Reliance on Insecure Random Numbers
Why is this important?
The ability to generate random numbers is very helpful in all kinds of
applications. One obvious example is gambling DApps, where a pseudo-random
number generator is used to pick the winner. However, creating a strong
enough source of randomness in Ethereum is very challenging. For example,
the use of block.timestamp is insecure, as a miner can choose to provide any
timestamp within a few seconds and still get his block accepted by others.
Other examples of insecure fields are:
- blockhash
- block.difficulty
Secure Random Numbers
Instead of relying on insecure randomness from chain attributes, consider:
- Using commitment schemes, e.g. RANDAO.
- Using external sources of randomness via oracles, e.g. Oraclize.
- Using Bitcoin block hashes, as they are more expensive to mine.
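
A simplified commit-reveal round, illustrating the commitment-scheme option in the list above. This is an added example, not code from this page or from the RANDAO project; the contract name, the 1 ether deposit and the block-count parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example (hypothetical names): each participant commits to a secret,
// then reveals it; the output mixes all secrets, so no block field is used.
contract CommitRevealRandom {
    uint256 public constant DEPOSIT = 1 ether; // forfeited by anyone who never reveals
    uint256 public immutable commitDeadline;   // last block that accepts commits
    uint256 public immutable revealDeadline;   // last block that accepts reveals
    mapping(address => bytes32) public commitments;
    uint256 public committers;
    uint256 public reveals;
    bytes32 private mix; // running hash over every revealed secret

    constructor(uint256 commitBlocks, uint256 revealBlocks) {
        uint256 c = block.number + commitBlocks;
        commitDeadline = c;
        revealDeadline = c + revealBlocks;
    }

    // Phase 1: publish keccak256(sender, secret); the secret itself stays off-chain.
    function commit(bytes32 commitment) external payable {
        require(block.number <= commitDeadline, "commit phase over");
        require(msg.value == DEPOSIT, "wrong deposit");
        require(commitment != bytes32(0), "empty commitment");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
        committers++;
    }

    // Phase 2: open the commitment. Binding it to msg.sender stops a participant
    // from copying someone else's commitment and replaying their reveal.
    function reveal(bytes32 secret) external {
        require(block.number > commitDeadline, "reveal not started");
        require(block.number <= revealDeadline, "reveal phase over");
        bytes32 opening = keccak256(abi.encodePacked(msg.sender, secret));
        require(opening == commitments[msg.sender], "bad opening");
        delete commitments[msg.sender]; // also blocks a second reveal
        reveals++;
        mix = keccak256(abi.encodePacked(mix, secret));
        (bool ok, ) = msg.sender.call{value: DEPOSIT}("");
        require(ok, "refund failed");
    }

    // Valid only when every committer revealed; a withheld reveal voids the round.
    function random() external view returns (uint256) {
        require(block.number > revealDeadline, "round still open");
        require(committers > 0 && reveals == committers, "round void");
        return uint256(mix);
    }
}
```

The last participant to reveal can compute the result before deciding whether to reveal, which is why the round is void unless everyone opens their commitment and why withholding costs the deposit.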