When Arseny Reutov, a web application security specialist at , set out to test potential attack points in games of chance that run on the Ethereum blockchain, he expected to find some flaws in the system, maybe.
Hacking the Number Generator
The Ethereum blockchain is used for initial coin offerings, but it started as, and is still used as, a platform for what are known as distributed applications (Dapps). That’s why gambling applications for lotteries, roulette and card games use the platform. Those Dapps rely on pseudo-random number generators (PRNGs) to create the chance part of those games.
Reutov’s team collected 3,649 smart contracts from and which are both popular sources for smart-contract source code. They used the to search and filter out 72 unique PRNGs, and then the group manually tested each.
Out of those 72 PRNGs, the team found that 43 – more than half – were vulnerable. Attackers were able to “predict the future,” he said, and either manipulate the results or know the results before the rest of the players did.
This is not the first time Ethereum has been in the spotlight. In November, an Ethereum user stumbled upon a vulnerability and t a keynote presentation at the conference in March, VMware researcher Dahlia Malkhi
Reutov doesn’t necessarily see these Ethereum incidents as connected. Instead, he hopes his findings point out flaws in the PRNG system and are taken into consideration by PRNG developers. “I’d hope that for [developers], this research would be helpful in terms of creating their PRNGs in a more secure way,” he said.