Skip to content
Last updated: February 09, 2026

SCWE-024: Weak Randomness Sources

Stable Version v1.0

This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Relationships

Description

Weak randomness sources refer to the use of predictable or insecure sources of randomness, such as block timestamps or block hashes. This can lead to: - Exploitation of the contract's logic. - Loss of funds or data. - Reduced trust in the contract's security.

Remediation

  • Use secure randomness: Leverage secure randomness sources like Chainlink VRF.
  • Avoid block variables: Do not rely on block timestamps or hashes for randomness.
  • Test thoroughly: Conduct extensive testing to ensure randomness is secure.

Examples

  • Weak Randomness 

    pragma solidity ^0.8.0;

contract WeakRandomness {
    function generateRandomNumber() public view returns (uint) {
        return uint(keccak256(abi.encodePacked(block.timestamp, block.difficulty))); // Insecure: post-merge use block.prevrandao; both are insecure for value-at-stake randomness
    }
}

  • Secure Randomness ```solidity pragma solidity ^0.8.0;

import "@chainlink/contracts/src/v0.8/VRFConsumerBase.sol"; // Note: Chainlink VRF V1 is deprecated; use VRF V2 (VRFConsumerBaseV2) in production

contract SecureRandomness is VRFConsumerBase { bytes32 internal keyHash; uint256 internal fee; uint256 public randomResult;

    constructor(address vrfCoordinator, address linkToken, bytes32 _keyHash, uint256 _fee)
        VRFConsumerBase(vrfCoordinator, linkToken) {
        keyHash = _keyHash;
        fee = _fee;
    }

    function getRandomNumber() public returns (bytes32 requestId) {
        require(LINK.balanceOf(address(this)) >= fee, "Not enough LINK");
        return requestRandomness(keyHash, fee);
    }

    function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {
        randomResult = randomness;
    }
}
```