Predicting Random Numbers in Ethereum Smart Contracts
Arseny Reutov at AppSec California 2018
Smart contracts are not only about ICOs - various lotteries, roulettes and card games are implemented in Solidity and can be played by anyone on the Ethereum blockchain. Autonomy of the blockchain limits the sources of entropy for random number generators. There is no common library that could help developers to create secure RNGs either. That is why it is very easy to mess things up when implementing your own random number generator.
The talk features the analysis of the gambling smart contracts on the blockchain. As you will see many of them failed to implement a secure RNG which allows to predict the outcome and steal significant sums of money. At the talk the examples of wrong RNG implementations found in the wild will be demonstrated. The attendees will also learn how to spot problems in RNGs as well as how to build a secure random number generator under blockchain limitations.
About Arseny Reutov - Positive Technologies Ltd
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Application Security Research at Positive Technologies Ltd where he specializes in penetration testing, the analysis of web applications, and, more recently, smart contracts audit. He is the author of research papers and blog posts on security of PRNGs in PHP published in such magazines as Hacker (Xakep) and HITB as well as in his blog raz0r.name. He was a speaker at ZeroNights, CONFidence, PHDays and OWASP conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passion are modern web technologies and finding vulnerabilities in them.
The talk features the analysis of the gambling smart contracts on the blockchain. As you will see many of them failed to implement a secure RNG which allows to predict the outcome and steal significant sums of money. At the talk the examples of wrong RNG implementations found in the wild will be demonstrated. The attendees will also learn how to spot problems in RNGs as well as how to build a secure random number generator under blockchain limitations.
About Arseny Reutov - Positive Technologies Ltd
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Application Security Research at Positive Technologies Ltd where he specializes in penetration testing, the analysis of web applications, and, more recently, smart contracts audit. He is the author of research papers and blog posts on security of PRNGs in PHP published in such magazines as Hacker (Xakep) and HITB as well as in his blog raz0r.name. He was a speaker at ZeroNights, CONFidence, PHDays and OWASP conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passion are modern web technologies and finding vulnerabilities in them.