The Great Heist: $20,000 Incentivized Competition For The New Guardians Feature
Competition Main Information:
- Introducing and battle-testing the Guardians feature
- $20,000 USD prize pool
- Competition starts: 22nd of May
- Competition ends (tentatively): 29th of May
- Divided into 3 categories: Security, Contribution, Creativity
- We create a new wallet, set up an active Guardian, fund it with the security bounty, publish the secret phrase and let you heist
- Runs on the MultiversX public testnet with test funds
At MultiversX, we intend to make blockchain technology more widespread by drastically simplifying user experience and overcoming onboarding hurdles.
Today, it's time to take a new step in that direction with the Guardians feature, our new security layer that offers an additional safeguard for user accounts. Guardians act as trusted co-signers, providing a multi-signature implementation at the protocol level. This means that once you guard your account using this new feature, your transactions will only be accepted and processed by the blockchain network if they carry both your signature and the signature of the set guardian. Setting a guardian on your account will be abstracted behind an intuitive user interface in the wallet. As with signing your transactions, you will just have to enter a valid 2FA code, and the registered guardian will co-sign the transactions.
Going forward, this article will focus on the main aspects of the competition. For full details about the Guardians feature, why it’s important for the ecosystem and various examples on how it works, please refer to: https://docs.multiversx.com/developers/guard-accounts
It is now time to break the Vault
To ensure the security and reliability of this new feature, we are launching an incentivized competition on the MultiversX public testnet: The Great Heist. By participating in this competition, you’ll learn how to use the feature, have fun and help us ensure that Guardians is battle tested through as many scenarios as possible. Moreover, you could be one of the awarded actors in the Great Heist.
We invite security experts, community members and creative participants to submit security findings, tool development, documentation, guides and share a prize pool of $20,000 in EGLD. If you want to participate, please submit your entry (for any of the three Competition Categories) by completing the Registration Form here: https://heist.multiversx.com/
The Great Heist competition
The objective of the heist event is to provide participants with a comprehensive understanding of the benefits of Guardians, identify areas that require more documentation, and assess the level of complexity involved in using this feature. Our final aim is to introduce an easy-to-use and secure version of Guardians on the mainnet, one that has been battle-tested and adapted to what the community really needs. Based on the insights gained from the event, we might make adjustments to the timeline, rules and functionality, to ensure a smooth and effective rollout.
As part of the campaign development, we encourage everyone to familiarize themselves with the available documentation at MultiversX Docs. This provides an opportunity for individuals to explore and assess the accessibility of the necessary information. We highly value any feedback regarding the user experience. You can also contribute by submitting to the “Contribution” track.
Prior to the campaign announcement, a designated account has been funded with the following testnet funds:
- 20 xEGLD;
- 249 wEGLD;
- 20,000,000 MEX;
- 1 EGLDMEXLP (0.5 EGLDMEXLP in wallet and 0.5 EGLDMEXLP staked in the EGLD - MEX farm);
- 1 NFT.
Afterwards, a guardian has been established using the TCS (Trusted Co-Signer) and activated by sending a “GuardAccount” transaction. To engage participants, we have decided to intentionally leak the seed phrase and invite everyone to test their skills in attempting to breach the vault's security. Please note that the seed phrase will be leaked three hours after the announcement.
We encourage all participants to take this time interval to thoroughly familiarize themselves with the provided documentation.
To keep the challenge dynamic, we will periodically cancel any pending guardianship by initiating a guarded SetGuardian transaction. This mimics what anyone might naturally do in such a scenario until the funds are sent to a safe “vault”. By incorporating these periodic changes, we ensure that participants must consistently adapt their strategies to progress in the campaign.
Following a period of seven days of competition, all assets will be transferred to a secure address. This address will be publicly disclosed during the campaign. In the event that this transfer is successfully executed, the Security prize will not be awarded. However, all creative attempts to breach the vault will still be evaluated and remain eligible for the creativity prize. This additional twist adds an element of suspense and challenges participants to think outside the box, emphasizing both the importance of security and the value of innovative solutions.
The Great Heist has three main divisions:
Security - $10,000 USD in EGLD
Improve the security of the Guardians feature by finding security issues or platform vulnerabilities that can be exploited either to steal funds, drain the account or disrupt normal operations.
In the scope:
- MultiversX Wallet;
- MultiversX DeFi Wallet-extension;
- Protocol feature by programmatically interacting with the vault through proxy or directly through the node;
- TCS service.
Not in the scope:
- Availability* of MultiversX Wallet & DeFi Wallet-extension;
- Devnet or Mainnet MultiversX Wallet & DeFi Wallet-extension;
- xPortal App;
- Other wallets or dApps.
Valid claims can be made through a well-documented entry in the Registration Form, or well-executed attacks, followed by proper documentation. First come, first served for the same issue.
Security prize distribution:
- $1,000 in EGLD will be awarded for validated submitted draining vulnerabilities;
- $9,000 in EGLD will be awarded for validated submitted transfer transactions (be it xEGLD, wEGLD, MEX or NFT) vulnerabilities with respect to the following rules: If multiple different vulnerabilities are submitted, the prize pool will be divided among all the submitters. In the case of a single vulnerability submission, only the first submitter will be awarded the prize.
The submitter MUST prove ownership of the account where the assets were transferred.
*DDOS-ing or other similar attacks on the website will not be rewarded. We’re looking to assess the functionality and security under normal circumstances.
Creativity - $5,000 USD in EGLD
We believe that Guardians is an important addition to our suite of products and services. With your collaboration, we can ensure that this new feature is dependable, secure, and well-suited for our communities' needs. We encourage you to explore the various use cases and possibilities that Guardians opens up and be creative in your approach. Additionally, we will reward the best ideas for "robbing the vault".
Contribution - $5,000 USD in EGLD
- Make useful suggestions;
- Improve existing documentation, write new documentation (from developer, integrator, user point of view), create guides and guidelines;
You will be able to submit your contributions via the Registration Form here: https://heist.multiversx.com/
Items will be ranked based on execution, utility, and originality. So make sure you pick a useful topic, cover it well and in an exciting way. Be aware that trivial topics like “How to set a guardian”, “How to guard an account”, etc, may have already been covered in the documentation. Only the best-executed items will be selected from similar ones.
How to join the campaign:
- Visit heist.multiversx.com and submit your entry using the Registration Form.
- You will be requested to add a description to your submission, enter a MultiversX address (erd1…) to receive the prize (if you are eligible) and a Telegram ID to keep in touch (We will NOT DM)
- Follow these channels for important updates:
- Discord: https://discord.gg/multiversxbuilders
- Telegram: https://t.me/TheGreatHeist
- Twitter: https://twitter.com/MultiversX
Participants who are eligible for rewards will be required to complete a KYC process afterwards.
Timeline & Rewards
The competition starts on the 22nd of May and will last until the 29th of May.
During the competition, several important milestones will be reached:
- Initial Announcement: May 22nd
- Secret Phrase Leak: May 22nd
- Safe Vault Address Announcement: May 24th
- Campaign End: May 29th
- Leaderboard Announcement: June 14th
These milestones mark significant points in the progression of the competition. If you have any questions you can reach out to us via one of the mentioned channels (Discord or Telegram).
Throughout the event, we might need to make several changes, like resetting the pending guardians (by sending a guarded SetGuardian transaction), updating the wallet or resetting the TCS service. This is to be expected while validating the capabilities of a platform under heavy testing conditions.
Submissions will be analyzed and rewards will be distributed by the 14th of June. During this period, it is possible that many of the submitters will be tagged (we will NOT DM) on the channels for further discussions regarding their submitted entries.
The rewards will be distributed in $EGLD tokens, at the 7-day average EGLD/USDT parity.
FAQ
What is “The Great Heist”?
The Great Heist is an incentivized competition that aims to introduce Guardians to our community and assess the security of this soon-to-be-released feature, with the goal of identifying and addressing any potential security issues. Additionally, it is an opportunity for the community to showcase their creativity and explore the various use cases of this new multi-sig feature, thereby enabling us to leverage its benefits to the fullest.
When does it start and when does it end?
The competition begins on the 22nd of May and will end on the 29th of May.
How do I join?
- Go to: heist.multiversx.com
- Submit an entry using the Registration Form: https://form.typeform.com/to/PZe3p8Sl
- Input your robber’s account - can be the same one as your xPortal address, but we recommend using a new one. This will be the address where you should try sending the funds.
- Provide your Telegram ID so that we can tag you on our main Telegram Channel (https://t.me/TheGreatHeist) in the event that you are selected as one of the winners. We will NOT DM you.
- Give us any feedback regarding ways to contact you or problems that you faced while using the feature, or, if you want, just say hi.
- Don’t forget to submit your entry.
Who can participate? Is KYC needed?
Everyone with a MultiversX account can join the fun and be a part of “The Great Heist” competition. People who are eligible for rewards will need to pass a KYC process before being able to claim them.
In order to comply with regulations related to KYC/AML for such events, the following countries are excluded: Afghanistan, Angola, Azerbaijan, Bosnia and Herzegovina, Botswana, Burundi, Cambodia, Cameroon, Chad, China, Congo, Congo (Democratic Republic), Cuba, Eritrea, Ghana, Guinea, Guinea-Bissau, Haiti, Iran, Iraq, Lao People's Democratic Republic, Liberia, Libya, Madagascar, Mozambique, Nicaragua, North Korea, Pakistan, Somalia, South Sudan, Sri Lanka, Sudan, Syrian Arab Republic, Tajikistan, Trinidad and Tobago, Turkmenistan, Uganda, United States, Uzbekistan, Vanuatu, Virgin Islands (U.S.), Yemen, Zimbabwe
How can I participate in submitting security issues, reporting bugs, and contributing content?
You can submit your findings by completing the Registration Form here:
The valid entries will be made public when the competition has concluded. This is also valid for topics that are not related to the feature itself, but are valid according to the scope of the competition.
The submissions will be judged following these rules:
Security Category:
- Submissions should focus on identifying vulnerabilities, loopholes or potential security risks within the ecosystem.
- Detailed explanations of the security issue should be provided, along with steps to reproduce it (if applicable).
- Clear documentation of the potential impact of the security issue should be included (links to transactions, proof of ownership, speed);
Creativity Category:
- Submissions should showcase unique and innovative ideas, concepts or designs related to the campaign;
- Participants should provide clear explanations or visual representations of their creative contributions;
- Originality and out-of-the-box thinking when coming up with ideas for utilizing the feature are encouraged;
- Submissions proposing strategies to engage and connect with communities outside of MultiversX will also be taken into consideration and evaluated;
Contribution Category:
- Submissions in this category should focus on providing valuable additions to the documentation, UX improvement suggestions or any other enhancements;
- Practicality, feasibility and potential impact of the proposed contributions will be appreciated;
- Participants will be encouraged to provide any supporting materials such as documentation, mockups or prototypes.
What is the scope of the security rewards?
Improve the security of MultiversX by finding security issues or platform vulnerabilities that can be exploited either to steal funds or disrupt normal operations.
In scope:
- MultiversX Wallet;
- MultiversX DeFi Wallet-extension;
- Protocol feature by programmatically interacting with the vault through proxy or directly through the node;
- TCS service.
Not in scope:
- Availability* of MultiversX Wallet & DeFi Wallet-extension;
- Devnet or Mainnet MultiversX Wallet & DeFi Wallet-extension;
- xPortal app;
- Other wallets or dApps.
Valid claims can be made through well-documented entries in the Registration Form, or well-executed attacks, followed by proper documentation. First come, first served.
*DDOS-ing or other similar attacks on the website will not be rewarded. We’re looking to assess the functionality and security under normal circumstances.
How will the competition start?
The competition will start with an announcement on Twitter, Telegram and Discord inviting everybody to read the documentation for the feature. We will publish the seed phrase of “The Vault” account 3 hours after the initial announcement, simulating a leak.
Before leaking the seed phrase, “The Vault” will be funded with:
- 20 xEGLD;
- 249 wEGLD;
- 20,000,000 MEX;
- 1 EGLDMEXLP (0.5 EGLDMEXLP in wallet and 0.5 EGLDMEXLP staked in the EGLD - MEX farm);
- 1 NFT.
“The Vault”:
- has an active guardian already set;
- starts guarded;
- will send a guarded “SetGuardian” transaction periodically, simulating the cleanup of pending guardians, which one might naturally do to extend one's existing guardian protection, until the funds are sent to a safe "vault".
Of course, on testnet we try to accelerate everything and allow testing multiple scenarios. On mainnet, by contrast, there would be sufficient time for the user either to move their funds to an uncompromised (new) account within the 20 days of the first unauthorized SetGuardian TX, or to clean up the pending guardian and gain another 20 days of protection time from that moment onward.
What is the expected duration for the activation of my guardian?
In the context of this campaign, the testnet has been set up to activate the guardian after a period of 4 epochs (equivalent to 8 hours) following the successful submission of the transaction. However, for the mainnet release, there will be an extended activation period of 20 epochs (equivalent to 20 days).
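A simplified model of the guardian life cycle described in this FAQ, added here as an illustration (it is not MultiversX code): it shows how often the owner must send a guarded SetGuardian to keep a guardian set with only the leaked key from activating. The names GuardedAccount and takeover_epoch, the guardian labels, the immediate effect of a guarded SetGuardian, and the rule that a second unguarded SetGuardian is ignored while one is pending are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TESTNET_DELAY = 4    # epochs until a pending guardian activates (from the page)
MAINNET_DELAY = 20   # epochs planned for mainnet (from the page)


@dataclass
class GuardedAccount:
    active: str                                 # currently active guardian
    delay: int                                  # activation delay in epochs
    pending: Optional[Tuple[str, int]] = None   # (guardian, activation epoch)

    def roll(self, epoch: int) -> None:
        """Promote the pending guardian once its activation epoch is reached."""
        if self.pending and epoch >= self.pending[1]:
            self.active, self.pending = self.pending[0], None

    def set_guardian(self, new: str, epoch: int, cosigner: Optional[str]) -> None:
        self.roll(epoch)
        if cosigner == self.active:
            # Guarded SetGuardian: cancels any pending guardian (per the page).
            # Taking effect immediately is an assumption of this model.
            self.active, self.pending = new, None
        elif self.pending is None:
            # Unguarded SetGuardian: only starts the activation countdown.
            # Ignoring it while one is pending is an assumption of this model.
            self.pending = (new, epoch + self.delay)

    def accepts_transfer(self, epoch: int, cosigner: Optional[str]) -> bool:
        """Owner signature assumed present; the guardian co-signature decides."""
        self.roll(epoch)
        return cosigner == self.active


def takeover_epoch(delay: int, cleanup_every: int, horizon: int) -> Optional[int]:
    """Epoch at which a guardian set with only the leaked key is active, or None."""
    acct = GuardedAccount(active="tcs", delay=delay)   # "tcs"/"other": labels only
    for epoch in range(horizon):
        if epoch and epoch % cleanup_every == 0:
            acct.set_guardian("tcs", epoch, cosigner="tcs")   # owner's cleanup
        acct.set_guardian("other", epoch, cosigner=None)      # leaked key, no guardian
        if acct.accepts_transfer(epoch, cosigner="other"):
            return epoch
    return None
```

In this model the account stays protected only while the cleanup interval is shorter than the activation delay; an interval equal to the delay is already too late.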
How will the competition end?
The competition will conclude after 7 days, at which point the funds will be transferred to another account. If all assets are transferred, the security prize will not be awarded.
Within a maximum of 14 days after the closure of the competition, we will announce the winners in each category. Please note that not all applications will be eligible for a prize.
Where do I find documentation?
The full documentation of the Guardians feature can be found here: https://docs.multiversx.com/developers/guard-accounts