The vulnerability stems from using `timestamp::now_microseconds()` as the source of randomness. This approach is fundamentally flawed because:
- Timestamps are predictable and can be anticipated by attackers.
- Miners/validators can influence or control block timestamps.
- The same timestamp will always produce the same "random" value.
Likelihood: High
Impact:
- Users can potentially manipulate the system to receive maximum airdrop amounts (500 APT instead of random 100-500 APT)
- Fairness Impact: Undermines the fairness of the airdrop distribution mechanism
- Compromises the integrity of the entire airdrop system
An attacker could:
- Monitor blockchain timestamps
- Time their transaction submission to coincide with favorable timestamp values
- Potentially receive maximum airdrop amounts consistently
Use Aptos' built-in randomness API which provides cryptographically secure, unpredictable randomness:
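Added example, not the report author's or the project's code: a minimal Move module that puts the timestamp-derived amount described above beside the same draw made with `aptos_framework::randomness`. The module name, the `example_addr` named address, the constants, the event and the owner check are assumptions; `register_pizza_lover` is the function name used on this page, with an assumed signature.

```move
// Added illustration. `example_addr` is an assumed named address (set it in Move.toml).
module example_addr::pizza_drop_example {
    use std::signer;
    use aptos_framework::event;
    use aptos_framework::randomness;
    use aptos_framework::timestamp;

    // Assumed bounds, taken from the 100-500 range in the report (unit left abstract).
    const MIN_AMOUNT: u64 = 100;
    const MAX_AMOUNT: u64 = 500;
    const E_NOT_OWNER: u64 = 1;

    #[event]
    struct SliceAssigned has drop, store {
        user: address,
        amount: u64,
    }

    // Before: the amount is a pure function of block time, so every caller
    // that lands on the same timestamp gets the same "random" value.
    public fun legacy_amount_from_timestamp(): u64 {
        MIN_AMOUNT + timestamp::now_microseconds() % (MAX_AMOUNT - MIN_AMOUNT + 1)
    }

    // After: the amount comes from the on-chain randomness API.
    // The function carries #[randomness] and is a private `entry fun`, so other
    // modules cannot call it, read the outcome and abort on an unwanted draw.
    #[randomness]
    entry fun register_pizza_lover(owner: &signer, user: address) {
        // Only the owner may register a user (assumed to be the publisher here).
        assert!(signer::address_of(owner) == @example_addr, E_NOT_OWNER);

        // u64_range takes an inclusive lower and an exclusive upper bound,
        // hence MAX_AMOUNT + 1 to make 500 reachable.
        let amount = randomness::u64_range(MIN_AMOUNT, MAX_AMOUNT + 1);

        event::emit(SliceAssigned { user, amount });
    }
}
```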
The `get_random_slice` function should only be called by the owner via the `register_pizza_lover` function. Also, the `owner` is trusted and will not choose a specific time for a new user to register. Therefore, I disagree with the claim of most reports in this group that an attacker can manipulate the random number of pizza slices. But I agree with the root cause of the reports in this group, that the random distribution is not completely random.