EVM Threat Models

0x44-PREVRANDAO

23 min read

Opcode Summary

PropertyValue
Opcode0x44
MnemonicPREVRANDAO (was DIFFICULTY pre-Merge)
Gas2
Stack Input(none)
Stack Outputblock.prevrandao (uint256, the RANDAO mix from the beacon chain’s previous block)
BehaviorPost-Merge (Paris, EIP-4399): pushes the RANDAO accumulator value from the beacon chain onto the stack. The mixHash field in the block header is repurposed to carry the latest RANDAO mix of the previous block’s post-beacon state. Pre-Merge: this opcode was DIFFICULTY and returned the proof-of-work block difficulty (a value in the range 0 to ~2^64). Post-Merge values span the full 0 to 2^256 range, providing a detection mechanism — values > 2^64 indicate a PoS block.

Threat Surface

PREVRANDAO provides smart contracts with access to the beacon chain’s RANDAO accumulator — a value derived from the XOR of BLS signatures contributed by each slot’s proposer over an epoch. It is the closest thing to an in-protocol randomness source available to the EVM, but it is not cryptographically secure randomness. The threat surface is fundamentally shaped by three properties:

  1. The block proposer knows PREVRANDAO one full epoch in advance. Ethereum’s beacon chain determines the proposer schedule for each epoch (~6.4 minutes, 32 slots) at the start of that epoch. The proposer for slot N can compute block.prevrandao for slot N before producing the block, because the RANDAO mix is an XOR accumulation of all prior reveals. Any contract that uses PREVRANDAO for high-value randomness (lotteries, NFT reveals, random selection) gives the proposer a look-ahead window to precompute outcomes and decide whether to participate.

  2. Proposers can bias PREVRANDAO by skipping their slot. A validator assigned to propose a block can choose not to propose (forfeiting their block reward and attestation income for that slot). By withholding their RANDAO reveal, they prevent their contribution from being XORed into the accumulator, effectively choosing between two possible RANDAO values: the one with their reveal and the one without. This gives a single proposer a 1-bit bias per skipped slot. Validators with multiple consecutive slots can compound this bias exponentially — N consecutive slots yield up to 2^N possible RANDAO outcomes.

  3. PREVRANDAO replaced DIFFICULTY at The Merge, breaking existing contracts. Pre-Merge, opcode 0x44 returned block.difficulty, a value in the range ~2^50 to ~2^54. Post-Merge, the same opcode returns a full 256-bit RANDAO mix. Contracts that performed arithmetic, range checks, or comparisons on block.difficulty assuming it was a small integer broke silently at The Merge. Contracts using block.difficulty as part of a randomness scheme continued to function but with entirely different (and still insecure) entropy characteristics.

  4. L2 PREVRANDAO semantics diverge significantly. On OP Stack chains (Optimism, Base), block.prevrandao returns the L1 PREVRANDAO value at the current L1 origin block — not an L2-native randomness source. On Arbitrum, the value is sequencer-controlled and has been a subject of active research to bridge L1 RANDAO values. Contracts deployed across L1 and L2s that depend on PREVRANDAO will encounter different update frequencies, different trust assumptions, and potentially static or predictable values.

Smart Contract Threats

T1: Proposer Bias Attack — 1-Bit Influence per Skipped Slot (High)

The block proposer can influence the PREVRANDAO value by choosing whether or not to propose their assigned block. Each decision gives them a binary choice over the RANDAO accumulator’s next state:

  • Single-slot bias. A proposer assigned to slot N knows the RANDAO mix after slot N-1. They can compute two possible values for the mix after slot N: one where they reveal (XOR their BLS signature) and one where they skip. If one outcome is more favorable (e.g., wins a lottery, mints a rare NFT), they skip or propose accordingly. The cost of skipping is the forfeited block reward (~0.05 ETH in priority fees + attestation rewards), which is trivial compared to high-value randomness-dependent outcomes.

  • Multi-slot proposer runs. When a validator (or a coordinated group of validators) holds multiple consecutive proposer slots, the bias compounds exponentially. With N consecutive slots, the attacker can choose from up to 2^N possible RANDAO outcomes. Research from 2024 quantifies this: an adversary controlling 5% of stake can propose 5.048% of rounds (vs. the expected 5%), and 20% stake yields 20.68% — a measurable but bounded advantage. The real danger is in the tail: rare multi-slot runs by a single entity provide outsized influence on the RANDAO for those specific epochs.

  • Economic calculus. For a lottery with a 100 ETH pot, a proposer who can choose between two outcomes (1-bit bias) doubles their expected value compared to a fair coin flip. Skipping a slot costs ~0.05 ETH in rewards. Any randomness-dependent contract with a payout exceeding the block reward creates a profitable bias opportunity.

Why it matters: PREVRANDAO provides a 1-bit bias to every block proposer for free (just propose or don’t), making it unsuitable for any application where the outcome value exceeds the block reward.

