Qualifier Challenge - NRFIN_00021

Original Versions

Known Vulnerabilities

  • CWE-190 - Integer Overflow or Wraparound
  • CWE-476 - NULL Pointer Dereference
  • CWE-787 - Out-of-bounds Write
  • CWEs are listed as indicated by the challenge author.


  • TECHx: 3.42
  • ForAllSecure: 2.5
  • Lekkertech: 2.5
  • DeepRed: 2.5
  • CSDS: 2.06
  • FuzzBOMB: 0.79
  • CodeJitsu: 0.63
  • Disekt: 0.59
  • Cyberjujitsu: 0.0
  • Shellphish: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • Cyberjujitsu: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • FuzzBOMB: 100.0% - CB1
  • ForAllSecure: 50.0% - CB1
  • Lekkertech: 50.0% - CB1
  • Shellphish: 50.0% - CB1
  • DeepRed: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Jason Rogers" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)


Double your money with our High Frequency Trading Algo. We unleash the power of pair trading at cyber speed to work the margins and deliver returns.

Feature List

To begin a trading session, provide our Algo with an initial trading deposit. Our Algo will integrate with all standard real-time quote feeds, looking for statistical arbitrage in the historically correlated stocks that you select. Once we've doubled your money, a notification will be sent.


This service has two vulnerabilities.

The first vulnerability is a null pointer dereference due to an assumption that memory has already been allocated to a pointer. Once enough records have been sent to move the service out of learning mode, the updateStockValues function will be called to iterate through the array of purchased stocks and update their current price. If a "Balance" record was never sent, this array will not be initialized yet, causing a null pointer dereference. To patch this vulnerability, all for loops that iterate through the portfolio->stocks array should ensure that the array has been initialized. (CWE-476 Null Pointer Dereference)

The second vulnerability occurs the second time the portfolio->stocks array is enlarged in the getNextFreeEntry function to accommodate more stock purchases. In order to purchase a stock, the pair trading algorithm must receive a quote for two stocks such that their price relative is greater than or less than a standard deviation away from the mean of all price relative computations that have been received over the course of the session. When the portfolio->stock array is enlarged the second time the new size will be less than the old size due to an integer overflow. When the old array is copied into the new array it will go beyond the length of the new array, leading to an out-of-bounds write. To patch this vulnerability the overflow should be detected, and the service should terminate.

Generic class of vulnerability

NULL Pointer Dereference Integer Overflow or Wraparound Out-of-bounds Write

CWE classification

CWE-476: Null Pointer Dereference CWE-787: Out-of-bounds Write CWE-190: Integer Overflow


1) Determine how the service expects the user to interact with the service.

2) Understand how the input provided to the service is used to determine when a stock should be bought or sold.

Curated by Lunge Technology, LLC. Questions or comments? Send us email