The rap_battle module derives battle randomness from timestamp::now_seconds(), making it insecure because:
Anyone can see the timestamp off-chain, making it predictable.
Aptos validators can manipulate block timestamps within allowed drift.
This creates an unfair battle system where malicious players consistently win, draining honest players’ Coin<CRED> wagers.
Players can locally pre-compute outcomes and only submit challenges they are sure to win.
Validators can bias outcomes by adjusting timestamps to favor their own Rapper.
An attacker can simulate results locally:
The attacker reads timestamp::now_seconds() off-chain.
They run the same calculation locally to know the winner in advance.
If the outcome is favorable, they submit the battle transaction.
If not, they skip it, so they only play battles they will win.
Replace the timestamp::now_seconds() RNG with a commit–reveal scheme.
This ensures that neither player alone can bias randomness, validators cannot unilaterally change outcomes, and battle fairness is preserved.
Until commit–reveal is implemented, outcomes should be clearly documented as pseudo-random and insecure, so players understand the risk.
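The commit–reveal flow recommended above, modeled off-chain in Python as an added example (it is not the rap_battle module's code and not Move). The names, the 32-byte secret length, the forfeit rule for a withheld reveal and the 0-99 roll are assumptions.

```python
import hashlib
import secrets

SECRET_LEN = 32  # assumed fixed length; keeps the hash inputs unambiguous

def make_commitment(player, secret):
    # Binding the player's address stops an opponent from replaying a copied commitment.
    return hashlib.sha3_256(player.encode() + secret).digest()

class Battle:
    """Off-chain model of one commit-reveal battle (hypothetical names, not the module's API)."""

    def __init__(self, challenger, defender):
        self.players = (challenger, defender)
        self.commits, self.reveals = {}, {}  # player -> hash, player -> secret

    def commit(self, player, commitment):
        if player not in self.players or player in self.commits:
            raise ValueError("unknown player or duplicate commit")
        self.commits[player] = commitment

    def reveal(self, player, secret):
        # Phase order matters: no secret may become public until both hashes are locked in.
        if len(self.commits) != 2:
            raise ValueError("both players must commit before any reveal")
        if len(secret) != SECRET_LEN or make_commitment(player, secret) != self.commits.get(player):
            raise ValueError("reveal does not match commitment")
        self.reveals[player] = secret

    def seed(self):
        if len(self.reveals) != 2:
            raise ValueError("seed is undefined until both secrets are revealed")
        data = b"".join(self.reveals[p] for p in self.players)
        return int.from_bytes(hashlib.sha3_256(data).digest(), "big")

    def forfeit_winner(self):
        # After the reveal deadline, a withheld reveal forfeits; otherwise the last revealer can abort losses.
        if len(self.commits) == 2 and len(self.reveals) == 1:
            return next(iter(self.reveals))
        return None

def play_constructed_battle():
    a, b = secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN)
    battle = Battle("0xA11CE", "0xB0B")  # constructed sample addresses
    battle.commit("0xA11CE", make_commitment("0xA11CE", a))
    battle.commit("0xB0B", make_commitment("0xB0B", b))
    battle.reveal("0xA11CE", a)
    battle.reveal("0xB0B", b)
    return battle.seed() % 100  # assumed 0-99 roll; the page does not give the battle formula
```

The seed depends on both secrets and on no block timestamp, so it cannot be computed before the second commitment is on record.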