
Ender [1]
Administrator
2019-04-01 02:29:21
[5 years, 26 days ago]

Thank you to Execute for reporting a subtle loophole that allowed instant battles in certain circumstances. I have given 3 stars as a reward in accordance with the game's responsible disclosure policy. Happy hunting to anyone this motivates. :)

In more detail, the game's default time per attempt is 800 milliseconds. This can become even less with buffs that increase battle speed, such as the Spirit of Wolf line of buffs. Before this update, the calculation of "how long do you have to wait until you battle again?" rounded down as a way to get second-granularity timestamps. This means that, for instance, a 13.2 second battle actually only keeps your bot occupied for 13 seconds. Another example is that a 0.8 second battle keeps your bot occupied for 0 seconds. In other words, sub-second battles are actually registered as being instant by the game, potentially allowing someone to accumulate wins against multiple bots simultaneously and/or in rapid succession.

To fix this, the minimum battle time is now 1 second. The calculation still rounds down, so a 13.2 second battle will keep your bot occupied for only 13 seconds, but a 0.8 second battle will now occupy your bot for 1 second.

FWIW, I'm not aware of this ever having actually been exploited, but I still awarded stars because this is pretty subtle/sneaky and the behavior is definitely unintended. It's probably pretty hard to exploit this in practice because the battle needs to have exactly 1 attempt[*], meaning the exploiting bot needs decent intelligence to be able to regularly hit first. You also still need to actually initiate battles each time which probably wouldn't be that much faster than just waiting the extra second. A script could certainly abuse this for a lot of quick wins though.

[*] Or maybe even 2 or 3 attempts with the Spirit of Wolf III buff? I didn't test this.
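
The rounding behavior described in the announcement above, as an added example that is not part of the original post and not the game's own code. The function names, the busy-until model of the cooldown check, and the request timestamps are assumptions constructed for illustration; only the 800 ms, 0.8 s and 13.2 s figures come from the post.

```python
DEFAULT_ATTEMPT_MS = 800  # default time per attempt, as stated in the post


def occupied_seconds_before(duration_ms):
    """Pre-fix: battle duration rounded down to whole seconds."""
    return duration_ms // 1000


def occupied_seconds_after(duration_ms):
    """Post-fix: still rounds down, but never below 1 second."""
    return max(1, duration_ms // 1000)


def battles_accepted(requests_ms, duration_ms, occupied_fn):
    """Replay battle requests against a second-granularity cooldown.

    Assumed model: the server stores a whole-second 'busy until'
    timestamp per bot and accepts a battle when now >= busy_until.
    """
    busy_until = 0
    accepted = 0
    for t_ms in requests_ms:
        now = t_ms // 1000  # second-granularity clock
        if now >= busy_until:
            accepted += 1
            busy_until = now + occupied_fn(duration_ms)
    return accepted


# Constructed sample: four requests from one bot inside the same second.
SAME_SECOND_REQUESTS = [10_000, 10_100, 10_200, 10_300]

if __name__ == "__main__":
    for name, fn in (("before fix", occupied_seconds_before),
                     ("after fix", occupied_seconds_after)):
        n = battles_accepted(SAME_SECOND_REQUESTS, DEFAULT_ATTEMPT_MS, fn)
        print(f"{name}: 0.8 s battle occupies {fn(800)} s, "
              f"13.2 s battle occupies {fn(13_200)} s, "
              f"{n} of {len(SAME_SECOND_REQUESTS)} same-second requests accepted")
```
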


 
Destruct [32]
2019-04-01 02:37:59
[5 years, 26 days ago]

It was more problematic from my level 80 and 100 dumpers: the low dex and no int made them die in 1 hit a vast majority of the time, allowing for 3 or more bots, depending on speed buffs, to dump simultaneously. The high int value bots I also tested (800ish int) actually made it slightly more difficult because they received first hit most of the time, resulting in more errors. Thanks for fixing this before someone figured out how to actually exploit it.


 
Gpof2 [131]
2019-04-01 23:30:11
[5 years, 25 days ago]

I actually mentioned this a few times in the past if I'm understanding it correctly, but only on IRC I think; never thought to report it as a bug. It's doable to, say, win dump with two bots onto one simultaneously with sub-1-second fights. Esv also described how to use it long ago in this thread.


 
Ender [1]
Administrator
2019-04-02 00:10:41
[5 years, 25 days ago]

Oh boy, that thread was a...fun trip down memory lane. :) I see Esv's comment about this there, looks like I missed it at the time in the rather lengthy discussion before I engaged.

My hope in announcing these kinds of bug bounty awards publicly is to encourage people to contact me directly with this kind of information more regularly, so hopefully that doesn't happen as much in the future. It always amazes me what kind of weird unintended behavior people can turn up inside a nearly 10 year old codebase that supposedly has had most of the surprises flushed out already.


 
Esvrainzas [300]
2019-05-02 18:25:03
[4 years, 360 days ago]

> Esv also described how to use it long ago in this thread.

If I didn't miss anything, I explained why I was getting fights within the same second but against different targets.

However, I knew (and sometimes I've done it) that you could fight the same target with 2 bots by attacking it when 1 sec was left in the other fight, saving 1 sec per fight. However, you need to be highly focused to do that.