Smart Contract / Weak Sources of Randomness from Chain Attributes
Description
Weak Sources of Randomness from Chain Attributes (CWE-330) is a vulnerability that affects Smart Contracts. This vulnerability occurs when a smart contract uses weak sources of randomness such as the block number, chain ID, or timestamp to generate random numbers or other chain attributes. The weakness of the randomness source may allow attackers to predict the outcome of the randomness and gain a financial or other advantage. The Common Weakness Enumeration (CWE) directory provides further information on this vulnerability and its impact on Smart Contracts. Additionally, the OWASP Testing Guide provides descriptions of the types of attacks that can be used to exploit this vulnerability.
Risk
This vulnerability is considered to be a High risk. An attacker can take advantage of the weak sources of randomness to predict the outcome of the randomness, allowing them to gain financial or other advantages over other users of the smart contract. Additionally, this vulnerability can be difficult to detect, as the cause of the issue may be buried in the code of the smart contract.
Solution
The best solution to this vulnerability is to use a secure source of randomness when generating random numbers. Sources of randomness such as random.org or random.org/strings are considered to be secure. Additionally, developers should use a secure source of randomness when generating other attributes such as the block number, chain ID, or timestamp. Doing so will ensure that the randomness generated is secure.
Example
Below is an example of code that is vulnerable to Weak Sources of Randomness from Chain Attributes (CWE-330). In this example, the smart contract is using the block number to generate a random value.
uint256 randomValue = block.number;
This code is vulnerable to Weak Sources of Randomness from Chain Attributes, as the block number is not a secure source of randomness. An attacker could predict the outcome of the random number by analyzing the block number.