Company Simulator

First Flight #51
Beginner Friendly, DeFi
Submission Details
Severity: medium
Valid

Weak randomness

Root + Impact

The pseudo-random seed uses keccak256(concat(convert(block.timestamp, bytes32), convert(msg.sender, bytes32))). This is predictable and manipulable by miners (they influence timestamp slightly) and by users (msg.sender is known).

Description

  • Attackers (or miners) can bias requested or extra_item_chance to obtain more items, especially when inventory is low. This can be used to drain inventory or exploit timing.

# Root cause in the codebase; the @> mark highlights the relevant section
@>  seed: uint256 = convert(
        keccak256(
            concat(
                convert(block.timestamp, bytes32), convert(msg.sender, bytes32)
            )
        ),
        uint256,
    )

Risk

Likelihood:

  • A miner can include a transaction at a timestamp that yields a favorable seed or an attacker can try call ordering/back-running to hit a favorable block timestamp.

Proof of Concept

Use a secure randomness source (Chainlink VRF) for important values. If VRF is not available, do not rely on on-chain timestamp randomness for value-sensitive decisions; at minimum, use the blockhash of a previous block (still not secure), combine multiple entropy sources, and limit the impact of randomness on the economic outcome.

Recommended Mitigation

  • Use a secure randomness source (Chainlink VRF) for important values. If VRF is not available, do not rely on on-chain timestamp randomness for value-sensitive decisions; at minimum, use the blockhash of a previous block (still not secure), combine multiple entropy sources, and limit the impact of randomness on the economic outcome.

- remove this code
# Pseudo-random demand calculation
seed: uint256 = convert(
keccak256(
concat(
convert(block.timestamp, bytes32), convert(msg.sender, bytes32)
)
),
uint256,
)
+ add this code
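Review bot: the added side of this change is still the template placeholder "+ add this code", so the diff removes the seed assignment without showing what replaces it, and any code that reads seed afterwards is left without a definition. The added lines should show seed being set from the source the mitigation text names (the Chainlink VRF result), or show the dependent demand calculation being changed so that it no longer needs seed.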
Updates

Lead Judging Commences

0xshaedyw Lead Judge
about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Medium – Predictable Seed

Demand randomness is grindable via timestamp and sender, enabling biased outcomes and reputation manipulation.
