
Predicting Random Numbers in Ethereum Smart Contracts - alexlash
https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620
======
jashmenn
If this sort of thing interests you, check out Dfinity's random beacons - They
use threshold cryptography (think of it as a type of "multisig") to solve the
commit-reveal problem (where the last party to reveal their commitment can
abandon, so they have an advantage).

They build on it to create a provable, deterministic source of randomness
which can't be exploited in this same way.

Here's a video that goes into more detail:
[https://www.youtube.com/watch?v=xf1dql4Zoqw](https://www.youtube.com/watch?v=xf1dql4Zoqw)

~~~
tfha
There's a general class of crypto for solving this problem called a VRF.
Algorand also has a very clever way to solve the randomness problem, including
a method to foil an attacker that is even able to get lucky repeatedly.

~~~
warkdarrior
Did you mean Verifiable Random Functions (VRFs)?

~~~
tfha
I did, thanks

------
baby
That is a really really interesting post. I always figured that these were
only exploitable from a miner's point of view, but no! Creating a contract
that will access the same randomness and THEN query the targeted contract will
work, since they both happen in the same block hence the randomness will be
the same.

~~~
AgentME
Yeah, I used this trick to empty out a few tens of dollars worth of Ethereum
from a few naively-coded roulette contracts that were sitting around with a
little money left in them.

Say a contract exists in the blockchain that owns a little bit of ether and
has code so that if you send it a certain amount of money, it does some magic
to randomly determine whether to send you more money back. I found a few
contracts like that. All I had to do was code a contract that would send money
to the target contract, check its own balance (to see if it won some money
from the target), and then abort the entire transaction if its own balance
isn't greater than it started with. The code was really simple:
[https://gist.github.com/AgentME/d4cc6aa355900853b8ede3a84b10...](https://gist.github.com/AgentME/d4cc6aa355900853b8ede3a84b10ad68)

("Tens of dollars" was in present prices. I assume it was an even tinier
amount of money when the creator or previous users put the money in. I think
there's multiple interesting moral problems here: if you decide to ignore any
"code is law" notions about Ethereum and call what I did stealing, is the
crime lessened by the fact that they thought it was worth even less when they
put it into the contract? Also, who exactly did I steal from? The users who
put the money into the contract believed they had gambled it away. Does it
make a difference if they believed that money was going into an un-owned pot
to be winnings for the next person? Do I count as a "winner", since I did
claim it in a way it was coded to accept? ... Maybe a related problem: If
someone doing some kind of art/performance statement purposefully hid money
underground in a random place on public property unlocked, unmarked, and
location unknown to themselves such that they thought no one else or even
themselves could ever find it, and then I find it with x-ray goggles and take
it, am I stealing?)
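
The two mechanics discussed above, a roll derived from block fields that everything else mined in that block can evaluate, and the commit-reveal alternative whose last revealer can still walk away (the problem jashmenn raises at the top of the thread), as an added Python model. This is constructed example code, not AgentME's gist and not any deployed contract; the Block fields, the hash-derived roll, the participant names and the payout numbers are assumptions, and sha3_256 stands in for keccak256.

```python
import hashlib


def h(*parts):
    """sha3_256 stands in for the EVM's keccak256; the padding difference is irrelevant here."""
    return hashlib.sha3_256(b"".join(parts)).digest()


class Block:
    """The public block fields a contract can read (a constructed subset for the demo)."""

    def __init__(self, number, parent_hash, timestamp):
        self.number = number
        self.parent_hash = parent_hash
        self.timestamp = timestamp


def naive_roll(block, sides):
    """The anti-pattern from the article: a 'random' roll that is a pure function of
    block fields, so every transaction mined in that block can evaluate it."""
    digest = h(block.parent_hash, block.number.to_bytes(8, "big"),
               block.timestamp.to_bytes(8, "big"))
    return int.from_bytes(digest, "big") % sides


class NaiveGame:
    """Toy roulette in the style the article criticises (hypothetical, constructed)."""

    def __init__(self, sides, payout):
        self.sides = sides
        self.payout = payout

    def play(self, block, guess):
        """Pays out if the guess matches a roll derived purely from block fields."""
        return self.payout if guess == naive_roll(block, self.sides) else 0


def guess_from_public_fields_always_wins(game, block):
    """Anything mined in the same block (a second contract, a helper transaction)
    can form its guess from the same public fields the game uses, so the house
    edge of the naive game is zero within that block."""
    return game.play(block, naive_roll(block, game.sides)) == game.payout


class CommitReveal:
    """Commit-reveal alternative: each participant commits h(secret) in one block and
    reveals the secret later; the roll is derived from all revealed secrets together,
    so no chain state defines it before the last reveal."""

    def __init__(self, sides):
        self.sides = sides
        self.commitments = {}   # participant -> h(secret)
        self.reveals = {}       # participant -> secret

    def commit(self, who, secret):
        self.commitments[who] = h(secret)

    def reveal(self, who, secret):
        if h(secret) != self.commitments.get(who):
            raise ValueError("reveal does not match commitment")
        self.reveals[who] = secret

    def _roll_from(self, secrets):
        combined = h(*(secrets[who] for who in sorted(self.commitments)))
        return int.from_bytes(combined, "big") % self.sides

    def result(self):
        """None until everyone has revealed."""
        if set(self.reveals) != set(self.commitments):
            return None
        return self._roll_from(self.reveals)

    def last_revealer_preview(self, who, secret):
        """The residual weakness: once everyone else has revealed, the last participant
        can compute the outcome off-chain and choose to withhold an unfavourable reveal.
        Returns None unless `who` is the only participant still to reveal."""
        if who in self.reveals or set(self.reveals) | {who} != set(self.commitments):
            return None
        return self._roll_from({**self.reveals, who: secret})


if __name__ == "__main__":
    # constructed block values; any values work, the point is that they are public
    blk = Block(5_000_000, bytes.fromhex("11" * 32), 1_600_000_000)
    game = NaiveGame(sides=37, payout=35)
    print("naive roll knowable in-block:", guess_from_public_fields_always_wins(game, blk))

    cr = CommitReveal(sides=37)
    cr.commit("alice", b"alice-secret")
    cr.commit("bob", b"bob-secret")
    cr.reveal("alice", b"alice-secret")
    print("result before last reveal:", cr.result())
    print("what bob can see before revealing:", cr.last_revealer_preview("bob", b"bob-secret"))
    cr.reveal("bob", b"bob-secret")
    print("final result:", cr.result())
```

In the model, `result()` stays `None` until every secret is in, so no on-chain state gives the roll away early, but `last_revealer_preview` shows why the thread keeps reaching for threshold signatures and VRFs: a deposit forfeited on non-reveal is a common contract-level mitigation, and a threshold beacon of the kind jashmenn describes removes the single last revealer altogether.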

~~~
temp-dude-87844
The questions of morality are largely orthogonal to questions whether
surrounding institutions have strategies to address behavior considered
'problematic'.

In the overworld, we have institutions which continuously interpret, enforce,
refine, and revise both the letter and the spirit of contracts and law.

Ethereum developers and VIPs have already shown that they'll use hard forks to
steer the community towards their preferred direction, and individuals will
have to decide which chain to pursue. Since your actions are small beans and
unlikely to prompt the Ethereum decision makers to reverse these transactions,
you and others can likely keep doing such things in the future, and those
affected will have little choice but to accept it.

~~~
drdeca
Ok, but their question was morality, not what will be enforced, so, I'm not
sure why you are bringing up what will be enforced?

~~~
AgentME
I think they are interestingly intertwined questions. If something happens
that's egregiously morally out of bounds, then people will find or create ways
to enforce against it. From the other angle, existing enforcement mechanisms
will impose themselves as trying to define what moral is. In a way, besides
the little selfish gains, I may be fatalistically trying to define "code is
law" as moral because it is what I am presently capable of enforcing. Maybe
I'm just talking myself in a circle; it's good fuel to ruminate on.

~~~
BraveNewCurency
> If something happens that's egregiously morally out of bounds, then people
> will find or create ways to enforce against it.

I think you left out "and a lot of money is involved". Do you think there
would have been an emergency hard fork if the DAO only had $100 in it? I
sincerely doubt it.

> existing enforcement mechanisms will impose themselves as trying to define
> what moral is.

Morality and Law (code or not) are different things. You can't code morality -
you can only encode the programmer's morality. (Which is not the same thing,
because the programmer can change his/her mind.)

------
deegles
It's too bad it's not possible to store a secret in a contract (as far as I
know). It would be interesting to store a private key that would be revealed
only after a certain block number (let's say calculated to be 10 years in the
future) as a sort of time capsule for files.

~~~
rocqua
Considering that the entirety of the blockchain is public, it's impossible to
actually put secrets into a smart-contract. You have to make the data
available to all nodes that are actually running the smart contract data.

An interesting approach to solving this is homomorphic encryption. This allows
for Alice to give Bob two encrypted numbers A and B. Bob can then compute an
encrypted version of A + B using only the encrypted versions of A and B. This
could be used by putting an encrypted secret on the blockchain, after which
everyone can compute using that secret, but cannot see the actual outcome.

This still won't help with random number generation though, because it remains
deterministic.

~~~
baby
I don't see how HE helps, but I've heard of VRF (verifiable random functions)
and I think there is something there to do.

~~~
shadowfiend
The Dfinity team ([https://dfinity.org](https://dfinity.org)) is using
something like this to underlie their blockchain implementation: they use
threshold BLS signatures with groups of nodes to sign previous chain states
and still be resilient against misbehavior and network intermittence. The
signatures are random, but their correctness can be verified once they have
been published.

To support our secure key storage work, we'll be bringing a random beacon
built on similar core concepts to the Ethereum chain for Keep.

------
adamnemecek
Isn't Elasticsearch an extreme overkill for 3500 contracts?

~~~
Groxx
Almost definitely, but it's probably the only real option to feed data to a
rich filtering / display UI like Kibana, for easier exploration. Probably
worth the effort if you know how to do it.

------
loverofthings
Well, let's ignore the reuse of the seeds, let's focus on generating random
numbers in a range 0-N using a uniform random generator that gives numbers
from 0-M where M >= N.

Code snippets shown use modulus (x % (N+1)) to accomplish that. This will
result in the numbers not being uniformly distributed at all.

Of course, the differences in probability aren't that huge but the contracts
are mathematically not fair.

    import numpy as np
    n, m = 2, 20
    # draws are uniform on 0..m-1; reducing them mod (n+1) maps them onto 0..n
    binc = np.bincount(np.random.randint(0, m, size=20000000) % (n + 1))
    print(1.0 * binc / sum(binc))
    # output from one run: [0.3501464 0.3497516 0.300102 ]

When we're generating 0-2, from 0-20, we get 0 and 1 more often than 2.
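
The bias can be computed exactly instead of sampled, and the standard fix is rejection sampling: discard any draw at or above the largest multiple of N+1 that fits in the source range, then draw again. The following is an added example, not the commenter's code; it uses the snippet's 20-value source (0..19) reduced to three buckets, and goes beyond that case by also handling a 256-bit source such as a hash output, where counting in a loop is impossible but the closed form is immediate. The `draw_unbiased` source callable is an assumed interface.

```python
from fractions import Fraction


def modulo_distribution(m, k):
    """Exact law of x % k when x is uniform on 0..m-1.
    The first (m mod k) residues are hit one extra time each; that surplus is the bias."""
    q, rem = divmod(m, k)
    return {r: Fraction(q + (1 if r < rem else 0), m) for r in range(k)}


def rejection_threshold(m, k):
    """Largest multiple of k not exceeding m; draws >= threshold are discarded."""
    return m - m % k


def rejection_distribution(m, k):
    """Law of x % k after discarding x >= threshold: exactly 1/k for every residue."""
    t = rejection_threshold(m, k)
    return {r: Fraction(t // k, t) for r in range(k)}


def max_bias(dist):
    """Largest deviation of any bucket from the ideal 1/k."""
    k = len(dist)
    return max(abs(p - Fraction(1, k)) for p in dist.values())


def rejection_rate(m, k):
    """Probability that a single draw is discarded (negligible for a 256-bit source)."""
    return Fraction(m % k, m)


def draw_unbiased(source, m, k):
    """source() returns a uniform integer in 0..m-1; redraw until below the threshold,
    then reduce. Every residue is then equally likely."""
    t = rejection_threshold(m, k)
    while True:
        x = source()
        if x < t:
            return x % k


if __name__ == "__main__":
    m, k = 20, 3   # the comment's setup: a 20-value source reduced to 0..2
    print("modulo    :", modulo_distribution(m, k), "max bias", max_bias(modulo_distribution(m, k)))
    print("rejection :", rejection_distribution(m, k), "max bias", max_bias(rejection_distribution(m, k)))
    # a 256-bit hash reduced mod 37 (roulette-sized range): the bias is real but
    # minuscule, and the rejection path is almost never taken
    print("uint256 % 37 max bias :", float(max_bias(modulo_distribution(2**256, 37))))
    print("uint256 rejection rate:", float(rejection_rate(2**256, 37)))
    # constructed source: two draws above the threshold are rejected, then 5 is accepted
    src = iter([19, 18, 5]).__next__
    print("draw_unbiased ->", draw_unbiased(src, m, k))   # 5 % 3 = 2
```

For a 20-value source the modulo bias is 1/30 in the worst bucket, which is the gap the numpy run shows; for a 256-bit source it is on the order of 2^-256 and practically irrelevant, so the fairness problem in the contracts the article describes is the predictability of the seed, not the reduction. Rejection sampling still costs nothing to get right, and it is the form reviewers expect to see when a hash is mapped onto a small range.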

------
tehlike
Relevant thread wrt rng in smartcontracts:
[https://news.ycombinator.com/item?id=16281347](https://news.ycombinator.com/item?id=16281347)

------
johntb86
What use cases are there for random numbers in smart contracts? From the
article, it seems like gambling is the main use.

~~~
nopit
Gambling is pretty much the only use for smart contracts in general.

~~~
nym
Supposedly, this is a 51.96 billion market globally.

[https://www.statista.com/statistics/270728/market-volume-of-online-gaming-worldwide/](https://www.statista.com/statistics/270728/market-volume-of-online-gaming-worldwide/)

