Skip to main content

Insuficciently random values

What it does

Checks the usage of block_timestamp or block_number for generation of random numbers.

Why is this bad?

Using block_timestamp is not recommended because it could be potentially manipulated by validator. On the other hand, block_number is publicly available, an attacker could predict the random number to be generated.


#[ink(message, payable)]
pub fn bet_single(&mut self, number: u8) -> Result<bool> {
let inputs = self.check_inputs(36, 0, 36, number);
if inputs.is_err() {
return Err(inputs.unwrap_err());

let pseudo_random: u8 = (self.env().block_number() % 37).try_into().unwrap();
if pseudo_random == number {
return self
.transfer(self.env().caller(), self.env().transferred_value() * 36)
.map(|_| true)
.map_err(|_e| Error::TransferFailed);
return Ok(false);

Avoid using block attributes like block_timestamp or block_number for randomness generation, and consider using oracles instead.


The detector's implementation can be found at this link.