Here there are no survivors: the original sin and redemption of blockchain random numbers

Source: Carbon Chain Value (WeChat ID: cc-value). Author: Li paintings. Forwarded with the authorization of the Daily Planet.

"Generating random numbers is not a task that should be left to humans." (Mads Haahr)

There are no true random numbers in the blockchain world, yet random numbers are the soul of blockchain games, at least at the present stage.

So, once first blood had been drawn over pseudo-random numbers, DApps found themselves with no way to arm themselves and survive. Potential attackers, like sharks that smell blood, quickly gathered to besiege this inherent defect.

Luckyos, EOS.WIN, DEOSBET, FairDice, EosRoyale, EOSDice, FFGame... one popular DApp game after another has been attacked and faces a life-or-death crisis because of random number vulnerabilities. "If your random number hasn't been attacked, you're embarrassed to say you built a DApp," as developers put it.

We interviewed Johan, a security researcher at SlowMist who has been following DApp random number vulnerabilities, and consulted a senior DApp development engineer on the code details. Through this article we show the past and present of random numbers, their original sin and their redemption.

Original sin: there are no true random numbers in the computer world

True random numbers exist only in the physical world: a roll of the dice, for example, or the noise of electronic components.

Dice are one of the earliest random number generators. As early as 2600 BC humans were playing games by throwing four-sided dice, and to this day dice remain the most trusted method of generating random numbers.

But dice cannot meet the modern world's demand for random numbers, so in 1955 RAND published "A Million Random Digits with 100,000 Normal Deviates". RAND first generated a large quantity of random numbers with a random pulse generator, then compiled those figures into a book of random digits, free for anyone to use.

This book is an important work in the field of random numbers in the twentieth century; it was the first time in human history that such a large quantity of high-quality random numbers had been produced.

Around the same time, Alan Turing built a random number generation instruction into the Ferranti Mark 1 computer for the first time; it used thermal noise to generate 20 random bits. In 1999 Intel went further and integrated a true random number generator (TRNG) into the i810 chipset, with the random numbers generated from a local thermal noise source.

However, a TRNG can produce only a limited number of random bits per second: generation is slow, and its working frequency limits the software that depends on it. A TRNG is also very sensitive to external interference and needs considerable power to keep the signal source from being contaminated by non-random signals.

Pseudo-random numbers arose to fill this gap. Von Neumann created the first pseudo-random number generator (PRNG): given a certain random number seed, the algorithm deterministically produces the same random number sequence every time. As long as the seed does not change, the pseudo-random sequence will not change.

Since then, guessing the seed has been the conventional way for hackers to crack random numbers, and a good-quality, hard-to-guess seed has proved the hardest thing to overcome. Even so, for the sake of efficiency, computer software has to rely on pseudo-random numbers.

Among current programming languages, C++, R, Python, Ruby and PHP all use the Mersenne Twister as their default pseudo-random number generator. It was invented in 1997 by Makoto Matsumoto and Takuji Nishimura.

The Mersenne Twister takes the system time or a previous state as its seed source and feeds it through a linear feedback shift register whose shift-and-rotate cycle has a period that is a Mersenne prime. The pseudo-random numbers it produces are of good quality and are generated quickly.

The seed of a pseudo-random number generator can also be a true random number: the CPU's TRNG constantly generates random numbers and stores them in an entropy pool; when software needs a random number, it takes a true random number from the entropy pool as the seed input to the PRNG and obtains the pseudo-random sequence from the PRNG.

The blockchain does not support random number generation

Traditional pseudo-random number generation algorithms depend more or less on the physical state or running state of a single machine: different machines, or different nodes, get different results. That is not workable on a blockchain. A blockchain is a distributed system, and it requires that every node's computation result can be verified and agreed upon by consensus.

Blockchains therefore need a random number scheme designed from scratch, so that a smart contract running on different nodes can use the same number.

There are three kinds of solution. The first is for a trusted third party to supply random numbers to the contract; the second is to implement a pseudo-random number generator as a contract that provides consistent random numbers to other contracts; the third is for the contract on every node to collect the same seed and compute the same sequence of random numbers with a pseudo-random algorithm.

The biggest defect of the first way is the introduction of a third party. Whether the third party is trustworthy, and whether it can offer high-quality random numbers, are both open questions. In addition, the blockchain is wary of centralization, and a third party is to some extent a center, which does not fit some DApp developers' philosophy.

On Ethereum, Oraclize is a third-party node that provides random numbers off-chain. Oraclize is an oracle independent of the blockchain system: a smart contract sends a request to Oraclize, and when Oraclize hears the relevant request on the chain, it generates a random number and returns it to the blockchain.

The second method is the most consistent with the blockchain spirit: a pseudo-random number generator in which different participants generate the random numbers. But it involves the design of an incentive mechanism and the problem of controlling cheating.

RANDAO uses this approach. It packages the pseudo-random number generation algorithm and the corresponding business logic in a smart contract to provide random numbers as a service for Ethereum, and anyone can take part in producing RANDAO's random numbers.

In each random number generation cycle, every participant is required to submit a number, and the collection of all participants' numbers is used as the seed to generate the pseudo-random number. Because no one knows the seeds others will provide, a result produced this way is hard to crack. A smart contract can request a random number from RANDAO, but must pay a bonus to the participants who generated it.
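The commit-reveal round described above, as an added example in Python (this is not RANDAO's own code; the class, the method names and the participant secrets are constructed for illustration). Each participant first publishes a hash of a secret number, then reveals the secret; the seed is the hash of all revealed secrets in a fixed order, so every node derives the same value and nobody can choose their number after seeing the others'.

```python
import hashlib

# A commit-reveal seed round in the style the RANDAO section describes.
# Added example, not RANDAO's own code: the class, method names and the
# constructed participant secrets are assumptions made for illustration.


def commit(secret: bytes) -> str:
    """Commitment published in phase 1: SHA-256 of the participant's secret."""
    return hashlib.sha256(secret).hexdigest()


class CommitRevealRound:
    """Phase 1 collects commitments, phase 2 collects the secrets behind them,
    and the seed is derived only once every committed secret has been revealed."""

    def __init__(self):
        self.commits = {}   # participant -> commitment
        self.reveals = {}   # participant -> secret

    def submit_commit(self, who: str, commitment: str) -> None:
        if who in self.commits:
            raise ValueError(f"{who} already committed")
        self.commits[who] = commitment

    def submit_reveal(self, who: str, secret: bytes) -> None:
        if who not in self.commits:
            raise ValueError(f"{who} never committed")
        # A reveal that does not hash to the commitment is rejected: a participant
        # cannot change their number after seeing what the others submitted.
        if commit(secret) != self.commits[who]:
            raise ValueError(f"reveal from {who} does not match commitment")
        self.reveals[who] = secret

    def seed(self) -> bytes:
        missing = sorted(set(self.commits) - set(self.reveals))
        if missing:
            raise RuntimeError(f"round incomplete, unrevealed: {missing}")
        h = hashlib.sha256()
        for who in sorted(self.reveals):   # fixed order so every node derives the same seed
            h.update(self.reveals[who])
        return h.digest()


def draw(seed: bytes, sides: int = 100) -> int:
    """Map the seed to a dice result in [1, sides]."""
    return int.from_bytes(seed, "big") % sides + 1


def run_round(secrets: dict) -> bytes:
    """Run both phases for a participant -> secret mapping and return the seed."""
    rnd = CommitRevealRound()
    for who, s in secrets.items():
        rnd.submit_commit(who, commit(s))
    for who, s in secrets.items():
        rnd.submit_reveal(who, s)
    return rnd.seed()


# Constructed secrets for three participants; in practice each would be fresh random bytes.
SAMPLE_SECRETS = {"alice": b"alice-secret-1", "bob": b"bob-secret-2", "carol": b"carol-secret-3"}

if __name__ == "__main__":
    seed = run_round(SAMPLE_SECRETS)
    print("seed:", seed.hex(), "draw:", draw(seed))
```

The check in `seed()` matters for the cheating problem the text mentions: the last participant to reveal already knows everyone else's secret and could withhold their own if the outcome displeases them, so a round with an unrevealed commitment must not produce a seed, and RANDAO backs this with deposits that a non-revealing participant forfeits.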

In the third way, the random number is not introduced from outside the contract; instead, on-chain block information serves as the seed, and the smart contract generates pseudo-random numbers from that seed. The biggest problem with this approach is that once a hacker knows the random number generation algorithm, he can also obtain the correct seed and easily launch a random number attack on the smart contract.

Unlike the private seed of a traditional pseudo-random number generation algorithm, a seed on the chain is almost "transparent": it is on-chain block information, which the smart contract on every node can read, so in principle a malicious contract used for a hacker attack can also obtain these values.

However, because mature random number providers are lacking, and because of the wariness of centralized random number sources, computing random numbers on-chain inside an autonomous smart contract is still the preferred method of EOS DApps, and this is why those DApps are in a hacker crisis.

Attack: one foot in the door

FFGAME may be the unluckiest DApp in history: the game was attacked before it had even formally launched. Hackers quickly cracked the random number, then kept winning the game and easily took away the 1332 EOS of initial assets the FFGAME platform had put into the game. FFGAME was not ready to meet the enemy, and the gate was lost.

In the DApp battle, attackers usually have two ways of using the random number to steal assets.

The first method is to obtain the correct random number seed, compute the game result with the pseudo-random algorithm, then bet according to that result, guaranteeing a 100 per cent win.

The second method is to know the pseudo-random algorithm and the seed source, and to change the value of the seed so that the algorithm computes a game outcome matching the attacker's bet, again ensuring a 100 per cent win.

EOSDice was first broken with the first method; it then modified its pseudo-random number algorithm, and hackers used the second method to break the DApp again. Commendably, EOSDice remained an open-source EOS game even after being broken twice.

The first attack on EOSDice occurred on the morning of November 4th at 3:15. The attacker was jk2uslllkjfd; about 2500 EOS were stolen and transferred to Huobi.

The seed of EOSDice's pseudo-random number generation algorithm was made up of tapos_block_prefix, tapos_block_num, name, game_id, current_time and pool_ol_eos.amount. The last four of these (account name, game ID, lottery time and contract balance) are relatively easy to obtain, so the security of the random number rests mainly on the first two, the reference block information.

In EOSDice's real-time lottery mechanism, the action's reference block is "the block on which the current action executes by default"; that block already exists, so its information can be obtained in advance. The hacker can therefore compute the result from the seed beforehand, then bet.

After the attack, EOSDice changed the real-time lottery to an asynchronously delayed lottery and relaunched. But the second attack came soon after: on November 10th at 11:19 in the morning, an attacker using the account named coinbasewa11 stole about 4900 EOS and transferred it to Bitfinex.

In the asynchronously delayed lottery mechanism, the reference block changes: the action's reference block is a block that has not yet been generated when the bet is placed, so its information is hard to obtain in advance and the game result cannot be computed beforehand.

But the hackers devised a new method. First, an attack contract simulates the EOSDice game contract; as long as the two contracts run in the same block, they obtain the same seed and compute the same result. Then, because EOSDice's pseudo-random seed algorithm includes the account balance, the hacker can modify the balance in the attack contract to change the seed, and with it the result, until it finally matches the bet. Having "collided" on the "right" account balance by calculation, the hacker only needs to transfer the computed amount of EOS to the real game contract's account to make sure the lottery will win.

Salvation: there is no best, only better

The on-chain random number problem has no perfect solution. The blockchain has not only no true random numbers, but not even traditional pseudo-random numbers.

The random number generation method in EOS's official example is similar to the second way in this discussion: the private data of different participants is collected as the seed, so the generated pseudo-random number is hard to predict.

In the Dice example, the player and the dealer each need to generate a key; the key is first put on the chain, and at the right time each submits their own private key as the seed for generating the random number, which then determines the lottery result. This is probably the most secure way of generating pseudo-random numbers, but it adds an extra, non-trivial operation for the player and raises the game's threshold, so in practice it has not been widely adopted.

Answering random number security questions in the EOS developer group, BM proposed a "trust the block producer" scheme: a specific piece of information for a specific time is packaged by the next block producer into the transaction as the pseudo-random number. Although this solves the problem on-chain, the method is closer to the first way in this discussion, a centralized third party providing the random number: hard to crack, but not necessarily a trustworthy provider.

EOS DApp developers who stay in the fight usually use the third way above: an on-chain smart contract collects chain data as the seed and generates the pseudo-random numbers itself.

After several rounds of confrontation with hackers, the most commonly used lottery mechanism among DApps is "double-delayed lottery + no controllable variables in the seed".

In the real-time lottery mechanism, the reference block is an existing block, so the seed data can be acquired by hackers before the draw. With the double-delayed lottery, the reference block is a block that has not yet been generated, so its seed data is hard to predict and the hacker cannot compute the lottery result in advance. Keeping controllable variables out of the seed ensures that the hacker cannot control the lottery result by changing the seed's value.

Even so, "double-delayed lottery + no controllable variables in the seed" cannot guarantee the absolute security of a contract's random numbers; it can only be said that this method has not been hacked at the present stage and is relatively safe. After all, no matter how many blocks the delay is, whatever seed the lottery contract can obtain, an attack contract can obtain as well: seeds on the chain are "fair" and "transparent".
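The seed composition listed for EOSDice and the "delayed lottery + no controllable variables" rule above, as an added simulation in Python (this is not EOSDice's or any project's code; the block and chain model, the two seed functions and the audit table are assumptions made for this illustration, and the block prefixes are constructed values). `seed_realtime` takes the six inputs the article names from the current head block, so it is computable the moment the bet is placed and changes whenever the pool balance changes; `seed_delayed` uses a block that does not yet exist and omits the balance. `audit_seed_inputs` applies the article's rule to a table of seed inputs.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Seed-input audit and delayed-draw simulation for an on-chain dice game.
# Added example, not EOSDice's or any project's code. The Block/Chain model,
# the seed functions and the audit tables are assumptions for this illustration;
# the six inputs of the real-time seed follow the list given in the article.


@dataclass
class Block:
    num: int
    prefix: int        # stands in for the reference block prefix; constructed below
    timestamp: int


@dataclass
class Chain:
    blocks: List[Block] = field(default_factory=list)

    def produce(self, timestamp: int) -> Block:
        num = len(self.blocks)
        # Constructed prefix, derived from number and time so the simulation is
        # deterministic; a real chain takes it from the block id.
        prefix = int.from_bytes(
            hashlib.sha256(f"constructed-block-{num}-{timestamp}".encode()).digest()[:4], "big")
        b = Block(num, prefix, timestamp)
        self.blocks.append(b)
        return b

    def head(self) -> Block:
        return self.blocks[-1]

    def get(self, num: int) -> Optional[Block]:
        return self.blocks[num] if num < len(self.blocks) else None


def seed_realtime(chain: Chain, name: str, game_id: int, now: int, pool_balance: int) -> bytes:
    """Real-time draw: the reference block is the current head, which already exists
    when the bet is placed, so anyone can compute this value beforehand."""
    ref = chain.head()
    data = f"{ref.prefix}|{ref.num}|{name}|{game_id}|{now}|{pool_balance}"
    return hashlib.sha256(data.encode()).digest()


def seed_delayed(chain: Chain, bet_block: int, delay: int, name: str, game_id: int) -> Optional[bytes]:
    """Delayed draw: the reference block is bet_block + delay. Until that block is
    produced there is no seed (None), and the pool balance is deliberately left out
    so that nobody can steer the result by transferring funds to the contract."""
    ref = chain.get(bet_block + delay)
    if ref is None:
        return None
    data = f"{ref.prefix}|{ref.num}|{name}|{game_id}"
    return hashlib.sha256(data.encode()).digest()


# Audit tables: for each seed input, is it known when the bet is placed, and can a
# caller change it after betting (e.g. by transferring into the pool)?
REALTIME_INPUTS: Dict[str, Dict[str, bool]] = {
    "tapos_block_prefix": {"known_at_bet": True, "steerable": False},
    "tapos_block_num":    {"known_at_bet": True, "steerable": False},
    "name":               {"known_at_bet": True, "steerable": False},
    "game_id":            {"known_at_bet": True, "steerable": False},
    "current_time":       {"known_at_bet": True, "steerable": False},
    "pool_balance":       {"known_at_bet": True, "steerable": True},
}
DELAYED_INPUTS: Dict[str, Dict[str, bool]] = {
    "future_block_prefix": {"known_at_bet": False, "steerable": False},
    "future_block_num":    {"known_at_bet": False, "steerable": False},
    "name":                {"known_at_bet": True, "steerable": False},
    "game_id":             {"known_at_bet": True, "steerable": False},
}


def audit_seed_inputs(inputs: Dict[str, Dict[str, bool]]) -> List[str]:
    """Findings under the article's rule: at least one seed input must be unknown
    at bet time, and no input may be changeable by a caller after betting."""
    findings = []
    if all(f["known_at_bet"] for f in inputs.values()):
        findings.append("every seed input is known when the bet is placed: the draw is predictable")
    steerable = [n for n, f in inputs.items() if f["steerable"]]
    if steerable:
        findings.append("seed inputs a caller can change after betting: " + ", ".join(steerable))
    return findings


def simulate(delay: int = 2) -> dict:
    """Place a bet at the current head and show when each seed becomes computable."""
    chain = Chain()
    for ts in range(1000, 1004):
        chain.produce(ts)
    bet_block = chain.head().num
    before = seed_delayed(chain, bet_block, delay, "player1", 7)   # None: block not produced yet
    realtime = seed_realtime(chain, "player1", 7, 1003, 50_000)     # computable right now
    for ts in range(1004, 1004 + delay):
        chain.produce(ts)
    after = seed_delayed(chain, bet_block, delay, "player1", 7)
    return {"bet_block": bet_block, "delayed_before": before, "delayed_after": after, "realtime": realtime}


if __name__ == "__main__":
    print("real-time seed findings:", audit_seed_inputs(REALTIME_INPUTS))
    print("delayed seed findings:", audit_seed_inputs(DELAYED_INPUTS))
    print(simulate())
```

The audit is deliberately conservative: it flags a seed as predictable only when every input is known at bet time, and as steerable when any input can be moved by a caller between bet and draw, which is exactly the combination the text describes for the balance-based seed. As the text also notes, the delayed seed still becomes public once the reference block exists, so the delay buys unpredictability at bet time, not secrecy.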

How can the damage of random number attacks be minimized in this imperfect situation? The SlowMist team gives some practical suggestions:

1. Review the contract from the attacker's perspective.

2. Attackers usually attack through a malicious contract; consider from which angles a contract could attack the random number.

3. The security of a random number depends not only on the pseudo-random number generation algorithm but also on the lottery mechanism; design the algorithm and the mechanism together.

4. Do not feed predictable or controllable variables into the seed of the pseudo-random number generation algorithm, so that the result can be neither predicted nor tampered with.

5. Understand the difference between on-chain random numbers and traditional random numbers.

6. Security audit. Do a security audit before the project goes live and is open-sourced; known vulnerabilities can be found, and the harm of unknown vulnerabilities can be minimized through risk-control mechanisms.


"Of all things for the production of random numbers, I do not think anything surpasses dice," Francis Galton wrote in Nature in 1890.

But dice will never meet the demand of computer applications; once you want to use random numbers in the binary world, you must make compromises and expose yourself to the danger of hackers.

The blockchain world in particular requires more concessions from us. Because of the wariness of centralization and the desire for transparency in a distributed, autonomous chain, there are no true random numbers on the chain, and there will never be absolutely secure random numbers.

Random numbers have brought about a perpetual battle between developers and hackers. A random number scheme may resist all known types of attack, but hackers may keep finding new ways to attack. Here there are no survivors.
