relevant block explorer.
Contracts must be deployed at least 30 minutes before the event start, or funds must not be deposited until within 30 minutes of the start time (mitigates risk if an external actor is monitoring).
CTF Scoring & Conduct
A contract is considered “hacked” if more than 90% of its TVL (excluding deposits made by participants acting as hackers) has been withdrawn. (Note: Teams do not necessarily have to capture the withdrawn funds themselves; the requirement is that the contract is drained.)
Denial-of-service (DoS), griefing, or freezing attacks do not qualify as successful hacks.
The team captain’s screen must be shared at all times.
Preloads & Environment
Teams may begin with a minimal four-line POC template (for example, an RPC connection snippet).
Required API keys may already be present in the environment variables (ENV).
