The Chrysalis Attack-a-thon

The full article was originally published by Antonio Nardella on blog.iota.org. Read the full article here.

The IOTA Foundation members and the IOTA ecosystem are eager to see Chrysalis on the mainnet. After months of development, testing and auditing by external companies, we are confident that we are ready for the transition to Chrysalis.

Right before that we are inviting the IOTA community members to the Chrysalis Attack-a-thon!

With the Attack-a-thon we would like to challenge you to try and break different parts of Chrysalis. You will be rewarded for your findings!
Don’t confuse this with IOTA’s “incentivized testnet”, which will be launched once the Coordicide testnet reaches its “Nectar” stage: that is of course still on the roadmap and will happen after the testnet is upgraded to “Nectar”.

The Chrysalis Attack-a-thon is a challenge aimed at security researchers, developers and Rustaceans. Everyone is invited to join and try to grab a few small prizes. It is intended as a public and fun experience, which you will see is also reflected in our rewards 😉

The Attack-a-thon runs for around 10 days: it starts on the 18th of March 2021 at 2PM UTC and ends on the 28th of March 2021 at 11:59 PM UTC.

The scope of the Attack-a-thon challenge

In the scope of the Chrysalis Attack-a-thon are the following IOTA components:

Categories, rewards and how to participate

Our community might find many different things while exploring possible attacks on the Chrysalis network, so we have defined categories for the submissions. Every category is connected to one or more rewards.

The rules of engagement are pretty simple:

  • The first to submit a valid entry during the defined time period gets the prize
  • Every issue in the scope counts individually (e.g. if an injection makes it possible to escalate privileges, it counts as two issues)
  • The evaluation committee may also count a submission for a vulnerability outside the proposed scope if it is closely connected to Chrysalis

Categories

Four kinds of priority were defined for the findings.
The priorities are essentially all about the cost/benefit ratio, where cost and benefit are broad terms: cost can be effort, time, money, coordination required, etc.; benefit can be monetary, reputational, competitive advantage, etc.

Priority 1

Likelihood: medium/high (an attack can be carried out with little or no advanced resources)
Severity: corrupts/stops the network entirely. Arbitrarily changes the balances of many users.

  • Consensus split of the network (practical attack).
  • Arbitrary account (steal tokens) takeover.
  • Double-spending existing funds or use funds “out of thin air” or Treasury Output.
  • Stopping network confirmations altogether (Coordinator).
  • Reverting a confirmed transaction.

Priority 2

Likelihood: medium/low (an attack can be carried out under special conditions, with moderate or high difficulty to create)
Severity: compromises the entire network with low likelihood, or consistently affects specific actors in the network with moderate resources.

  • Consensus split of the network (theoretical attack).
  • Censoring of arbitrary accounts, preventing confirmations.
  • Get the network to accept Messages that violate established “validation” rules: insufficient PoW, malformed messages, breach dust rules, etc.
  • Eclipse-attack, arbitrarily controlling node’s peering.

Priority 3

Likelihood: medium/low, an attack can be carried out under special conditions, with moderate or high difficulty to create.
Severity: Attacks that affect a limited number of actors in the network.

  • Causing nodes to crash or hang under “average” network load.
  • Cause a node to drop connection to an arbitrary peer.
  • Reducing overall confirmation rate consistently below 50% without holding more than 20% hash-rate.
  • Manipulating a single wallet user’s experience to trick them into unwanted actions: paying to an incorrect address, showing bogus confirmation states, exposing secret material, hijacking the migration process.

Priority 4

Likelihood: medium/low
Severity: disrupting end-user usability of the network, availability disruptions, etc.

  • Prevent new nodes from joining the network.
  • Preventing wallets from loading Tangle data.
  • Crash individual nodes under hard-to-obtain specific conditions.

Exclusions

What will not be evaluated (although submitting the issue is still very welcome):

  • Graphical bugs (wrong shape of a box, text not aligned and similar things)
  • Typos (unless they can be used for an attack)
  • Bugs that involve manipulation of the underlying runtime environment without exploiting app-specific bugs (e.g. malware running on the OS, malicious administrator user on the same system, etc.)
  • Getting the nodes out of sync with a lot of spam without crashing the coordinator

Rewards

Everyone who submits an issue deemed valid by the evaluation committee and is a member of the IOTA Discord community receives the dedicated Tanglebreaker badge, so they can be recognized by our community.

Attack-a-thon rewards

Priority 1

IOTA branded Ledger Nano S for the first 10 submissions that qualify as P1
T-Shirt with custom design*
€250 in IOTA Tokens

Priority 2

IOTA branded Ledger Nano for the first 7 submissions that qualify as P2
T-Shirt with custom design*
€150 in IOTA Tokens

Priority 3

IOTA branded Ledger Nano for the first 5 submissions that qualify as P3
T-Shirt with custom design*
€100 in IOTA Tokens

Priority 4

IOTA branded Ledger Nano for the first 3 submissions that qualify as P4
T-Shirt with custom design*
€50 in IOTA Tokens

* by the IOTA Foundation design team

Terms and conditions

  • Prizes cannot be paid out to participants currently residing in countries subject to international sanctions imposed by the UNSC, OFAC and the EU or personally named on a Specially Designated National and Blocked Persons Lists (SDN) published by the aforementioned bodies
  • Excluded from participation are all employees and contractors of IF as well as any person who has already been working professionally on any parts of the Chrysalis code

How to participate

As soon as you find an issue that falls under the categories described above, go to the relevant GitHub repository and submit an Attack-a-thon issue using the pre-defined issue template:

Attack-a-thon Issue template

The issue has to be structured as follows to be taken into consideration by the evaluation committee.

Description: What component was used (e.g. iota.rs python binding) and how

Impact: Describe the vulnerability and its potential impact.

Proof of Concept: Give a detailed description of the steps, tools and versions needed to reproduce the issue (proof of concept scripts or screenshots are helpful).

By submitting the issue, the submitter warrants the report and any attachments do not violate the intellectual property rights of any third party, and the submitter grants the IOTA Foundation a non-exclusive, royalty-free, world-wide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.

The evaluation committee

The submitted issues will be verified for correctness by IOTA Foundation members, who will reply on the GitHub issue to confirm or reject its validity and to define the category it falls under.

Starting on the 8th of April 2021, the winning participants will be contacted by the Community Manager, Antonio Nardella, with a comment on the submitted issue.
The subsequent verification and information exchange process for receiving the rewards will require you to publish a public gist, using information shared by e-mail.

We welcome everyone to stop by on Discord in the #attack-a-thon channel and to follow us on Twitter to keep track of all the latest news!
