Weak Randomness

Weak randomness is predictable or manipulable randomness used for security-critical smart contract decisions.

If attackers can guess or influence the random value, they can choose when to play or how to win.

Weak Randomness Explained in Detail

Weak randomness happens when a contract uses predictable or influenceable data as randomness. Common examples include block timestamp, block number, previous block hash, sender address, or pool state.

On-chain data is visible before execution or can be influenced by block builders, validators, users, or surrounding transactions.

Smart contract example

The result below is predictable and influenceable:

uint256 roll = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;

A player can choose when to call. A validator may also influence the timestamp within protocol limits.

Weak Randomness in Auditing

Weak randomness affects lotteries, NFT mints, games, raffles, validator selection, reward distribution, and liquidation ordering. It often combines with MEV, front-running, or weak commit-reveal design.

Red flags in code

  • Randomness uses block.timestamp, block.number, blockhash, msg.sender, or tx.origin.

  • Users can retry until they get a favorable outcome.

  • Randomness is generated and consumed in the same transaction.

  • Low-entropy salts or predictable seeds.

  • Random result controls value distribution or privileged selection.

How to test or review it

  • Identify who can observe, influence, or delay the entropy source.

  • Test repeated calls, delayed calls, and transaction ordering changes.

  • Check whether users can abort unfavorable outcomes.

  • Prefer verifiable randomness, commit-reveal with penalties, or delayed settlement where appropriate.

  • Review whether oracle manipulation can affect any value used as entropy.
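As an added example that is not part of the original page, the contract below replaces the single-transaction block.timestamp roll shown above with the commit-reveal, delayed-settlement and penalty pattern from the review list; the contract name, REVEAL_BOND, REVEAL_DELAY and REVEAL_WINDOW are this example's own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not from the page): a commit-reveal dice roll with a bond.
// Assumptions: one pending roll per player; REVEAL_BOND is forfeited if the
// player does not reveal inside the window, so aborting a bad roll is costly.
contract CommitRevealRoll {
    uint256 public constant REVEAL_BOND = 0.01 ether;
    uint256 public constant REVEAL_DELAY = 1;    // blocks between commit and earliest reveal
    uint256 public constant REVEAL_WINDOW = 250; // blockhash() only covers the last 256 blocks

    struct Commit { bytes32 hash; uint256 commitBlock; uint256 bond; }
    mapping(address => Commit) public commits;
    event Rolled(address indexed player, uint256 roll);
    event Forfeited(address indexed player, uint256 bond);

    // Step 1: commit keccak256(abi.encodePacked(secret, msg.sender)) and post the bond.
    // Nothing about the outcome is decided yet, so there is nothing to front-run.
    function commitRoll(bytes32 commitment) external payable {
        require(msg.value == REVEAL_BOND, "bond required");
        require(commits[msg.sender].hash == bytes32(0), "pending commit");
        commits[msg.sender] = Commit(commitment, block.number, msg.value);
    }

    // Step 2: reveal once a block *after* the commit exists. The roll mixes the secret
    // with that later block hash, so the player could not pick a favorable secret at
    // commit time and cannot retry a bad roll without losing the bond. Caveat: a block
    // producer keeps limited influence over blockhash; high-value decisions need a VRF.
    function reveal(bytes32 secret) external returns (uint256 roll) {
        Commit memory c = commits[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        require(block.number > c.commitBlock + REVEAL_DELAY, "too early");
        require(block.number <= c.commitBlock + REVEAL_WINDOW, "window closed");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == c.hash, "bad secret");
        bytes32 laterHash = blockhash(c.commitBlock + REVEAL_DELAY);
        roll = uint256(keccak256(abi.encodePacked(secret, laterHash))) % 100;
        delete commits[msg.sender]; // clear state before the external call
        emit Rolled(msg.sender, roll);
        (bool ok, ) = msg.sender.call{value: c.bond}("");
        require(ok, "refund failed");
    }

    // Step 3: anyone may forfeit a lapsed commit; the bond stays in the contract.
    function forfeit(address player) external {
        Commit memory c = commits[player];
        require(c.hash != bytes32(0), "no commit");
        require(block.number > c.commitBlock + REVEAL_WINDOW, "still open");
        delete commits[player];
        emit Forfeited(player, c.bond);
    }
}
```

The reveal window is kept under 256 blocks so that blockhash() of the commit block plus REVEAL_DELAY is still available when the player reveals; outside that range blockhash() returns zero, which would turn the roll into a function of the secret alone.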
