One Shot: Reloaded
First Flight #48
Beginner FriendlyNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable Randomness in Battle Resolution

0xadwa

Description

This vulnerability represents a critical security flaw that completely undermines the game's integrity. The predictable randomness allows attackers to manipulate battle outcomes with 100% success rate, leading to:

Root + Impact

The battle resolution mechanism in rap_battle.move uses timestamp::now_seconds() as a source of randomness, which is highly predictable and manipulatable:

// Line 92 in rap_battle.move
let rnd = timestamp::now_seconds() % (if (total_skill == 0) { 1 } else { total_skill });
let winner = if (rnd < defender_skill) { defender_addr } else { chall_addr };

Risk

  1. Predictable Source: timestamp::now_seconds() returns the current Unix timestamp, which is publicly known

  2. Deterministic Calculation: The modulo operation with total skill points creates a predictable pattern

  3. Timing Control: Attackers can control when transactions are mined to influence outcomes

  4. No Entropy: The system lacks any true randomness source

Impact:

Direct Impact:

  • Battle Outcome Manipulation: Attackers can predict and control who wins battles

  • Economic Exploitation: Predictable outcomes enable profitable betting strategies

  • Game Balance Destruction: The skill-based system becomes meaningless

  • User Trust Loss: Players lose confidence in fair gameplay

Recommended Mitigation

Replace predictable randomness with proper entropy source.

Updates

Lead Judging Commences

bube Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Predictable randomness

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.