The range for Web3 security

The range where Web3 auditors are forged.

Train on real exploits. Break realistic systems. Build a reputation that protocols trust — from complete beginner to Principal Researcher.

Isolated sandbox. No real chain. No real funds. No setup required.
Live target state: Healthy
Vault balance: 100.0 ETH
Attacker balance: 0.0 ETH
Users at risk: 25
Intermediate

7 hands-on labs
15 0xPuzzles
$1.3B in real exploits recreated
5-stage audit workflow

The loop

Not capture-the-flag. The actual audit workflow.

Anyone can hide a flag in a contract. 0xRange trains the full loop a working researcher runs — exploit, explain, and write the finding that gets a protocol to pay attention.

01

Break it

Exploit a faithful recreation of a real vulnerability on an isolated testnet. Watch the target’s balance and storage flip live as the attack lands.

02

Understand it

A side-by-side post-mortem puts the vulnerable code next to the patched version, so you see exactly what the one-line fix changes.

03

Write the finding

Turn the exploit into a structured audit report — severity, impact, PoC, remediation. This is the differentiator: real auditor output, not a flag.

the moat
04

Earn your tier

Every solve banks XP up the hex ladder, 0x00 → 0xFF, and lands on a public profile that recruiters and protocols can verify.

The ladder

A career ladder measured in bytes.

Seven tiers from 0x00 to 0xFF. XP from labs, 0xPuzzles and quizzes all climb the same ramp — and from 0x9F Auditor up, you can earn a verifiable certificate.

0x00 · Newcomer · 0 XP
0x1F · Scout · 150 XP
0x3F · Hunter · 500 XP
0x7F · Operator · 1,200 XP
0x9F · Auditor · 2,200 XP · certifiable
0xCF · Senior · 4,000 XP · certifiable
0xFF · Principal · 7,000 XP · certifiable

Incident recreations

Learn from the breaches that actually happened.

Faithful sandboxed reconstructions of landmark exploits. Run the same attack, read the same post-mortem.

Critical · Intermediate

The recursive split

2016 DAO-style recursive withdrawal. An attacker exploited a reentrancy flaw to drain a public investment fund before the balance was zeroed.

Historic impact · 3.6M ETH

Critical · Advanced

The validator majority

Ronin-style validator-key compromise on a cross-chain bridge. Attacker obtained majority validator signatures to authorise fraudulent withdrawals.

Historic impact · $625M

Critical · Expert

The forged signature

Wormhole-style signature-verification bypass on a cross-chain bridge. A missing validation step allowed fabricated guardian signatures to pass.

Historic impact · $326M

Recreations are educational reconstructions on isolated testnets, for responsible learning and disclosure — never to target live systems.

What you get

Everything the range gives you.

Sandboxed testnet

No real chain, no real funds. Break anything, replay as often as you like.

Five-stage labs

Briefing → Code → Exploit → Post-Mortem → Report. The whole workflow, not a flag.

Audit reports

Every solved lab becomes a portfolio-grade finding on your public profile.

0xPuzzles

A zero-Solidity on-ramp — learn to think like an attacker before you read code.

Daily challenge

A fresh puzzle every day, with a streak to keep you sharp.

Quizzes

Themed knowledge checks that teach from every answer, right or wrong.

Leaderboard

XP from everything you do climbs one public ranking of the range.

Built for defence

Learn offence to build defence — ethically, on isolated systems, every time.

Every lab has a walkthrough.

The channel and the range are one classroom. Watch an exploit unfold, then reproduce it yourself. The two reinforce each other.


Step onto the range

Where Web3 auditors are forged.

Start with a puzzle, break your first contract, and write a finding worth showing — all free, all in a sandbox. No setup, no real funds, no risk.