MPC security bug hunt challenge

Note: the challenge is closed


MPC software frameworks, such as FRESCO, play a key role to advance adoption of multi-party computation. To contribute to the necessary security and trust, the SODA project organizes a security bug hunt challenge in collaboration with the FRESCO team. This serves the goal to further mature the framework and use in production environments.


You are invited to participate in our SODA challenge: find software bugs that negatively affect MPC security within the FRESCO framework.

Bugs may be implementation or configuration errors that enable or leverage for example:

  • information leakage
  • corruption of the computation
  • networking- and protocol-related errors
  • timing attacks
  • etc.

In scope is the FRESCO Github master branch. Of particular interest are features recently added to the framework and logical errors in protocol implementations. Demo apps and (unit) tests are excluded from the challenge, but we happily accept regular bug reports for them. The demo apps may provide a good start to become familiar with the framework.

The challenge will be open from 15 February 2019 until 15 September 2019.


Prizes are available to submitters who are first to report a bug in scope of the challenge. The prize consists of a digital gift card (Amazon, etc.) worth EUR 150 (or equivalent). In total 15 prizes are available.

To be eligible email [submission period closed] with your security bug report. Please include relevant details.

Winning submissions will be shared on this website as the challenge progresses. Winners may choose to have their name listed or not. Results may also appear in other SODA project communications.


  • FRESCO maintainers determine if a bug report qualifies for the challenge.
  • Employees of SODA consortium members are excluded from participation.
  • The SODA consortium at its discretion may decide on challenge matters.


No qualifying submissions have been received.

challenge contact: [submission period closed] (not for submissions) – last update: 30 September 2019