
Hack Monty - Postmortem

Blog post from Pydantic

Word Count: 1,423
Language: English
Summary

The Hack Monty event was a successful challenge in which participants attempted to exploit the Monty Python sandbox, resulting in nearly 1.5 million POST requests and 65 bounty submissions. The event exposed a critical vulnerability, which Owen Kwan from Veria Labs quickly exploited: he used remote code execution to extract a secret environment variable, earning a $5,000 bounty. Another participant, Stanislav Fort from AISLE, identified a weakness in Monty's virtual filesystem, which was acknowledged with a $300 bounty. The remote code execution vulnerability stemmed from the combination of unsafe Rust code and a flawed garbage collector (GC) implementation. Following these discoveries, the Monty team patched the vulnerabilities, reinforcing Monty's security, and plans to refine the sandbox further before launching Hack Monty 2. The event underscored the importance of scrutinizing unsafe code, while also demonstrating that Monty's design largely withstood extensive testing and attacks.