Security Wargame - Parathreat

Parity Security is pleased to introduce Parathreat, a security wargame designed to enhance the safety of the Polkadot SDK ecosystem by allowing participants to identify and fix security vulnerabilities in parachains, pallets, and nodes within Polkadot SDK. By playing Parathreat, you’ll get a better understanding of how the Common Security Risks can affect your project, while improving your skills in application security and programming.

Parathreat has two parts: Red Team and Blue Team.

  1. In the first week part, you’ll play in Red Team mode; as an attacker; where your job is to find and use weaknesses in the system. This helps you learn how attackers think and what you need to watch out for. Starting from the second week, the game can be played in Blue Team mode.
  2. In this second week part, are going to be uploaded all the ways the targets can be attacked. Using this, you can see if you thought of the same attacks during the 1st week, and focus is on fixing/preventing those problems. This helps you learn how to defend the system against real threats.

Parity Security encourages everyone interested in making their Polkadot SDK systems stronger and safer to try Parathreat. It’s a great way to test your skills and learn new ones, whether you have basic knowledge with the Substrate framework or already have some experience. To start, clone the repository, read carefully the mission’s instructions and get ready to craft your exploits!

Don’t hesitate to reach us and provide feedback.


That looks interesting. One suggestion, the provided e2e tests is more of integration test rather e2e test.

Ensure you’re running the exploit tests in --release mode (to simulate a closer scenario to reality)

I am not sure why release mode will make any difference but if you really want a closer scenario, I will suggest use Chopsticks.

Chopsticks is able to launch a chain from a chain spec file and then the integration will be lot closer to reality. For example, you cannot just make root origin call directly.

1 Like

Thanks for the feedback! I agree 100%, an E2E framework will be use in the next mission for sure, working on that. For the current mission, the idea is to have a more simplistic environment focused in pallet application layer.

The compiler adds extra checks when a crate is not built in release mode. Those checks mitigate some of the vulnerabilities (i.e. arithmetic overflows). Therefore, to have a more realistic scenario (still not fully real as you mention), the release mode is necessary.

this will be a better way without giving out too much hint

1 Like