You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on FreeBSD VMM (using Solo5), and is using native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge started in February 2015, and will run until the above address no longer contains the 10 bitcoins it started with, or until we lose interest. Update from March 2018: our donors transferred nearly all the bitcoins to other projects.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. We want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. Address is anything at nqsb dot io.


This is the CA:

-----BEGIN CERTIFICATE-----
MIIE2zCCAsOgAwIBAgIIHPfyRNcB6X0wDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
AwwOQlRDIFBpw7FhdGEgQ0EwHhcNMjAwMjI2MDgxMTU5WhcNMjEwMjI1MDgxMTU5
WjAZMRcwFQYDVQQDDA5CVEMgUGnDsWF0YSBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAKSKYzC0TgrSRDBAY4Tf1oMtglwj/pgbMDnXAGIJs+7+HPsJ
kM1YbT4NfBfyQQsLNorb7F4fyYJ0963U9QsIh0w2+HlFbFeBJdu24z5VWez1YXFI
gUAwhsXnoSNESn2aSPHkZNb1h7CTM6MY4APp9xhKFO+0luUJOfQlxiSetlNwufdN
jd+SxThGeSTZVtXmTZomLhvhuvzhQr2xuX1zAyb+zr0eOmU+7asX/wpBnKpsT5zI
gieKsbUKsF72sy7sDDEc7hEz0nNrtnZKnW1HDZ2RIXA8pV9gaH5MaaXtfEUKJrnK
WSCGtL88Ja4boCM5Nkt6De5qw4Vtmu8NfJHIsn62pagzgwh6otHqlBTz0P6MaGYK
/DDWcacldVaiQHk0TcpsRU2eGC2tsjj1Tbe2W/cLBqMwpM2mZzspmL5JCpNUrjD8
4uL987Rsg5SoV/l1ShJViU3Bb5/3OAwVYfdYUrVOgEKKs7i1JPmKGBEdOiGYcWVV
EymBMP7B/XyvhWT5aicQhHI5l5ksr9z40uADtqSNhYYeiBKsuosGggDhQi3JMUJQ
uquFcLomgT3fzqEj78wUwrbUTv4kpn8rqQV8UE2qeul2EdEIHu2k3tBIaJ9AFk59
ktqaN8GxntbYxEgUK2tqMcFzyGL6UU19N7AO6SNkjFl5SOP8lmphtXus2Nx/AgMB
AAGjJzAlMA8GA1UdDwEB/wQFAwMHBAAwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkq
hkiG9w0BAQsFAAOCAgEAANpY/bk3cKQSPYLw4oucRrLnEJ4SgdvpUW9a7uV1Ks/m
aXaKWt4KJALRA0UlAHYqZLiL9byCvFTuVSAS+aledLnTEazuBIe6Cew+cvoT23vj
Dfsm08pxjiiZ0haKEF0kC3NEs5VrnwUSkffkz04BfKb6L/WhxbXU9CYhtE1U4gC4
wrV4XqKRgIhnin4GeqjblYGOEnf3pxYPeUbeB96Kk0qqp7qm0fiSaemer59al9xs
AsxnTVpheMHYpEBA0D1TtJyzOr0CmEx2d+A4AheuvlFQ70arnQAuLnHaByBF1RqC
wkuehOGnAjaFuNHNTwlM1miZQD+uPb2D6wO/N+FcxWqVMp7TWMHdSz0Y01Cv7x/P
RcSDcOu/8jrgaa21uBwdsBpIsBvaEut48ZBQVOTC+OSeANvx8rez9cAgUIx22Dha
BufL97ofli+SXoqzQE+Ukw6+KzPODp4o49H30fcfaU8Z91f956EGLZG7UmwMUZ87
DZJhZVf30LxA8Z5AkVUInEcLAAiVvAiwvYwHczfsMZjn0u2aDibyHtxHQnAnZhzU
8di5V1qNV1T1OCOlfu4tpOyZJZsuPJYm9SfWefUG0wNma431ZmFh7uMoC+wE84vm
qCF+e/Zo3tpMxGvYp309Z1rt86p9Cm8YAChlWqeFcz1SPt4l1dv7KdOKtfwBlTA=
-----END CERTIFICATE-----