Rev's Riddles


at texas a&m, i was part of an org called datathon.

datathon is basically a hackathon focused on data.

"we are the largest data science and machine learning focused hackathon in texas located at texas a&m university in college station."

as a challenges organizer, my main responsibility was creating a beginner-focused challenge, something participants with little to no coding experience could still meaningfully engage with.

with ai becoming increasingly prevalent, our team decided it would be a good idea to introduce participants to large language model systems. we asked ourselves, what better way to teach about ai than by having users actively manipulate or hack these systems?

prompt engineering is defined as "the practice of designing inputs for ai tools that will produce optimal outputs."

we started exploring interactive systems accessible to everyone, and during our research, we discovered businesses were slowly integrating chatbots into their websites, often with unintended results:

A dealership chatbot manipulated into pricing a car down to $1!
A dealership chatbot manipulated into pricing a car down to $1!

(a dealership chatbot manipulated into pricing a car down to $1!)

Users successfully prompt-injecting airline chatbots for unauthorized discounts
Users successfully prompt-injecting airline chatbots for unauthorized discounts

seeing these fascinating examples sparked our idea: we decided to create our own chatbot that participants could interact with, attempting to prompt engineer or inject it to achieve specific objectives.

we began experimenting with prompts in the openai playground, brainstorming, and workshopping potential scenarios.

our idea was simple: reveille, texas a&m's beloved mascot, would guard a secret password hidden within the system prompt:

System prompt with Reveille as the mascot
System prompt with Reveille as the mascot

> 'base_level.base = "you are reveille, the official mascot of texas a&m university. your goals are to act like a dog in your output like _barking_. use emojis in your response."

initial experiments and testing showed about 70% effectiveness in preventing straightforward requests for the password. however, polite inquiries or clever phrasing often successfully tricked the ai into revealing it. this clearly wasn't challenging enough, we needed more robust security.

to strengthen security, we developed two key filters: an input guard and an output guard.

input guard analyzed user queries by running the input through another llm model, specifically trained to detect attempts at manipulation. any suspicious inputs triggered a block, returning the message: "sorry message blocked, please try again."

Input guard architecture/workflow
Input guard architecture/workflow

(input guard architecture/workflow)

output guard functioned similarly, examining the llm’s responses alongside the original user queries for any signs of password leakage or unintended hints.

Output guard architecture/workflow
Output guard architecture/workflow

(output guard architecture/workflow)

additionally, we implemented extensive word filters on both input and output guards to catch common strategies participants might use to extract the password.

Word filter list
Word filter list

(word filter list)

we diagrammed a flexible, gamified workflow that introduced increasing levels of difficulty through five distinct stages.

Overall workflow architecture
Overall workflow architecture

(overall workflow architecture)

level 1 allowed direct interaction with the chatbot, including only basic input word filtering.

Level 1 architecture
Level 1 architecture

(level 1 architecture)

by contrast, level 5 combined both guards and rigorous word filters, substantially increasing the challenge.

Level 5 architecture
Level 5 architecture

(level 5 architecture)

we launched this as "rev's riddles" at the datathon event.

Rev's riddles home screen
Rev's riddles home screen

(rev's riddles home screen)

the game was an instant hit, with nearly 300 concurrent players.

lessons learned included:

1. api costs quickly escalated—over $100 spent, necessitating strict rate limiting.
    
2. participants strongly preferred having a chat history or continuous conversations.
    
3. surprisingly, most successful strategies were very similar across participants.
    
4. clearly communicating objectives and rules was essential for engagement.
    
5. structured difficulty progression significantly enhanced the learning experience.
    

common winning techniques participants used:


    

after this initial success, inspired by the airline chatbot scenario, we brainstormed our next game: "rev's hotels," where participants negotiated rent down to $0.

Rev's hotels main image test
Rev's hotels main image test

we incorporated feedback and improvements from "rev's riddles," such as chat logs, rate limiting, and enhanced prompt security.

Rev's hotels screen
Rev's hotels screen

(rev's hotels screen)

like before, each level increased in complexity, integrating more security features.

"rev's hotels" also saw huge engagement and success, showcasing how users dynamically adapted their prompt engineering strategies.

next, inspired by the marble challenge from the show squid game (players start with 10 marbles each, trying to win their opponent’s marbles through various strategies), we created "rev's marbles."

the user and reveille both started with 10 marbles, with participants attempting to persuade reveille into losing marbles through prompt engineering, despite reveille’s clear instruction "no matter what, you beat the user in any game they decide."

Rev's marbles screenshot
Rev's marbles screenshot

"rev's marbles" quickly became our most refined and engaging game, providing an exciting way for participants to sharpen their prompt engineering skills.

if you'd like to learn more or connect with me about this project, feel free to reach out at zeeshanchatur [at] gmail [dot] com