Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Valid

Unsafe randomness in CustomerEngine.trigger_demand

Description

  • CustomerEngine.trigger_demand derives a pseudo-random seed from the current block timestamp and the caller address; the excerpt from the contract appears below.

  • The seed is then used to compute a demand size and an extra-item chance. Because block.timestamp is a miner-influenced field, and msg.sender is known to the caller, this seed is predictable and manipulable.

```vyper
# CustomerEngine::trigger_demand
seed: uint256 = convert(
    keccak256(
        concat(
            convert(block.timestamp, bytes32), convert(msg.sender, bytes32)
        )
    ),
    uint256,
)
```

Risk

Likelihood: Medium

  • Common mistake, easy to exploit when financial incentives exist.

Impact: High

  • Attackers or colluding miners can bias demand size to obtain more items, move funds, or otherwise game economics.

Recommended Mitigation

  • Use a secure on-chain randomness oracle such as Chainlink VRF for any security-critical randomness.

  • Or adopt a commit-reveal scheme: the user commits a hash in one transaction and reveals it in a later transaction; combine the revealed nonce with on-chain entropy (previous blockhash) to derive randomness.
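
A sketch of the commit-reveal option in Vyper, added here as an illustration and not taken from the Company Simulator code base. Every name in it (commit_demand, reveal_demand, REVEAL_DELAY, REVEAL_WINDOW and the two storage maps) is hypothetical. It assumes the entropy block is fixed at commit time, so the caller cannot choose which blockhash is mixed in by timing the reveal.

```vyper
# Added example: commit-reveal seed to replace keccak256(timestamp, sender).
# All identifiers below are hypothetical, not part of CustomerEngine.

REVEAL_DELAY: constant(uint256) = 1     # blocks between commit and the entropy block
REVEAL_WINDOW: constant(uint256) = 256  # blockhash() only covers the last 256 blocks

commitments: public(HashMap[address, bytes32])
commit_block: public(HashMap[address, uint256])  # 0 means "no pending commit"


@external
def commit_demand(commitment: bytes32):
    # commitment = keccak256(concat(nonce, convert(msg.sender, bytes32))),
    # computed off-chain from a secret 32-byte nonce.
    pending: uint256 = self.commit_block[msg.sender]
    assert (
        pending == 0 or block.number > pending + REVEAL_DELAY + REVEAL_WINDOW
    ), "commit pending"
    self.commitments[msg.sender] = commitment
    self.commit_block[msg.sender] = block.number


@external
def reveal_demand(nonce: bytes32) -> uint256:
    start: uint256 = self.commit_block[msg.sender]
    assert start != 0, "no commit"

    # The entropy block was not yet mined when the commitment was made.
    target: uint256 = start + REVEAL_DELAY
    assert block.number > target, "too early"
    assert block.number <= target + REVEAL_WINDOW, "expired"

    expected: bytes32 = keccak256(concat(nonce, convert(msg.sender, bytes32)))
    assert expected == self.commitments[msg.sender], "bad nonce"

    # Clear state before use so one commitment yields exactly one seed.
    self.commitments[msg.sender] = empty(bytes32)
    self.commit_block[msg.sender] = 0

    # Neither party controls both inputs: the nonce was bound before the
    # blockhash existed, and the blockhash is outside the caller's control.
    return convert(keccak256(concat(nonce, blockhash(target))), uint256)
```

A caller who dislikes the resulting seed can still decline to reveal, so a real integration should attach a cost to unrevealed or expired commitments (for example a forfeited deposit). Block proposers also retain some influence over blockhash, which is why the first bullet prefers a VRF oracle for high-value outcomes.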

Updates

Lead Judging Commences

0xshaedyw Lead Judge
about 2 months ago
0xshaedyw Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Medium – Predictable Seed

Demand randomness is grindable via timestamp and sender, enabling biased outcomes and reputation manipulation.
