Submission Details
Impact:
Likelihood:
Weak RNG — Predictable Battle Outcomes
Author Revealed upon completion
Root + Impact
Description
-
Expected behavior: Battle outcomes should depend on fair, unpredictable randomness.
-
Issue: Randomness is derived from
timestamp::now_seconds(), which is predictable and can be influenced by validators or timed transactions.
// rap_battle.move
let t = timestamp::now_seconds(); // @> Weak RNG
let roll = (t + stats_mix) % 100;
Risk
Likelihood:
-
Happens in every battle since outcomes always use
now_seconds(). -
Attackers can spam or time transactions to bias results.
Impact:
-
Predictable or manipulated battle results.
-
Economic losses and fairness concerns
Proof of Concept
// Repeated battle calls with small timing changes
// show deterministic correlation between block timestamp and battle outcome.
Recommended Mitigation
- let t = timestamp::now_seconds();
- let roll = (t + stats_mix) % 100;
+ // Replace with commit–reveal or Aptos randomness source.
+ // Example (pseudo):
+ // let roll = hash(player_seed, opponent_seed, txn_hash) % 100;
Rewards breakdown
nSLOC
436This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.