The Hackathon
For those unfamiliar, we run a hackathon at nearly every Bitcoin++ conference. This time around (Exploits Edition) we split things into two tracks: our classic hackathon track where teams build projects (with bonus points for anything security or exploit themed), and a brand new bug bounty track where the objective was simple: find real bugs in real, open-source Bitcoin software.
We were nervous about this one. We had no idea if people would actually find meaningful bugs in 22 hours. By the end of the hackathon, 10 real, meaningful bugs were found in open-source Bitcoin projects. Ten. In a single day.
22 hours, ~60 participants, 21 projects submitted, 10 meaningful bugs found.
Projects
There were many impressive projects, but here are a few standouts:
MineExploit won first overall. Think Metasploit, but purpose-built for Bitcoin mining tooling. The team didn’t just demo it either. They ran it against several codebases and turned up three bugs in real StratumV2 repos.
LocalProbe won second place. The project demonstrated how Firefox can be used to fingerprint open ports on a machine. 0xB10C showed that simply navigating to a malicious website could allow an attacker to spam a Bitcoin node by firing HTTP requests at its open ports. On stage, he had the audience DDoS his node, evicting other peers. Nasty stuff, and exactly the kind of research this hackathon was designed to surface.
Another team used fuzzing techniques to go after Alpen Labs’ codebase and found a critical vulnerability that a professional security auditor had missed just three weeks earlier. Read that again. A team at a 22-hour hackathon, fuzzing on the fly, caught something that a paid audit didn’t. That alone should make you think about how much untapped value there is in getting more eyes on Bitcoin infrastructure.
Check out all the projects here.
Conclusion
Here’s the thing we keep coming back to: this hackathon produced tangible, lasting improvements to Bitcoin’s security infrastructure in under 24 hours. Critical bugs found, new offensive security tooling built, and novel attack vectors documented. If you’re an organization that funds Bitcoin development through grants, we’d encourage you to look at what a single hackathon can produce and compare that to what a typical grant cycle yields. The return on investment here is hard to ignore.
We’re already thinking about how to level up the bug bounty format for next time: giving participants more time to study target projects ahead of the event, working more closely with specific projects to provide better scoping, and generally adding more structure to make the bounty track even more productive. If the first attempt is any indication, this format has serious legs.


