Normal behavior: The battle module (rap_battle.move) should determine the winner between two players in an unpredictable and fair way.
Issue: The code uses timestamp::now_seconds() as a randomness source, which is deterministic and predictable. Attackers can time transactions or retry repeatedly until the result favors them.
Likelihood:
Every battle resolution relies on a predictable system value (timestamp::now_seconds()).
Validators and attackers can easily anticipate or influence timestamps, so manipulation can occur consistently during battles.
Impact:
Attackers can systematically bias outcomes and drain the CRED prize pools.
Honest players suffer repeated unfair losses, damaging trust in the protocol.
VulnerableBattle mimics the rap_battle.move logic in Solidity style: its randomness source is block.timestamp.
The attacker repeatedly simulates the outcome by observing block.timestamp % 2.
The attacker waits or re-submits until they get a winning condition → biased outcome.
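The weak draw beside a hardened one, as an added example that is not taken from rap_battle.move or the contest code base. It assumes the module targets the Aptos framework (the one that provides timestamp::now_seconds()) and can use its randomness module; the address battle_addr, the module name, the BattleResolved event and all function names are hypothetical, and the even/odd rule mirrors the % 2 check in the proof of concept.

```move
// Added example; every name below is hypothetical, not the contest's code.
module battle_addr::battle_rng_example {
    use aptos_framework::event;
    use aptos_framework::randomness;
    use aptos_framework::timestamp;

    #[event]
    struct BattleResolved has drop, store {
        defender_won: bool,
    }

    /// Weak pattern from the finding, kept only for contrast: the draw is a
    /// pure function of the block timestamp, which every participant can
    /// read, so the result is known before the transaction is sent.
    fun draw_from_timestamp(): u64 {
        timestamp::now_seconds() % 2
    }

    /// Hardened draw: a uniform value in [0, 2) from on-chain randomness,
    /// which is not derivable from any value visible before execution.
    fun draw_from_randomness(): u64 {
        randomness::u64_range(0, 2)
    }

    /// Same decision rule for both draws: 0 means the defender wins.
    fun defender_wins(draw: u64): bool {
        draw == 0
    }

    /// Private `entry` plus `#[randomness]`: no other module can call this,
    /// inspect the result and abort when it loses, which would bring the
    /// retry-until-win bias back even with a sound randomness source.
    #[randomness]
    entry fun resolve_battle(_caller: &signer) {
        let defender_won = defender_wins(draw_from_randomness());
        // Keep the work after the draw the same on both branches, so that
        // neither outcome can be made to fail by limiting gas.
        event::emit(BattleResolved { defender_won });
    }
}
```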