Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Valid

Unsafe randomness in CustomerEngine.trigger_demand

Description

  • CustomerEngine.trigger_demand derives a pseudo-random seed using the current block timestamp and the caller address. Example excerpt from the contract:

    # CustomerEngine::trigger_demand
    seed: uint256 = convert(
        keccak256(
            concat(
                convert(block.timestamp, bytes32), convert(msg.sender, bytes32)
            )
        ),
        uint256,
    )

  • The seed is then used to compute a demand size and an extra-item chance. Because block.timestamp is a miner-influenced field and msg.sender is known to (and chosen by) the caller, the seed can be computed before the transaction is sent: it is predictable and manipulable.

Risk

Likelihood: Medium

  • Common mistake, easy to exploit when financial incentives exist.

Impact: High

  • Attackers or colluding miners can bias demand size to obtain more items, move funds, or otherwise game economics.

Recommended Mitigation

  • Use a secure on-chain randomness oracle such as Chainlink VRF for any security-critical randomness.

  • Or adopt a commit-reveal scheme: the user commits a hash in one transaction and reveals the preimage in a later transaction; combine the revealed nonce with on-chain entropy that was not known at commit time (the hash of a block mined after the commit) to derive the randomness.
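As an added illustration of the commit-reveal option (not code from the Company Simulator contracts), a minimal Vyper 0.3.x module that could replace the seed derivation in CustomerEngine.trigger_demand; the function names, the Commit struct and the delay constants are assumptions:

```vyper
# @version ^0.3.7
# Added example: commit-reveal seed derivation. Names and delays are assumptions.

struct Commit:
    commitment: bytes32   # keccak256(nonce || sender), fixed before entropy exists
    block_number: uint256 # block in which the commit was mined

commits: HashMap[address, Commit]

# Entropy comes from the block right after the commit; the reveal must land
# at least one block later so that hash is final, and within 256 blocks so
# blockhash() can still return it.
ENTROPY_DELAY: constant(uint256) = 1
REVEAL_DELAY: constant(uint256) = 2
MAX_DELAY: constant(uint256) = 250

event DemandRolled:
    customer: indexed(address)
    seed: uint256

@external
def commit_demand(commitment: bytes32):
    # Phase 1: the caller binds itself to a secret nonce before any entropy is known.
    assert self.commits[msg.sender].commitment == empty(bytes32), "pending commit"
    self.commits[msg.sender] = Commit({commitment: commitment, block_number: block.number})

@external
def reveal_demand(nonce: bytes32) -> uint256:
    # Phase 2: reveal the nonce and mix it with a block hash that post-dates the commit.
    c: Commit = self.commits[msg.sender]
    assert c.commitment != empty(bytes32), "no commit"
    assert block.number >= c.block_number + REVEAL_DELAY, "too early"
    assert block.number <= c.block_number + MAX_DELAY, "commit expired"
    assert keccak256(concat(nonce, convert(msg.sender, bytes32))) == c.commitment, "bad reveal"
    self.commits[msg.sender] = empty(Commit)
    entropy: bytes32 = blockhash(c.block_number + ENTROPY_DELAY)
    seed: uint256 = convert(keccak256(concat(nonce, entropy)), uint256)
    log DemandRolled(msg.sender, seed)
    return seed
```

A committer who dislikes the outcome can still simply never reveal, so a deployment should pair this with a deposit that is forfeited when the reveal window expires.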

Updates

Lead Judging Commences
0xshaedyw (Lead Judge), 6 days ago

Submission Judgement Published
0xshaedyw (Lead Judge), 5 days ago
Validated
Assigned finding tags:

Medium – Predictable Seed

Demand randomness is grindable via timestamp and sender, enabling biased outcomes and reputation manipulation.
