# on-chain randomness from block attributes is deterministic and manipulable by validators
Block attributes (`block.timestamp`, `blockhash`, `block.prevrandao`) are known or controllable by block producers. Validators (post-merge) know `prevrandao` before proposing the block and can also engage in [[frontrunning exploits public mempool visibility to insert competing transactions before profitable pending operations|frontrunning]] by choosing favorable transaction orderings.

Chainlink VRF provides verifiable randomness via an off-chain oracle with on-chain proof verification. VRF v2.5 replaced v1 and v2 on November 29, 2024.

**Critical VRF implementation rules:**

- `fulfillRandomWords()` must never revert; the service will not retry, permanently blocking the request
- Store randomness in state first, take complex actions in subsequent calls
- Never implement re-request or cancellation logic; re-requesting allows the provider to withhold unfavorable outcomes

**Remaining VRF manipulation vectors:**

- Block producers can order multiple in-flight fulfillments; if behavior depends on ordering, this is exploitable
- Block reorgs produce different output; reorg-sensitive protocols must wait for sufficient confirmations

Multi-oracle randomness distributes trust across multiple independent VRF providers but introduces oracle reliability risk as a compensating trade-off: if any oracle is unavailable, randomness cannot be fulfilled unless the protocol handles partial oracle failure gracefully.

`blockhash(n)` is only available for the last 256 blocks; for any block number older than 256 blocks prior to the current head, `blockhash` returns zero. A contract that accepts a block number from a user and uses `blockhash` as a randomness source can be exploited by triggering the randomness resolution after 256 blocks have elapsed, at which point the source returns a predictable zero rather than a block hash. The entropy illusion is that developers treat block variables as "random enough" for low-stakes use, but any degree of predictability is exploitable when sufficient economic value depends on the outcome.
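
The 256-block expiry described above, shown as the weak settlement path beside a checked one. This is an added example, not code from any project this note refers to; the contract, its function names and the one-bit bet are hypothetical, and the check removes only the zero-hash defect, since the hash itself is still influenced by the block producer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical contract constructed for this note (an assumption, not audited code).
contract BlockhashWindowExample {
    struct Bet {
        uint256 targetBlock; // block whose hash decides the outcome
        uint8 guess;         // 0 or 1
        bool settled;
    }

    mapping(address => Bet) public bets;

    error NoOpenBet();
    error TooEarly();
    error HashExpired();

    function placeBet(uint8 guess) external {
        require(guess < 2, "guess must be 0 or 1");
        bets[msg.sender] = Bet({targetBlock: block.number + 1, guess: guess, settled: false});
    }

    // Weak: blockhash() returns bytes32(0) for the current block and for any
    // block more than 256 behind the head, so outside that window the
    // "random" bit is always 0 and the outcome is known in advance.
    function settleWeak() external returns (bool won) {
        Bet storage b = bets[msg.sender];
        if (b.targetBlock == 0 || b.settled) revert NoOpenBet();
        b.settled = true;
        won = (uint256(blockhash(b.targetBlock)) & 1) == b.guess;
    }

    // Checked: resolve only while the hash is actually available, and treat
    // a zero hash as invalid rather than as an outcome.
    function settleChecked() external returns (bool won) {
        Bet storage b = bets[msg.sender];
        if (b.targetBlock == 0 || b.settled) revert NoOpenBet();
        if (block.number <= b.targetBlock) revert TooEarly();
        if (block.number - b.targetBlock > 256) revert HashExpired();
        bytes32 h = blockhash(b.targetBlock);
        if (h == bytes32(0)) revert HashExpired();
        b.settled = true;
        won = (uint256(h) & 1) == b.guess;
    }
}
```

What an expired bet becomes (refund or forfeit) is a protocol decision; the requirement is only that it never resolves from the zero hash.
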

On L2s, since [[L2 sequencer centralization creates systemic liveness censorship and regulatory risks]], the attack surface is larger: centralized sequencers have direct, exclusive control over block production, giving them more consistent ability to select favorable block attributes than probabilistic mainnet validators who must win block proposals.

For contracts that cannot use VRF (synchronous execution requirements), since [[commit-reveal schemes prevent frontrunning by concealing transaction details until after ordering is fixed]], commit-reveal provides a partial mitigation: participants commit to their choices before the randomness is observable, preventing outcome-shopping based on known block attributes.

---
Relevant Notes:
- [[block timestamp manipulation within protocol bounds enables exploitation of time-dependent contract logic]]: timestamp manipulation as a specific instance of block attribute control
- [[frontrunning exploits public mempool visibility to insert competing transactions before profitable pending operations]]: validators combine randomness manipulation with transaction ordering privileges
- [[private visibility in solidity only restricts contract-level access while all on-chain data remains publicly readable]]: on-chain transparency enables both randomness prediction and frontrunning
- [[commit-reveal schemes without msg.sender binding allow front-runners to copy commitments and claim the reveal reward]]: commit-reveal is the classic defense against frontrunning, but even correct commit-reveal schemes must bind the commitment to msg.sender to prevent commitment copying
- [[commit-reveal schemes prevent frontrunning by concealing transaction details until after ordering is fixed]]: provides a synchronous-execution alternative to VRF by making participant choices unobservable before block attributes are fixed
- [[L2 sequencer centralization creates systemic liveness censorship and regulatory risks]]: centralized L2 sequencers amplify the block attribute manipulation attack surface beyond what probabilistic mainnet validator selection allows

Topics:
- [[vulnerability-patterns]]