Pearl

Reputation: 452

How to discover 'random' numbers in Avalanche blockchain solidity code

I am trying to help someone discover how their code was hacked.

They use a random number generator in the blockchain like this:

uint256 random = uint256(
    keccak256(
        abi.encodePacked(
            block.difficulty,
            block.timestamp,
            msg.sender
        )
    )
) % 100; // modulo 100 yields a value in 0..99

if (random >= 90) {
    //get1;
} else {
    //get2;
}

to get a random number between 1 and 100. Someone was able to 'guess' when to submit a transaction to always get 2. I have been told it may be forking the chain, but I still do not see how. This is on the Avalanche chain, where blocks come at random times, so there are 2 questions:

1: How do you guess the block.timestamp of a future block on Avalanche? I can come very close in attempts (taking the average over the last 10 blocks) to guess what 1 or 2 blocks ahead will be, but only about 70% of the time.

2: More importantly, for this to work, how do you get a transaction through on that specific block? I have tried raising gas, etc., but have been unsuccessful at targeting a block.

I am currently using Python web3 to test (on the main chain, not a fork), but any language (even theory) would be a step in the right direction.

Thanks

Upvotes: 1

Views: 269

Answers (1)

Petr Hejda

Reputation: 43581

These types of attack ("guessing" a specific pseudo-random number) usually come from miners (PoW) and validators (PoS).

When a miner/validator publishes a block, they include an arbitrary block.timestamp value. As long as the timestamp is in an expected range (larger than the last block timestamp, and around the expected new block time), the network accepts it.

They are also able to put an arbitrary transaction (signed by an address they hold the private key to) into the very same block they publish. This transaction doesn't even need to go through the mempool.

Upvotes: 0
