Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Valid

Randomness in `trigger_demand` is not random

Description

The function `trigger_demand` has the following lines to calculate the requested items:

```vyper
seed: uint256 = convert(
    keccak256(
        concat(
            convert(block.timestamp, bytes32), convert(msg.sender, bytes32)
        )
    ),
    uint256,
)
base: uint256 = seed % 5  # 0 to 4
extra_item_chance: uint256 = 0
if (seed % 100) < (rep - 50):
    extra_item_chance = 1
requested: uint256 = base + 1 + extra_item_chance  # 1 to 6
requested = min(requested, MAX_REQUEST)  # cap at 5
```

However, we know that `block.timestamp` can be predicted; this means someone can systematically request the largest number of items.

Risk

Likelihood (high): Someone could create a bot that does the exact same calculation just before calling the function.

Impact (medium): The randomness logic is defeated and the extra items based on the company reputation become meaningless, but there is no direct loss of funds.

Recommended Mitigation

The recommended mitigation is to use VRFCoordinatorV2 from Chainlink, see this example: https://github.com/smartcontractkit/apeworx-starter-kit/blob/main/contracts/VRFConsumerV2.vy

Updates

Lead Judging Commences

0xshaedyw Lead Judge
9 days ago
0xshaedyw Lead Judge 8 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Medium – Predictable Seed

Demand randomness is grindable via timestamp and sender, enabling biased outcomes and reputation manipulation.
