This vulnerability represents a critical security flaw that completely undermines the game's integrity. The predictable randomness allows attackers to manipulate battle outcomes with a 100% success rate, leading to:
The battle resolution mechanism in rap_battle.move uses timestamp::now_seconds() as a source of randomness, which is highly predictable and manipulatable:
Predictable Source: timestamp::now_seconds() returns the current Unix timestamp, which is publicly known
Deterministic Calculation: The modulo operation with total skill points creates a predictable pattern
Timing Control: Attackers can control when transactions are mined to influence outcomes
No Entropy: The system lacks any true randomness source
Impact:
Direct Impact:
Battle Outcome Manipulation: Attackers can predict and control who wins battles
Economic Exploitation: Predictable outcomes enable profitable betting strategies
Game Balance Destruction: The skill-based system becomes meaningless
User Trust Loss: Players lose confidence in fair gameplay
Replace the predictable randomness with a proper entropy source.
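The timestamp-based roll beside a replacement, as an added example that is not code from the audited contract. It assumes the contract runs on Aptos and can use the framework's `aptos_framework::randomness` module; the address `example_addr`, the function names, the `BattleResolved` event and the `roll < defender_skill` win rule are hypothetical.

```move
module example_addr::battle_roll {
    use aptos_framework::event;
    use aptos_framework::randomness;
    use aptos_framework::timestamp;

    /// Both fighters have zero skill, so there is no range to draw from.
    const E_NO_SKILL: u64 = 1;

    #[event]
    struct BattleResolved has drop, store {
        defender_won: bool,
    }

    /// BEFORE (the pattern the finding describes, win rule assumed): the roll is a
    /// pure function of the public block timestamp and the public skill totals,
    /// so every observer can compute the outcome before the transaction executes.
    fun defender_wins_weak(defender_skill: u64, challenger_skill: u64): bool {
        let total = defender_skill + challenger_skill;
        assert!(total > 0, E_NO_SKILL);
        (timestamp::now_seconds() % total) < defender_skill
    }

    /// AFTER: the roll comes from the framework's on-chain randomness and is
    /// drawn uniformly from [0, total), which also avoids hand-written modulo.
    fun defender_wins(defender_skill: u64, challenger_skill: u64): bool {
        let total = defender_skill + challenger_skill;
        assert!(total > 0, E_NO_SKILL);
        randomness::u64_range(0, total) < defender_skill
    }

    /// The entry point must carry #[randomness] and stay private (`entry fun`,
    /// not `public entry fun`), so another module cannot call it, inspect the
    /// result and abort when the outcome is unfavourable.
    /// Skills are taken as arguments only to keep the example short; a real
    /// contract reads them from on-chain state, never from the caller.
    #[randomness]
    entry fun resolve_battle(
        _challenger: &signer,
        defender_skill: u64,
        challenger_skill: u64,
    ) {
        let defender_won = defender_wins(defender_skill, challenger_skill);
        event::emit(BattleResolved { defender_won });
    }
}
```

Keep the work done after the roll the same on both branches, so the gas a transaction needs does not depend on who won.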