One Shot: Reloaded
First Flight #47
Beginner FriendlyNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable Randomness in Battle Resolution

0xadwa

Description

This vulnerability represents a critical security flaw that completely undermines the game's integrity. The predictable randomness allows attackers to manipulate battle outcomes with 100% success rate, leading to:

Root + Impact

The battle resolution mechanism in rap_battle.move uses timestamp::now_seconds() as a source of randomness, which is highly predictable and manipulatable:

// Line 92 in rap_battle.move
let rnd = timestamp::now_seconds() % (if (total_skill == 0) { 1 } else { total_skill });
let winner = if (rnd < defender_skill) { defender_addr } else { chall_addr };

Risk

  1. Predictable Source: timestamp::now_seconds() returns the current Unix timestamp, which is publicly known

  2. Deterministic Calculation: The modulo operation with total skill points creates a predictable pattern

  3. Timing Control: Attackers can control when transactions are mined to influence outcomes

  4. No Entropy: The system lacks any true randomness source

Impact:

Direct Impact:

  • Battle Outcome Manipulation: Attackers can predict and control who wins battles

  • Economic Exploitation: Predictable outcomes enable profitable betting strategies

  • Game Balance Destruction: The skill-based system becomes meaningless

  • User Trust Loss: Players lose confidence in fair gameplay

Recommended Mitigation

Replace predictable randomness with proper entropy source.

Updates

Lead Judging Commences

bube Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Predictable randomness

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.