The dangers of using blockhash and block timestamp for randomness in Ethereum contracts (2024)

blockhash and block.timestamp are two properties of Ethereum blocks that contract developers often use to generate random numbers. There are several reasons why they should be avoided for this purpose.

First, the blockhash a contract can read (that of the previous block) is determined by that block's transactions and state roots. It is therefore not truly random: it is derived from information that is already public by the time the contract runs.

Similarly, the block timestamp is set by the block's miner and is not guaranteed to be accurate. Miners can manipulate the timestamp to their advantage, which leads to potential security vulnerabilities.

Additionally, both blockhash and block.timestamp are deterministic: they always produce the same output for the same input, and every transaction in a block sees the same values. This makes it easy for an attacker to predict a "random number" derived from them and exploit any logic in your contract that depends on it.

Here is an example:

pragma solidity ^0.8.0;

contract GuessRandomNo {
    constructor() payable {}

    function guessNo(uint _guess) public {
        // Both inputs are public, and every transaction in this block sees the same values,
        // so "answer" is fully predictable by anyone calling in the same block.
        uint answer = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));

        if (_guess == answer) {
            (bool sent, ) = msg.sender.call{value: 1 ether}("");
            require(sent, "Failed to send ether");
        }
    }
}

The above vulnerability can easily be exploited:

contract Attack {
    // Accept the ether that GuessRandomNo sends to msg.sender on a correct guess.
    receive() external payable {}

    function attack(GuessRandomNo guessRandomNo) public {
        // This call runs in the same block as guessNo, so blockhash(block.number - 1)
        // and block.timestamp are identical and the "random" answer can be recomputed.
        uint answer = uint(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));
        guessRandomNo.guessNo(answer);
    }

    function getBalance() public view returns (uint) {
        return address(this).balance;
    }
}

Since both calls execute in the same block, block.number and therefore blockhash(block.number - 1) are the same, and block.timestamp is the same as well. The attacker can therefore compute the "random" number exactly and extract the ether from the contract.

In summary, be cautious about using blockhash and block.timestamp to generate random numbers in your contracts. Instead, consider using an oracle such as Chainlink VRF.
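The mitigation the text points to is an oracle such as Chainlink VRF. An alternative that needs no external service is a commit-reveal scheme, in which each party binds itself to a secret (by publishing its hash) before it can see the other party's secret, so the outcome never depends on blockhash or block.timestamp. The contract below is an added example written for this page; it is not code from the original article or from any project. The contract name, the two-party house/player design, the 1 ether stake, the 50-block reveal window and the rule that a party who refuses to reveal forfeits the pot are all my assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Single-round commit-reveal coin flip between a house and one player (added example).
/// The outcome is derived only from two secrets that were each committed as a hash
/// before either side could see the other's secret. No block field is used, so the
/// result cannot be recomputed inside the block the way GuessRandomNo's answer can.
contract CommitRevealGuess {
    uint256 public constant STAKE = 1 ether;
    uint256 public constant REVEAL_WINDOW = 50; // measured in blocks, not in block.timestamp

    address public immutable house;
    bytes32 public immutable houseCommit; // keccak256(abi.encodePacked(houseSecret, house))

    address public player;
    bytes32 public playerCommit;         // keccak256(abi.encodePacked(playerSecret, player))
    bytes32 private houseSecret;
    bytes32 private playerSecret;
    bool public houseRevealed;
    bool public playerRevealed;
    bool public settled;
    uint256 public revealDeadline;       // last block number in which reveal() is accepted

    event Settled(address indexed winner, uint256 pot);

    /// The house deploys with its stake and its commitment; the secret stays off-chain.
    constructor(bytes32 _houseCommit) payable {
        require(msg.value == STAKE, "house must stake");
        house = msg.sender;
        houseCommit = _houseCommit;
    }

    /// The player joins with the same stake and its own commitment, which opens the reveal window.
    function commit(bytes32 _playerCommit) external payable {
        require(player == address(0), "game already has a player");
        require(msg.sender != house, "house cannot play against itself");
        require(msg.value == STAKE, "player must stake");
        player = msg.sender;
        playerCommit = _playerCommit;
        revealDeadline = block.number + REVEAL_WINDOW;
    }

    /// Each party reveals its secret. Binding the sender address into the commitment
    /// stops one party from simply copying the other party's commitment.
    function reveal(bytes32 secret) external {
        require(player != address(0), "no player yet");
        require(!settled, "already settled");
        require(block.number <= revealDeadline, "reveal window closed");
        bytes32 h = keccak256(abi.encodePacked(secret, msg.sender));
        if (msg.sender == house) {
            require(!houseRevealed && h == houseCommit, "bad house reveal");
            houseSecret = secret;
            houseRevealed = true;
        } else if (msg.sender == player) {
            require(!playerRevealed && h == playerCommit, "bad player reveal");
            playerSecret = secret;
            playerRevealed = true;
        } else {
            revert("not a party to this game");
        }
        if (houseRevealed && playerRevealed) {
            // Both inputs were fixed before either was known, so neither party could bias r.
            uint256 r = uint256(keccak256(abi.encodePacked(houseSecret, playerSecret)));
            _payout(r % 2 == 0 ? house : player);
        }
    }

    /// Whoever reveals second learns the outcome first and might refuse to reveal a losing
    /// secret. After the window closes, the party that did reveal can claim the whole pot;
    /// if nobody revealed, both stakes are returned.
    function claimTimeout() external {
        require(player != address(0), "no game in progress");
        require(!settled, "already settled");
        require(block.number > revealDeadline, "reveal window still open");
        if (houseRevealed) {
            _payout(house);
        } else if (playerRevealed) {
            _payout(player);
        } else {
            settled = true;
            (bool okHouse, ) = house.call{value: STAKE}("");
            (bool okPlayer, ) = player.call{value: STAKE}("");
            require(okHouse && okPlayer, "refund failed");
        }
    }

    function _payout(address winner) internal {
        settled = true; // state is updated before the external call
        uint256 pot = address(this).balance;
        emit Settled(winner, pot);
        (bool ok, ) = winner.call{value: pot}("");
        require(ok, "payout failed");
    }
}
```

Off-chain, each party picks a fresh 32-byte secret and computes its commitment as keccak256(abi.encodePacked(secret, ownAddress)) before calling the contract. The contract is deliberately single-round: once a secret has been revealed it is public, so reusing the same commitment in a second round would let the other side pick a winning secret.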

FAQs

Is it safe to use a block timestamp?

Attackers can manipulate block timestamps to their advantage, enabling them to exploit timing-related vulnerabilities in smart contracts. For example, by altering the timestamp, an attacker can execute a function multiple times within a short period, bypassing restrictions or draining resources.

How accurate is the Ethereum block timestamp?

In theory, the mean accuracy of Ethereum timestamps can vary by up to tens of seconds. In practice, Ethereum block timestamps can be used to backdate transactions.

What is the block hash function in Ethereum?

The most commonly used hash function on Ethereum is Keccak256. However, it's crucial to exercise caution, as some libraries may refer to Keccak256 as SHA-256, which is a distinct hash function. SHA-256 is a variant of SHA-2 (Secure Hash Algorithm 2) with a 256-bit output and is extensively employed by Bitcoin.

What is a block timestamp?

Definition: block.timestamp is a global variable representing the current timestamp of the block being mined. Format: the timestamp is measured in seconds since the Unix epoch (January 1, 1970). Data type: it is of the uint256 data type.

What are the disadvantages of timestamp ordering protocols?

One of the drawbacks is that they may cause unnecessary aborts, which are transactions that are terminated before they complete. This can happen when a transaction accesses a data item that has been read by a later transaction, even if there is no conflict or update.

What is a timestamp vulnerability?

The vulnerability of timestamp disclosure in Unix occurs when an application or web server inadvertently reveals the timestamp of a request or response. This can happen through various means, such as including the timestamp in server logs or error messages.

What is the purpose of a block hash?

In a blockchain, a block hash is a unique identifier for each block, generated by applying a cryptographic hash function to the block's data. It serves as a digital fingerprint, representing the entire block's contents. The block hash ensures the integrity and security of the blockchain by preventing tampering.

What is the block time for Ethereum?

Ethereum Average Block Time is at a current level of 12.06 seconds, unchanged from 12.06 yesterday and down from 12.09 one year ago. This is a change of 0.00% from yesterday and -0.25% from one year ago.

What is a blockhash (on Solana)?

A "blockhash" refers to the last Proof of History (PoH) hash for a "slot". Since Solana uses PoH as a trusted clock, a transaction's recent blockhash can be thought of as a timestamp.

What is the difference between a hash and a timestamp?

The cryptographic hash function is a fundamental component of a timestamping token. It generates a unique and irreversible hash value for the original data. The hash function, such as SHA-256 (Secure Hash Algorithm 256-bit), takes the input data and produces a fixed-size output called the hash digest.

What is the purpose of a timestamp?

A timestamp is a digital record of the date and time when an event occurred, usually represented in a human-readable format. In computing, it is commonly used to track when data was created, modified, or accessed.

Can miners manipulate the block timestamp?

A known risk with block.timestamp is miner manipulation. Miners have some degree of control over the timestamp of a block they are mining. This means that they can manipulate the value of block.timestamp to their advantage.

Why should you stop using block.timestamp as the deadline in swaps?

Since block.timestamp is always relative, using it as a deadline is equivalent to using no deadline at all. A user-defined input is needed to effectively enforce any deadline. Without a deadline, the transaction might be left hanging in the mempool and be executed much later than the user wanted.

Are timestamps reliable?

Timestamps are often found to be dirty in many cases. Without cleaning up inaccurate timestamps, time-related applications such as provenance analysis or pattern queries are not reliable. To evaluate the correctness of timestamps, temporal constraints can be applied, declaring distance limits between timestamps.

What is considered a valid block timestamp in Bitcoin?

A timestamp is accepted as valid if it is greater than the median timestamp of the previous 11 blocks, and less than the network-adjusted time + 2 hours. "Network-adjusted time" is the median of the timestamps returned by all nodes connected to you.

Article information

Author: Moshe Kshlerin