Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Reputation System Can Be Manipulated by Customer Engine

Root + Impact

Description

  • Normal behavior:

    Reputation should reflect genuine company performance, rewarding successful sales and penalizing failures.

  • Specific issue:
    sell_to_customer() relies entirely on CUSTOMER_ENGINE to trigger sales. A malicious or compromised engine can repeatedly:

    • Trigger “successful” sales to inflate reputation, or

    • Trigger failed sales to degrade reputation of competitors.

    This allows artificial inflation or deflation of reputation, which may influence investor confidence, share price perception, or in-game mechanics.

# Root cause in the codebase, with @> marks highlighting the relevant lines
@external
def sell_to_customer(requested: uint256):
@>  assert msg.sender == self.CUSTOMER_ENGINE, "Not the customer engine!!!"
    ...
@>  if self.inventory >= requested:
@>      self.reputation = min(self.reputation + REPUTATION_REWARD, 100)
@>  else:
@>      self.reputation = min(max(self.reputation - REPUTATION_PENALTY, 0), 100)

Risk

Likelihood:

High — Any attacker controlling a malicious engine can repeatedly call sell_to_customer().

Impact:

Medium — Reputation no longer reliably represents performance. Can mislead investors or game logic, potentially enabling economic abuse.

Proof of Concept

Explanation:

The engine calls sell_to_customer() repeatedly, pushing the company's reputation upward (or downward when inventory is insufficient) without any real performance validation, since the function trusts the engine completely.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface ICompany {
    function sell_to_customer(uint256 requested) external;
}

// Models a malicious or compromised customer engine. The calls only succeed when
// this contract's address is the company's CUSTOMER_ENGINE, because
// sell_to_customer() asserts msg.sender against that address.
contract FakeEngine {
    ICompany target;

    constructor(address _target) { target = ICompany(_target); }

    function manipulateReputation(uint256 n) external {
        for (uint256 i = 0; i < n; i++) {
            // Each accepted call moves reputation by REPUTATION_REWARD (inventory
            // sufficient) or REPUTATION_PENALTY (inventory insufficient).
            target.sell_to_customer(1);
        }
    }
}

Recommended Mitigation

Explanation:

Adding a per-engine cooldown or rate limit prevents repeated abuse in short periods, ensuring reputation changes reflect more realistic interactions.
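The following added Python model (not the project's Vyper code) keeps the engine check and layers a per-caller cooldown under it, then measures how far the cooldown actually limits the behavior described above; REPUTATION_REWARD, REPUTATION_PENALTY and the starting reputation are assumed values the page does not state.

```python
# Added Python model of the page's sell_to_customer() reputation update; it is not
# the project's Vyper code. REPUTATION_REWARD, REPUTATION_PENALTY and the starting
# reputation of 50 are assumptions; COOLDOWN is the 60 s window from the mitigation.
REPUTATION_REWARD = 5     # assumed
REPUTATION_PENALTY = 10   # assumed
COOLDOWN = 60             # seconds

class Company:
    def __init__(self, customer_engine: str, inventory: int, reputation: int = 50):
        self.CUSTOMER_ENGINE = customer_engine
        self.inventory = inventory
        self.reputation = reputation
        self.last_customer_call: dict[str, int] = {}  # caller -> last accepted timestamp

    def sell_to_customer(self, sender: str, requested: int, now: int,
                         cooldown: bool = True) -> int:
        # The original authorization check stays; the rate limit sits under it.
        assert sender == self.CUSTOMER_ENGINE, "Not the customer engine!!!"
        if cooldown:
            last = self.last_customer_call.get(sender)
            assert last is None or now >= last + COOLDOWN, "Too frequent calls"
            self.last_customer_call[sender] = now
        # Reputation branches exactly as shown in the report; inventory bookkeeping
        # is elided on the page, so it is not modeled here.
        if self.inventory >= requested:
            self.reputation = min(self.reputation + REPUTATION_REWARD, 100)
        else:
            self.reputation = min(max(self.reputation - REPUTATION_PENALTY, 0), 100)
        return self.reputation

def is_rejected(company: Company, sender: str, now: int) -> bool:
    """True if the call reverts (modeled as AssertionError), False if accepted."""
    try:
        company.sell_to_customer(sender, 1, now)
        return False
    except AssertionError:
        return True

def calls_to_saturate(cooldown: bool) -> tuple[int, int]:
    """Engine calls, and seconds elapsed, until reputation reaches 100.
    Shows the cooldown only stretches the manipulation over time."""
    c = Company("engine", inventory=10**9)
    n, t = 0, 0
    while c.reputation < 100:
        c.sell_to_customer("engine", 1, t, cooldown=cooldown)
        n += 1
        if c.reputation < 100 and cooldown:
            t += COOLDOWN
    return n, t
```

With these constants the engine saturates reputation in 10 calls either way; the cooldown turns an instant change into one spread over 540 seconds, which is why it should be paired with a check on the sale itself rather than used alone.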

- remove this code
+ add this code
@@
- assert msg.sender == self.CUSTOMER_ENGINE, "Not the customer engine!!!"
+ # Add rate limiting per block or per time window
+ last_call: uint256 = self.last_customer_call[msg.sender]
+ assert block.timestamp >= last_call + 60, "Too frequent calls"
+ self.last_customer_call[msg.sender] = block.timestamp
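Review bot: the `-` line drops `assert msg.sender == self.CUSTOMER_ENGINE`, so after this change any address can call sell_to_customer() and the per-sender cooldown becomes the only gate, which widens the issue rather than fixing it; keep the assert and place the three `+` lines after it. `self.last_customer_call` is also read and written without being declared, so the contract needs a storage mapping for it (for example `last_customer_call: HashMap[address, uint256]`). Finally, a 60-second window only bounds the rate of change; a compromised engine can still walk reputation to the cap over time, so the cooldown should complement, not replace, validation of the sale itself.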
Updates

Lead Judging Commences

0xshaedyw (Lead Judge)
5 days ago

0xshaedyw (Lead Judge)
3 days ago
Submission Judgement Published
Invalidated
Reason: Out of scope
