The dangers of using blockhash and block timestamp for randomness in Ethereum contracts (2024)

blockhash and block.timestamp are two properties of blocks in the Ethereum blockchain that contract developers often use to generate random numbers. However, there are several reasons why these methods should be avoided for this purpose.

First, the blockhash of a block is determined by the transactions and state roots of the previous block. This means that it is not truly random, as it is based on known information when the block is mined.

Similarly, the block timestamp is set by the block's miner and is not guaranteed to be accurate. Miners can manipulate the timestamp to their advantage, leading to potential security vulnerabilities.

Additionally, both blockhash and block timestamp are deterministic, which means that they will always produce the same output given the same input. This makes it easy for attackers to predict the output of these functions and exploit any vulnerabilities that may exist in your contract.

Here is an example:

contract GuessRandomNo {
 contructor() payable {}
 function guessNo(uint _guess) public {
 uint anser = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));
 }
 if (_guess == answer){
 (bool sent, ) = msg.sender.call{value: 1 ether}("");
 require(sent, "Failed to send ether");
 }
}

The above vulnerability can easily be exploited:

contract Attack {
 receive() external payable {}
 function attact(GuessTheRandomNumber guessTheRandomNumber) public {
 uint answer = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));
 guessRandomNo.guessNo(answer);
 }
 function getBalance() public view returns(uint) {
 return address(this).balance;
 }
}

Since both the transaction will be in the same block, the blocknumber and therefore blockhash will be same, and block.timestamp will also be the same, and therefore, attacker can easily find the random number and extract the ethers out of the contract.

In summary, it is important to be cautious when using blockhash and block.timestamp for generating random numbers in your contracts. Instead, consider using Oracles like chainlink VRF.

The dangers of using blockhash and block timestamp for randomness in Ethereum contracts (2024)

FAQs

The dangers of using blockhash and block timestamp for randomness in Ethereum contracts? ›

Additionally, both blockhash and block timestamp are deterministic, which means that they will always produce the same output given the same input. This makes it easy for attackers to predict the output of these functions and exploit any vulnerabilities that may exist in your contract.

Read On
Is it safe to use a block timestamp? ›

Attackers can manipulate block timestamps to their advantage, enabling them to exploit timing-related vulnerabilities in smart contracts. For example, by altering the timestamp, an attacker can execute a function multiple times within a short period, bypassing restrictions or draining resources.

Discover More Details
How accurate is Ethereum block timestamp? ›

In theory, the mean accuracy of Ethereum timestamps can vary in up to tens of seconds. In practice, Ethereum block timestamps can allow to backdate transactions.

Continue Reading
What is the block hash function in Ethereum? ›

The most commonly used hash function on Ethereum is Keccak256. However, it's crucial to exercise caution, as some libraries may refer to Keccak256 as SHA-256, which is a distinct hash function. SHA-256 is a variant of SHA-2 (Secure Hash Algorithm 2) with a 256-bit output and is extensively employed by Bitcoin.

See Details
What is a block timestamp? ›

Definition: block. timestamp is a global variable representing the current timestamp of the block being mined. Format: The timestamp is measured in seconds since the Unix epoch (January 1, 1970). Data Type: It is of the uint256 data type.

Find Out More
What are the disadvantages of timestamp ordering protocol? ›

2 Drawbacks of timestamp ordering protocols

One of the drawbacks is that they may cause unnecessary aborts, which are transactions that are terminated before they complete. This can happen when a transaction accesses a data item that has been read by a later transaction, even if there is no conflict or update.

Tell Me More
What is timestamp vulnerability? ›

The vulnerability of timestamp disclosure in Unix occurs when an application or web server inadvertently reveals the timestamp of a request or response. This can happen through various means, such as including the timestamp in server logs or error messages.

Show Me More
What is the purpose of a block hash? ›

In blockchain, a block hash is a unique identifier for each block, generated by applying a cryptographic hash function to the block's data. It serves as a digital fingerprint, representing the entire block's contents. The block hash ensures the integrity and security of the blockchain by preventing tampering.

Explore More
What is the block time for Ethereum? ›

Ethereum Average Block Time is at a current level of 12.06, unchanged from 12.06 yesterday and down from 12.09 one year ago. This is a change of 0.00% from yesterday and -0.25% from one year ago.

Continue Reading
What is a Blockhash? ›

A “blockhash” refers to the last Proof of History (PoH) hash for a “slot” (description below). Since Solana uses PoH as a trusted clock, a transaction's recent blockhash can be thought of as a timestamp.

Show Me More

What is the difference between hash and timestamp? ›

The cryptographic hash function is a fundamental component of a Timestamping token. It generates a unique and irreversible hash value for the original data. The hash function, such as SHA-256 (Secure Hash Algorithm 256-bit), takes the input data and produces a fixed-size output called the hash digest.

Read The Full Story
What is the purpose of a timestamp? ›

A timestamp is a digital record of the date and time when an event occurred, usually represented in a human-readable format. In computing, it is commonly used to track when data was created, modified, or accessed.

See Details
Can miners manipulate block timestamp? ›

timestamp is miner manipulation. Miners have some degree of control over the timestamp of a block they are mining. This means that they can manipulate the value of block. timestamp to their advantage.

Get More Info Here
Why should you stop using block timestamp as deadline in swaps? ›

Since block. timestamp is always relative, using it in any way is equivalent to using no deadline at all. Needs to use a user defined input to effectively enforce any deadline. Without a deadline, the transaction might be left hanging in the mempool and be executed way later than the user wanted.

Continue Reading
Can miners manipulate block timestamps? ›

timestamp is miner manipulation. Miners have some degree of control over the timestamp of a block they are mining. This means that they can manipulate the value of block. timestamp to their advantage.

View More
Are timestamps reliable? ›

Timestamps are often found to be dirty in many cases. Without cleaning up inaccurate timestamps, time-related applications such as provenance analysis or pattern queries are not reliable. To evaluate the correctness of timestamps, temporal constraints can be applied, declaring distance limits between timestamps.

View Details
What is considered a valid block timestamp in Bitcoin? ›

A timestamp is accepted as valid if it is greater than the median timestamp of previous 11 blocks, and less than the network-adjusted time + 2 hours. "Network-adjusted time" is the median of the timestamps returned by all nodes connected to you.

See More
Top Articles
NFTs
Could the human mind ever run out of memory?
Barstool Sports Gif
Overton Funeral Home Waterloo Iowa
Ups Stores Near
Metra Union Pacific West Schedule
Evil Dead Rise Showtimes Near Massena Movieplex
Professor Qwertyson
Miles City Montana Craigslist
Bloxburg Image Ids
More Apt To Complain Crossword
Theycallmemissblue
Wgu Admissions Login
4156303136
24 Hour Walmart Detroit Mi
Wilmot Science Training Program for Deaf High School Students Expands Across the U.S.
Iu Spring Break 2024
Equibase | International Results
VERHUURD: Barentszstraat 12 in 'S-Gravenhage 2518 XG: Woonhuis.
Eine Band wie ein Baum
Aldi Bruce B Downs
Woodmont Place At Palmer Resident Portal
Marion City Wide Garage Sale 2023
Craigslist Apartments Baltimore
Thick Ebony Trans
Gotcha Rva 2022
When Does Subway Open And Close
4 Methods to Fix “Vortex Mods Cannot Be Deployed” Issue - MiniTool Partition Wizard
Nk 1399
208000 Yen To Usd
Yayo - RimWorld Wiki
Big Boobs Indian Photos
Craigslist Gigs Norfolk
UPS Drop Off Location Finder
Plato's Closet Mansfield Ohio
Wow Quest Encroaching Heat
Steven Batash Md Pc Photos
دانلود سریال خاندان اژدها دیجی موویز
Planet Fitness Lebanon Nh
Bernie Platt, former Cherry Hill mayor and funeral home magnate, has died at 90
Fifty Shades Of Gray 123Movies
PruittHealth hiring Certified Nursing Assistant - Third Shift in Augusta, GA | LinkedIn
SF bay area cars & trucks "chevrolet 50" - craigslist
Letter of Credit: What It Is, Examples, and How One Is Used
What Is A K 56 Pink Pill?
Big Reactors Best Coolant
Willkommen an der Uni Würzburg | WueStart
Cvs Coit And Alpha
Take Me To The Closest Ups
Mlb Hitting Streak Record Holder Crossword Clue
Minecraft Enchantment Calculator - calculattor.com
Latest Posts
Beware of Scams: 5 Ways to Tell if an Immigration Agency is Fake or Real
Breaking Down the Order of Financial Statements
Article information

Author: Moshe Kshlerin

Last Updated:

Views: 6460

Rating: 4.7 / 5 (77 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Moshe Kshlerin

Birthday: 1994-01-25

Address: Suite 609 315 Lupita Unions, Ronnieburgh, MI 62697

Phone: +2424755286529

Job: District Education Designer

Hobby: Yoga, Gunsmithing, Singing, 3D printing, Nordic skating, Soapmaking, Juggling

Introduction: My name is Moshe Kshlerin, I am a gleaming, attractive, outstanding, pleasant, delightful, outstanding, famous person who loves writing and wants to share my knowledge and understanding with you.