Reliance on Insecure Random Numbers

Why is this important?

The ability to generate random numbers is useful in all kinds of applications. One obvious example is gambling DApps, where a pseudo-random number generator is used to pick the winner. However, creating a strong enough source of randomness in Ethereum is very challenging. For example, using block.timestamp is insecure, because a miner can choose to provide any timestamp within a few seconds and still get the block accepted by others. Other examples of insecure fields are:

  • blockhash
  • block.difficulty

Secure Random Numbers

Instead of relying on insecure randomness from chain attributes, consider:

  • Using commitment schemes, e.g. RANDAO.
  • Using external sources of randomness via oracles, e.g. Oraclize.
  • Using Bitcoin block hashes, as they are more expensive to mine.
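To make the commitment-scheme option concrete, here is a minimal commit-reveal contract in the style of RANDAO. It is an added example, not code from the original page or from the RANDAO project; the contract name, function names and the 1 ether deposit are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract CommitRevealRandom { // hypothetical name, illustration only
    uint256 public immutable commitDeadline; // last block of the commit phase
    uint256 public immutable revealDeadline; // last block of the reveal phase
    uint256 public constant DEPOSIT = 1 ether; // assumed size; stays locked if never revealed

    mapping(address => bytes32) public commitments;
    mapping(address => bool) public revealed;
    uint256 public commitCount;
    uint256 public revealCount;
    bytes32 private accumulator; // XOR of all revealed secrets

    constructor(uint256 commitBlocks, uint256 revealBlocks) {
        commitDeadline = block.number + commitBlocks;
        revealDeadline = block.number + commitBlocks + revealBlocks;
    }

    // Phase 1: submit keccak256(abi.encodePacked(msg.sender, secret)); the secret stays off-chain.
    function commit(bytes32 commitment) external payable {
        require(block.number <= commitDeadline, "commit phase over");
        require(msg.value == DEPOSIT, "deposit required");
        require(commitment != bytes32(0), "empty commitment");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
        commitCount++;
    }

    // Phase 2: open the commitment. Binding it to msg.sender means a copied
    // commitment cannot be opened by anyone other than its author.
    function reveal(bytes32 secret) external {
        require(block.number > commitDeadline, "commit phase still open");
        require(block.number <= revealDeadline, "reveal phase over");
        require(!revealed[msg.sender], "already revealed");
        require(keccak256(abi.encodePacked(msg.sender, secret)) == commitments[msg.sender], "bad secret");
        revealed[msg.sender] = true; // state is updated before the transfer
        revealCount++;
        accumulator ^= secret;
        payable(msg.sender).transfer(DEPOSIT);
    }

    // The result is released only when every committer has revealed; otherwise the
    // last participant could bias the outcome by withholding a reveal.
    function random() external view returns (bytes32) {
        require(block.number > revealDeadline, "reveal phase still open");
        require(commitCount > 0 && revealCount == commitCount, "missing reveals");
        return keccak256(abi.encodePacked(accumulator));
    }
}
```

No block attribute feeds the output, so a miner's control over block.timestamp or blockhash does not influence the result; the phase deadlines use block.number only for ordering.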

More information: