You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.
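The trust model described above, accepting a peer only if its certificate chains to one fixed anchor, shown as an added example with Go's standard `crypto/x509` package. It is not the Piñata's OCaml code, and the names `Example CA` and `peer`, the helper functions and all keys are constructed stand-ins.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed certificate for cn, signed by parent (nil = self-signed).
func issue(cn string, usage x509.KeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
	}
	issuer, issuerKey := tmpl, any(key)
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// chainsTo runs path validation on peer with anchor as the only trusted root.
func chainsTo(anchor, peer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	anchor := issue("Example CA", x509.KeyUsageCertSign, nil)    // stand-in trust anchor
	lookalike := issue("Example CA", x509.KeyUsageCertSign, nil) // same name, other key
	fmt.Println(chainsTo(anchor.Leaf, issue("peer", x509.KeyUsageDigitalSignature, &anchor).Leaf))    // true
	fmt.Println(chainsTo(anchor.Leaf, issue("peer", x509.KeyUsageDigitalSignature, &lookalike).Leaf)) // false
}
```

The second peer is rejected even though its issuer name matches the anchor, because the signature does not verify under the anchor's public key.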

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on FreeBSD VMM (using Solo5), and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge started in February 2015, and will run until the above address no longer contains the 10 bitcoins it started with, or until we lose interest. Update from March 2018: our donors transferred nearly all the bitcoins to other projects.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. We want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. The address is anything at nqsb dot io.


This is the CA:
