Battle winners are determined using timestamp::now_seconds() % total_skill as a pseudo-random value. Timestamps are predictable and advance in seconds, while total_skill is small (typically 100-150), creating a limited, manipulable range. Aptos validators and users can influence transaction timing, allowing outcome prediction or biasing.
Likelihood:
Likelihood is medium: it requires timing manipulation (e.g., retrying transactions), which is feasible for motivated attackers with off-chain simulation tools.
Impact:
Players can predict or manipulate battle results, leading to unfair wins/losses. High-stakes battles could be exploited for CRED gains or win farming.
This undermines the game's integrity, as skill-based probabilities are not enforced reliably, potentially causing economic imbalances or user frustration.
Users can query the current timestamp via the Aptos API and simulate rnd = now_seconds % (defender_skill + challenger_skill).
They can then submit the challenge transaction (or use bots) when rnd favors the desired winner.
Replace timestamp RNG with Aptos' secure randomness API (e.g., integrate aptos_framework::randomness or drand-based solutions).
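Use a larger entropy source if needed, like combining timestamp with transaction hash or block data. These inputs are still visible to, or influenced by, the submitter and validators, so this only widens the range; the randomness API remains the primary fix.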
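The first recommendation as an added example (not the audited project's code), with the timestamp draw kept beside its replacement. The named address `example_addr`, the `Fighter` resource, the function names and the rule that the defender wins when rnd < defender_skill are assumptions, since the finding does not show the contract source.

```move
module example_addr::battle_example {
    use std::signer;
    use aptos_framework::randomness;
    use aptos_framework::timestamp;

    const E_ZERO_TOTAL_SKILL: u64 = 1;

    /// Hypothetical per-account fighter record (not from the audited code).
    struct Fighter has key { skill: u64, wins: u64 }

    /// Before: the pattern described in the finding. The result is a pure
    /// function of the block timestamp, so anyone can compute it in advance.
    /// Kept only for comparison; nothing calls it.
    fun draw_from_timestamp(total_skill: u64): u64 {
        timestamp::now_seconds() % total_skill
    }

    /// After: uniform draw in [0, total_skill) from Aptos on-chain randomness.
    fun draw_from_randomness(total_skill: u64): u64 {
        assert!(total_skill > 0, E_ZERO_TOTAL_SKILL);
        randomness::u64_range(0, total_skill)
    }

    /// `#[randomness]` is required on the entry point that consumes randomness.
    /// The function is a private `entry fun` on purpose: a public function
    /// could be wrapped by another module that aborts on an unfavorable draw.
    #[randomness]
    entry fun challenge(challenger: &signer, defender: address) acquires Fighter {
        let challenger_addr = signer::address_of(challenger);
        let defender_skill = borrow_global<Fighter>(defender).skill;
        let challenger_skill = borrow_global<Fighter>(challenger_addr).skill;

        let rnd = draw_from_randomness(defender_skill + challenger_skill);

        // Assumed rule: the defender wins when rnd < defender_skill, giving a
        // win probability of defender_skill / total_skill.
        let winner = if (rnd < defender_skill) defender else challenger_addr;

        // Both outcomes run the same update, so gas use does not depend on
        // the draw and cannot be used to abort only the losing branch.
        let fighter = borrow_global_mut<Fighter>(winner);
        fighter.wins = fighter.wins + 1;
    }
}
```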