Developers Forum for XinFin XDC Network

Sina Mahmoodi


Security analysis of PREVRANDAO opcode (block.prevrandao)

Summary

Blockchains are deterministic machines, yet many real-world use cases require randomness in their decentralized applications. We would like to warn developers against using block.prevrandao in Solidity as a source of randomness in applications such as lotteries.

This post explains the reasoning behind this warning and presents the results of an analysis of the chain's history that aimed to detect any vulnerable contracts. 11 contracts were found to have invoked this opcode between block 70300000 and block 80300000 (the 10 million most recent blocks). To the authors' relief, none of the detected contracts has funds at stake.

Note on PREVRANDAO

Since block 76321000 the XDC network has had a version of EIP-4399 activated. It adds the PREVRANDAO opcode to the EVM, or rather repurposes the existing DIFFICULTY opcode, which was meaningless under XDC's DPoS consensus algorithm. The new opcode is exposed to developers as block.prevrandao since Solidity v0.8.18.

On XDC, PREVRANDAO essentially returns the keccak256 hash of the current block number. Block numbers always increment, so the value of PREVRANDAO can be precomputed for every future block in advance with a negligible amount of computation.

The authors advise against using block.prevrandao (or block.difficulty) as a source of randomness in applications, especially when funds can be moved on a condition based on the random number, as in lottery applications.

Analysis of existing contracts

The goal here was to analyse the chain thoroughly, find any contracts that might be using this opcode, assess their risk level, and, where necessary, try to contact their maintainers.

A tool was developed (read more) which can crunch through past blocks and transactions and find every invocation of this (or any other) opcode. We ran it over the range of blocks from 70300000 to 80300000 and found the following contracts to be potentially vulnerable:

  1. 0x07bcc79ee3bb77b82cf66ffb48dc8fa19b3bd017
  2. 0x1dba493855dd9ed04be903f3fd30288465bb8301
  3. 0x1eec6f02a5e237184a00adbc7842faabc433944e
  4. 0x28d7c6f15a7151ded8a30913df523652c7f0ece6
  5. 0x60df7c8b3892f5cefd388d156230a40a6f6ea51b
  6. 0x7526b430b9d8a6f75da2d21be07fe1b11635cdde
  7. 0x7bf8b41759737957694b57c8f3939a7abfa12ac5
  8. 0x9bd9d6c5dc73facfe662a8692f03e844f70b4c0d
  9. 0xad749e101f8291418203d5b81eef5f088362e7d5
  10. 0xd1110f51da7cc743acce406889cc1897ea5e3a08
  11. 0xda8474fb954c76bd2cd23d789c3f3b28c832600d
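The tool mentioned above inspects executed transactions. As an added example (not the authors' tool), the following Python performs the complementary check a defender can run on deployed runtime bytecode without a node: a static sweep for the PREVRANDAO opcode, byte 0x44, which is the same byte the old DIFFICULTY opcode used. The sweep walks instruction by instruction so that a 0x44 byte sitting inside PUSH immediate data is not mistaken for an instruction. The contract addresses and bytecode samples are constructed placeholders, not the contracts listed above.

```python
# Added example: static scan of EVM runtime bytecode for the PREVRANDAO opcode.
# Linear sweep that honours PUSH immediates; addresses and code are constructed.

PUSH1, PUSH32 = 0x60, 0x7F
PREVRANDAO = 0x44  # DIFFICULTY before EIP-4399, PREVRANDAO after; same byte value


def find_opcode(code: bytes, target: int = PREVRANDAO) -> list:
    """Offsets of every `target` instruction in `code` (linear sweep)."""
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == target:
            hits.append(pc)
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # skip the 1..32 bytes of immediate data
        pc += 1
    return hits


def scan_contracts(contracts: dict) -> dict:
    """Map address -> offsets for every contract whose code contains PREVRANDAO."""
    flagged = {}
    for addr, code in contracts.items():
        offsets = find_opcode(code)
        if offsets:
            flagged[addr] = offsets
    return flagged


# Constructed bytecode samples under placeholder addresses:
SAMPLES = {
    # PUSH1 10; PREVRANDAO; MOD -> the "block.prevrandao % 10" pattern, a real use
    "0xplaceholder-lottery": bytes.fromhex("600a4406"),
    # PUSH2 0x4444; PUSH1 0; SSTORE -> 0x44 appears only as immediate data
    "0xplaceholder-benign": bytes.fromhex("614444600055"),
}

if __name__ == "__main__":
    for addr, offsets in scan_contracts(SAMPLES).items():
        print(f"{addr}: PREVRANDAO at offsets {offsets}")
    # A plain byte search would also flag the benign contract twice:
    print({a: c.count(b"\x44") for a, c in SAMPLES.items()})
```

A static sweep has a known weakness that the trace-based approach the post used does not: Solidity appends a CBOR metadata blob after the runtime code, and a 0x44 byte inside it (or inside any other data region, such as an embedded constructor argument) is reported as a hit. Treat flagged offsets as candidates to confirm against a transaction trace or the verified source, not as findings on their own.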

After assessing that no funds are at risk, we decided to publish this post for the community's benefit. If you have any questions about this, please reach out.
