You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.
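As an added illustration (not Piñata's OCaml code, and not part of the original page), the sketch below uses Go's standard `crypto/x509` to run path validation against a single trust anchor and shows why a peer without the anchor's key cannot pass. The names `issue`, `validate`, "Demo Anchor" and "peer" are hypothetical, and all keys and certificates are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ident struct { cert *x509.Certificate; key *ecdsa.PrivateKey } // constructed demo identity

// issue makes a certificate for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, parent *ident) *ident {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	signer, signKey := tpl, key
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &ident{cert, key}
}

// validate runs path validation on peer with anchor as the only trusted root.
func validate(anchor, peer *ident) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor.cert)
	_, err := peer.cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	// The impostor copies the anchor's subject name but has a different key.
	anchor, impostor := issue("Demo Anchor", nil), issue("Demo Anchor", nil)
	fmt.Println("issued by anchor:  ", validate(anchor, issue("peer", anchor)))
	fmt.Println("issued by impostor:", validate(anchor, issue("peer", impostor)))
	fmt.Println("self-signed peer:  ", validate(anchor, issue("peer", nil)))
}
```

Only the first case returns a nil error: matching the anchor's name is not enough, because the chain must end in a signature made with the anchor's private key.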

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on FreeBSD VMM (using Solo5), and is using native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge started in February 2015, and will run until the above address no longer contains the 10 bitcoins it started with, or until we lose interest. Update from March 2018: our donors transferred nearly all the bitcoins to other projects.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. We want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. Address is anything at nqsb dot io.


This is the CA:
