Company Simulator

First Flight #51

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Predictable Demand Randomness

Author Revealed upon completion

Root + Impact

Description

CustomerEngine.trigger_demand chooses demand size using only block.timestamp and msg.sender. Both are attacker controlled: callers can schedule submissions to favorable timestamps or spam transactions in a single block; miners can skew timestamps within consensus limits.

seed: uint256 = convert(

keccak256(

concat(

convert(block.timestamp, bytes32),

convert(msg.sender, bytes32),

)

uint256,

)

requested: uint256 = min((seed % 5) + 1 + extra_item_chance, MAX_REQUEST)

Risk

Likelihood: Any motivated caller or searcher can manipulate timestamps or addresses; the exploit requires no privileges.

Impact:

Users bias the pseudo-random draw toward higher-requested quantities, skewing revenues and reputation adjustments.
MEV actors can place their transactions in favorable positions, undermining fairness.
Griefers can force repetitive minimum-size orders to reduce operational efficiency.

Proof of Concept

Submit multiple transactions in the same block with different addresses, each trying to push for requested == MAX_REQUEST.
Retain only the transaction that yields the desired value, letting the rest revert or drop.
Alternatively, mine (or collaborate with a miner) to nudge block.timestamp forward or backward, altering seed.

Illustrative Python snippet:

for nonce in range(10):

tx = engine.trigger_demand.transact({'from': account[nonce], 'value': price})

receipt = wait(tx)

if decode_requested(receipt.logs) == engine.MAX_REQUEST():

break

Recommended Mitigation

Replace the ad hoc seed with an oracle-backed randomness source (e.g., Chainlink VRF) or commit–reveal mechanism.
At minimum, include on-chain entropy that attackers cannot fully control, such as future block hashes or aggregated historical values.
Document the predictability so integrators can price the bias appropriately if stronger randomness is out of scope.

Rewards breakdown

nSLOC

265

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.