Normal behavior: The battle module (rap_battle.move) should determine the winner between two players in an unpredictable and fair way.
Issue: The code uses timestamp::now_seconds() as a randomness source, which is deterministic and predictable. Attackers can time transactions or repeatedly attempt until the result favors them.
Likelihood:
Every battle resolution relies on a predictable system value (timestamp::now_seconds()).
Validators and attackers can easily anticipate or influence timestamps, so manipulation can occur consistently during battles.
Impact:
Attackers can systematically bias outcomes and drain the CRED prize pools.
Honest players suffer repeated unfair losses, damaging trust in the protocol.
VulnerableBattle mimics the rap_battle.move logic, but in Solidity style: randomness is block.timestamp.
Attacker repeatedly simulates the outcome by observing block.timestamp % 2.
The attacker waits or re-submits until they get a winning condition → biased outcome.
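The timestamp-based pattern described above next to a hardened form, as an added example that is not the project's own code. It assumes an Aptos Move target with the aptos_framework::randomness API available; the module name example_addr::battle_outcome, the BattleResolved event, the function names and the `% 2` coin flip (taken from the proof-of-concept description) are hypothetical.

```move
module example_addr::battle_outcome {
    use std::signer;
    use aptos_framework::event;
    use aptos_framework::randomness;
    use aptos_framework::timestamp;

    #[event]
    struct BattleResolved has drop, store {
        defender: address,
        challenger: address,
        winner: address,
    }

    /// Weak pattern from the finding, kept only for comparison and never called.
    /// The result is a pure function of the block timestamp, a public value
    /// that is known or controllable before the transaction executes.
    fun pick_winner_weak(defender: address, challenger: address): address {
        if (timestamp::now_seconds() % 2 == 0) defender else challenger
    }

    /// Hardened form: the coin flip comes from the chain's randomness API,
    /// which is not derivable from public state before execution.
    fun pick_winner(defender: address, challenger: address): address {
        if (randomness::u64_range(0, 2) == 0) defender else challenger
    }

    /// Private entry function (not `public`) carrying `#[randomness]`, so no
    /// other module can wrap the call and abort when the outcome is unfavorable.
    /// Keep gas use the same on both outcome branches so that running out of
    /// gas cannot be used to discard one of the two results.
    #[randomness]
    entry fun resolve_battle(challenger: &signer, defender: address) {
        let challenger_addr = signer::address_of(challenger);
        let winner = pick_winner(defender, challenger_addr);
        // Prize payout is outside this example; it must use `winner` as
        // decided here, inside the same transaction.
        event::emit(BattleResolved { defender, challenger: challenger_addr, winner });
    }
}
```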