You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.
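The trust decision described above, shown with the OpenSSL command-line tool as an added example (not part of the original page and not Piñata's OCaml code): a certificate is accepted only if its path ends at the one configured anchor. All subject names, file names and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not Piñata's code. Every subject name and file here is constructed.
set -eu

# make_pki DIR: one trust anchor, one peer certificate it signed, and one
# self-signed stranger that copies the peer's subject name.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo anchor" \
    -keyout "$1/anchor.key" -out "$1/anchor.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo peer" \
    -keyout "$1/peer.key" -out "$1/peer.csr" 2>/dev/null
  openssl x509 -req -in "$1/peer.csr" -CA "$1/anchor.pem" -CAkey "$1/anchor.key" \
    -CAcreateserial -days 1 -out "$1/peer.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo peer" \
    -keyout "$1/stranger.key" -out "$1/stranger.pem" 2>/dev/null
}

# path_valid ANCHOR CERT: succeeds only if CERT chains to ANCHOR.
# The two variables point the default trust store at nothing, so ANCHOR is
# the single certificate that can terminate a path.
path_valid() {
  SSL_CERT_FILE=/nonexistent SSL_CERT_DIR=/nonexistent \
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict ANCHOR CERT: print the outcome of path validation as one word.
verdict() {
  if path_valid "$1" "$2"; then echo accepted; else echo rejected; fi
}

demo() {
  d=$(mktemp -d)
  make_pki "$d"
  echo "peer signed by the anchor: $(verdict "$d/anchor.pem" "$d/peer.pem")"
  echo "self-signed stranger:      $(verdict "$d/anchor.pem" "$d/stranger.pem")"
  rm -rf "$d"
}
demo
```

The stranger carries the same subject name as the legitimate peer and is still rejected, because validation follows signatures back to the anchor rather than matching names.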

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on FreeBSD VMM (using Solo5), and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge started in February 2015, and will run until the above address no longer contains the 10 bitcoins it started with, or until we lose interest. In 2018 we will likely reuse most bitcoins for other projects.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. We want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction from that address, the prize has been taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. The address is anything at nqsb dot io.


This is the CA:
