Secure Randomness in Solidity: Beyond Block Variables

TL;DR: Blockchain Randomness in Solidity

Block variables (timestamp, blockhash, prevrandao) are predictable and manipulable never use for anything valuable.
Chainlink VRF is the industry standard for provably fair randomness in production applications.
Commit-reveal schemes offer decentralized randomness but require multiple transactions.
The core challenge: Blockchains are deterministic by design, making true randomness impossible on-chain.

1. Why Randomness is Hard on the Blockchain

Generating secure randomness is one of the most challenging problems in smart contract development. While traditional applications can easily access entropy from system clocks or hardware noise, blockchains are deterministic by design every node must compute identical results to maintain consensus.

This fundamental constraint means any randomness derived from on-chain data is inherently public and predictable. Understanding this limitation is critical for building secure decentralized applications, especially blockchain games, NFT drops, and lottery systems.

The PRNG Problem: Traditional computers use pseudorandom number generators (PRNGs) seeded with high-entropy sources like system clocks or hardware noise. These are node-specific values which are unique to each machine and invisible to the rest of the network. Smart contracts cannot access them without breaking consensus, forcing reliance on public blockchain data.

The Determinism Problem

Ethereum's strength is its predictability: every node executing the same transaction must arrive at identical results. This makes on-chain randomness an oxymoron any "random" value computable by one node can be computed by all nodes, including attackers.

2. Common Pitfalls: Why Block Variables Fail

Developers often turn to seemingly unpredictable block variables for randomness. This is always a mistake.

Block.timestamp and Blockhash

// NEVER DO THIS - Vulnerable to manipulation
function badRandom() public view returns (uint256) {
    return uint256(keccak256(abi.encodePacked(
        blockhash(block.number - 1),
        block.timestamp,
        msg.sender
    )));
}

Why this fails:

Validator Control: Block proposers can manipulate timestamps within bounds and choose which transactions to include.
Predictable Attacks: Any user can compute the same "random" value and only execute transactions with favorable outcomes.
Blockhash Limitations: Only accessible for 256 recent blocks; older queries return zero.
256-Block Exploit: If contract logic can be delayed for >256 blocks, blockhash() returns 0x0, creating an exploitable known value.
Validator Re-rolling: Validators can discard unfavorable blocks and try again if the value at stake exceeds block rewards.

Block.prevrandao (The RANDAO Trap)

After Ethereum's Proof-of-Stake transition, block.difficulty became block.prevrandao. While better than timestamp, it's still not secure for smart contracts.

What is RANDAO? It's a mechanism where validators contribute to a shared random number through cryptographic commitments. However, this doesn't solve the manipulation problem.

// Still vulnerable - Don't use for valuable applications
function stillBad() public view returns (uint256) {
    return uint256(keccak256(abi.encodePacked(block.prevrandao, msg.sender)));
}

Vulnerabilities:

Validator Bias: The proposing validator knows prevrandao in advance and can choose to skip their slot if the outcome is unfavorable (but this comes at a cost: they lose proposer rewards).
Same-Block Predictability: All transactions in a block see the same prevrandao value.

Note: The way to avoid this is using a future randao. Instead of using the current prevrandao, applications should commit to using a future value (e.g., block.prevrandao from a block N slots ahead). This prevents the block proposer from knowing the result when decisions are made.

For a practical implementation, see this SE-2 extension.

3. The Gold Standard: Chainlink VRF

Chainlink Verifiable Random Function (VRF) is the industry-standard solution for secure on-chain randomness. It provides cryptographically provable randomness that cannot be manipulated by validators, oracles, or users.

How Chainlink VRF Works

Request: Your contract requests randomness from the VRF Coordinator
Generation: Chainlink nodes generate random numbers with cryptographic proofs
Verification: The coordinator verifies proofs on-chain before delivery
Callback: Your contract receives verifiably random numbers

Basic Implementation

For a complete Chainlink VRF implementation with detailed setup instructions, deployment scripts, and advanced patterns, see our dedicated guide: Chainlink VRF Implementation: Provably Fair Randomness for Smart Contracts

Key VRF Benefits:

Provably Fair: Cryptographic proofs ensure randomness integrity
Manipulation-Resistant: Neither validators nor oracles can bias results
Production-Ready: Used by major DeFi protocols and gaming platforms

4. Decentralized Alternative: Commit-Reveal Schemes

For applications requiring maximum decentralization, commit-reveal schemes provide secure randomness without external oracles.

How Commit-Reveal Works

Commit Phase: Users submit hashed commitments containing secret values
Waiting Period: Time delay prevents manipulation
Reveal Phase: Users reveal their secrets; contract verifies against commitments
Randomness Generation: Combine revealed values to generate unpredictable outcomes

For a deeper understanding, see our dedicated guide: Commit-Reveal Scheme: Decentralized Randomness without Oracles

Protecting Against Replay Attacks

Commit-reveal schemes must protect against replay attacks, where attackers intercept and reuse valid transactions. The defense is using nonces (numbers used once) - unique, incrementing values that make each signature valid only once.

Commit-Reveal Trade-offs

Pros:

Fully decentralized
No external dependencies
Resistant to manipulation

Cons:

Requires multiple transactions
Vulnerable if users don't reveal
More complex user experience

5. Choosing the Right Solution

Method	Security	Decentralization	UX	Best For
Chainlink VRF	Very High	Medium	Good	Gaming, NFTs, lotteries
Commit-Reveal	High	Very High	Poor	Voting, auctions
Block Variables (block.prevrandao)	Low	High	Good	Simple apps, testing, non-critical randomness

Decision Framework

Use Chainlink VRF when:

Building production applications with real value
User experience is important
You need immediate randomness

Use Commit-Reveal when:

Maximum decentralization is required
Multi-transaction UX is acceptable
Building voting or auction systems

Never use block variables when:

Real value is at stake
Fairness matters to users
Security is a concern

6. Best Practices for Secure Randomness

Security Checklist

Never use block variables for valuable applications
Implement proper access controls on randomness functions
Use sufficient confirmation blocks for VRF requests
Include nonces in commit-reveal to prevent replay attacks
Test randomness implementations thoroughly
Consider economic incentives for manipulation

Common Mistakes to Avoid

Insufficient Randomness Sources: Don't rely on predictable inputs
Race Conditions: Ensure proper ordering of operations
Reentrancy Vulnerabilities: Use appropriate guards
Inadequate Testing: Test with adversarial scenarios

7. Real-World Applications (excerpt)

Gaming and NFTs

Dice Games: Provably fair outcomes using Chainlink VRF
NFT Reveals: Random trait assignment for fair launches
Loot Boxes: Transparent randomness for in-game rewards

DeFi Applications

Liquidation Ordering: Fair liquidation sequences
Validator Selection: Random validator assignment
Sampling: Random selection for audits or governance

8. Testing Your Randomness

Whenever you implement randomness, you must also test it thoroughly. Below is a compact example that checks the distribution of a six-sided dice roll.

// Example test for randomness distribution
contract RandomnessTest {
    mapping(uint256 => uint256) public outcomes;
    uint256 public totalRolls;

    function testDistribution(uint256 randomValue) external {
        uint256 result = randomValue % 6 + 1; // Dice roll 1-6
        outcomes[result]++;
        totalRolls++;
    }

    function getDistribution() external view returns (uint256[6] memory) {
        uint256[6] memory distribution;
        for (uint256 i = 0; i < 6; i++) {
            distribution[i] = outcomes[i + 1];
        }
        return distribution;
    }
}

How it Works

Each call to testDistribution simulates rolling a dice.
The contract reduces any randomValue into a result between 1 and 6.
It increments counters so you can track how many times each outcome appeared.
With getDistribution, you can query the frequency of results.

Running the Test

You can now feed random values into testDistribution:

From fuzz tests (e.g. Foundry/Hardhat).
From a real randomness source (e.g. block.prevrandao or Chainlink VRF).
From mock numbers you generate off-chain.

Over thousands of runs, you’d expect a fair randomness source to show a roughly even distribution across 1–6.

9. Conclusion: Building Trustworthy Applications

Secure randomness is fundamental to fair and trustworthy blockchain applications. While the deterministic nature of blockchains makes this challenging, proven solutions like Chainlink VRF and commit-reveal schemes enable truly random outcomes.

Key Takeaways:

Block variables are never secure for valuable applications
Chainlink VRF provides production-ready, provably fair randomness
Commit-reveal offers decentralized randomness with UX trade-offs
Always consider economic incentives for manipulation
Test thoroughly with adversarial scenarios

Ready to build provably fair applications? Try the Dice Game Challenge!

Want to learn more about blockchain security? Explore Flash Loan Exploits