Reliance on Insecure Random Numbers

Why is this important?

Ability to generate random numbers is very helpful in all kinds of applications. One obvious example is gambling DApps, where pseudo-random number generator is used to pick the winner. However, creating a strong enough source of randomness in Ethereum is very challenging. For example, use of block.timestamp is insecure, as a miner can choose to provide any timestamp within a few seconds and still get his block accepted by others. Other examples of insecure fields are:

• blockhash
• block.difficulty

Secure Random Numbers

Instead of relying on insecure randomness from chain attributes, consider:

• Using commitment schemes, e.g. RANDAO.
• Using external sources of randomness via oracles, e.g. Oraclize.
• Using Bitcoin block hashes, as they are more expensive to mine.

More information:

• Smart Contract Weakness Classification (SWC 120)
• Common Weakness Enumeration (CWE-330)
• RanDAO