When Arseny Reutov, a web application security specialist at Positive.com, set out to test potential attack points in games of chance that run on the Ethereum blockchain, he expected to find some flaws in the system, maybe.

What he didn’t expect was that half of what he tested had vulnerabilities that could be exploited to do what rarely can be done in a physical casino: beat the house.

“I thought that the security of random number generators should be much higher,” Reutov said. Reutov presented these findings at OWASP AppSec California in January and PHDays 2018 last month.

Hacking the Number Generator

The Ethereum blockchain is used for initial coin offerings, but it started as, and is still used as, a platform for what are known as distributed applications (Dapps). That’s why gambling applications for lotteries, roulette and card games use the platform. Those Dapps rely on pseudo-random number generators (PRNGs) to create the chance part of those games.

Reutov’s team collected 3,649 smart contracts from etherscan.io and GitHub, which are both popular sources for smart-contract source code. They used the Kibana web UI to search the collection and filter it down to 72 unique PRNGs, and then the group manually tested each.

Out of those 72 PRNGs, the team found that 43 – more than half – were vulnerable. Attackers were able to “predict the future,” he said, and either manipulate the results or know the results before the rest of the players did.

Ethereum Woes

This is not the first time Ethereum has been in the spotlight. In November, an Ethereum user stumbled upon a vulnerability and locked users out of Parity wallets holding an estimated $150 million. At a keynote presentation at the Financial Cryptography and Data Security 2018 conference in March, VMware researcher Dahlia Malkhi called Ethereum’s Casper protocol upgrade “fundamentally vulnerable.”

Reutov doesn’t necessarily see these Ethereum incidents as connected. Instead, he hopes his findings point out flaws in the PRNG system and are taken into consideration by PRNG developers. “I’d hope that for [developers], this research would be helpful in terms of creating their PRNGs in a more secure way,” he said.

Jen A. Miller
Jen Miller's writing has appeared in The New York Times, Washington Post, CIO and Buzzfeed.