Smart Contract CTF Library

A curated index of Solidity and Web3 security challenges. Filter by level, format, and topic. Start solving faster.

Recommended order

  1. Ethernaut fundamentals
  2. Solidity exploit practice
  3. Damn Vulnerable DeFi
  4. Paradigm-level scenarios

Find the right Web3 CTF

Ethernaut

Beginner, Browser

Small Solidity security levels from OpenZeppelin. Good for learning one exploit idea at a time.

Start: Fallout, Delegation, Reentrancy

Access control, Delegatecall, +3 more

Capture the Ether

Beginner, Browser, Archived but useful

Older, still-useful Ethereum puzzles covering authorization, math, hashes, calls, and Solidity basics.

Start: Token sale, Guess the number, Token whale

Solidity basics, Authorization, +3 more

QuillCTF

Intermediate, Browser

A broad set of smart contract challenges organized around common bug classes and exploit patterns.

Start: The beginner Solidity set

Reentrancy, Access control, +3 more

Secureum RACE

Intermediate, GitHub, Archived but useful

Short Solidity and EVM security quizzes. Useful between hands-on CTF sessions.

Start: RACE 1, then the Solidity security rounds

EVM, Solidity, +3 more

Damn Vulnerable DeFi

Intermediate, Foundry

Modern Damn Vulnerable DeFi challenges using Foundry and protocol-level DeFi scenarios.

Start: Unstoppable, Naive Receiver, Truster

DeFi, ERC standards, +3 more

Paradigm CTF

Advanced, Local repo, Competition archive

Hard smart contract CTF archives with EVM, DeFi, math, and protocol-level puzzles.

Start: Open the 2023 archive and solve a low-point task first

EVM internals, DeFi, +3 more

DeFiHackLabs

Advanced, Foundry

Reproduce real DeFi incidents and compare your exploit against a working proof of concept.

Start: Pick one small incident PoC and replay the test

Exploit PoCs, Flash loans, +3 more

Suggested order

Start here if you do not know which challenge to open first.

01

First solves

  • Small contracts
  • One bug at a time
  • Fast feedback
Ethernaut -> Capture the Ether -> QuillCTF basics
03

Hard mode

  • Multi-step exploits
  • EVM edge cases
  • Real incident replays
Damn Vulnerable DeFi -> Paradigm CTF -> DeFiHackLabs

Smart contract CTF FAQ

What is a smart contract CTF?

A smart contract CTF is a security challenge where you exploit intentionally vulnerable blockchain contracts. These challenges help developers and auditors practice bugs such as reentrancy, access control failures, oracle manipulation, and broken accounting logic.

What are the best smart contract CTFs for beginners?

Ethernaut and Capture the Ether are good beginner-friendly options because they use smaller challenges that introduce common Ethereum and Solidity security concepts before moving into DeFi complexity.

Which smart contract CTF is best for DeFi security?

Damn Vulnerable DeFi is a strong DeFi-focused practice resource. It covers scenarios involving flash loans, lending, governance, oracles, AMMs, and token mechanics.

Are smart contract CTFs enough to become an auditor?

No. CTFs are useful for exploit practice, but real audits also require code review discipline, threat modeling, protocol understanding, invariant thinking, reporting skills, and familiarity with production codebases.

Should I read CTF writeups while solving?

Use writeups after a serious attempt. Reading too early can make the challenge feel clear without building the debugging and reasoning skills needed for real audits.