T2: Using PREVRANDAO for High-Value Randomness — Lotteries and NFT Reveals (Critical)

Using block.prevrandao as the sole or primary randomness source for high-value outcomes is fundamentally broken:

  • Proposer precomputation. The proposer knows block.prevrandao before their block is finalized. Any contract that resolves randomness in the same block as the proposer’s slot (e.g., draw() called in a transaction the proposer includes) allows the proposer to precompute the outcome and selectively include or exclude the transaction.

  • MEV searcher exploitation. In the PBS (Proposer-Builder Separation) model, builders construct blocks and know the PREVRANDAO value. MEV searchers can submit bundles that exploit PREVRANDAO-dependent contracts by computing outcomes before inclusion. The searcher knows the exact PREVRANDAO value for the target block and can front-run or back-run lottery draws, NFT reveals, or random selections.

  • Combinability with other block variables. Developers often combine block.prevrandao with block.timestamp, block.number, block.coinbase, and blockhash in a keccak256 hash, assuming the combination is unpredictable. But the block producer controls or knows all of these values before committing to the block, making the combined hash fully deterministic to the proposer.

  • Solidity compiler naming confusion. Solidity >= 0.8.18 introduced block.prevrandao as an alias for block.difficulty. For EVM versions before Paris, block.difficulty remains the canonical name. Developers who see prevrandao may incorrectly assume it provides cryptographic randomness, when it provides only a biasable beacon chain accumulator.

Why it matters: PREVRANDAO-based randomness in lotteries, gambling contracts, NFT trait generation, and random winner selection is exploitable by any block proposer. The OWASP Smart Contract Top 10 (SC08: Insecure Randomness) explicitly flags block.prevrandao/block.difficulty as insecure entropy sources.

T3: Predictability Within an Epoch (High)

The RANDAO accumulator is not refreshed per-block in an unpredictable way — it is an XOR chain of BLS signatures that advances deterministically once the set of proposers is known:

  • Epoch-level predictability. At the start of each epoch (32 slots, ~6.4 minutes), the beacon chain publishes the proposer schedule. From that point, any observer can simulate the RANDAO accumulation for each slot in the epoch, given the proposers’ public keys and the assumption that they will propose. The only uncertainty is whether a proposer will skip their slot.

  • Last-proposer advantage. The final proposer in an epoch has the maximum information advantage: they know all prior RANDAO reveals for the epoch and can choose whether to add their own. This gives the last proposer of an epoch the greatest bias over the epoch’s final RANDAO mix, which carries into the next epoch’s shuffling.

  • Same-block resolution is exploitable. Any contract that reads block.prevrandao and makes decisions in the same transaction (e.g., instant lottery draw) is fully predictable to the block producer. The PREVRANDAO value is fixed for the entire block — every transaction in the block sees the same value.

Why it matters: PREVRANDAO’s predictability window of ~6.4 minutes (one epoch) is far too long for any time-sensitive randomness application. Contracts that resolve randomness within a single block or epoch are vulnerable.

T4: L2 PREVRANDAO Semantic Divergence (Medium)

L2 chains implement PREVRANDAO with different semantics than Ethereum L1, creating cross-chain deployment hazards:

  • OP Stack (Optimism, Base). block.prevrandao returns the L1 PREVRANDAO value at the current L1 origin block. This means the value updates only when the L2 advances its L1 origin — not every L2 block. Multiple consecutive L2 blocks may return the same PREVRANDAO value, reducing entropy. The value is still derived from L1’s beacon chain, preserving its quality but not its freshness.

  • Arbitrum. Arbitrum has historically returned a fixed or sequencer-controlled value for block.difficulty/block.prevrandao. There is active research on bridging L1 RANDAO to Arbitrum, but the current implementation means PREVRANDAO may not provide meaningful entropy on Arbitrum. The centralized sequencer controls the value.

  • Other L2s and sidechains. On XDC Network, block.prevrandao returns keccak256(block.number), which is entirely deterministic and precomputable for every future block. Other chains may have similarly degraded implementations.

  • Cross-chain contracts. A contract deployed on L1 that relies on PREVRANDAO updating every 12 seconds will malfunction on an L2 where the value is stale, static, or sequencer-controlled. Contracts must check block.chainid and adapt behavior accordingly.

Why it matters: Multi-chain deployment is standard practice. Contracts using PREVRANDAO must account for radically different quality and freshness of the randomness across chains.

T5: Contracts Using DIFFICULTY That Broke at The Merge (Medium)

EIP-4399 repurposed opcode 0x44 from returning proof-of-work difficulty (~2^50 to ~2^54) to returning the full 256-bit RANDAO mix. This created silent breaking changes:

  • Range check failures. Contracts that validated require(block.difficulty > 0 && block.difficulty < 2**64) to ensure they were running on mainnet (not a test chain) broke at The Merge because PREVRANDAO values routinely exceed 2^64.

  • Arithmetic overflow/underflow. Contracts that used block.difficulty in arithmetic (e.g., scaling rewards by difficulty, computing mining-related metrics) produce nonsensical results with 256-bit RANDAO values. While Solidity >= 0.8.0 would revert on overflow, pre-0.8.0 contracts would silently wrap.

  • Difficulty-based branching. Some contracts used block.difficulty to detect network conditions (e.g., “if difficulty dropped, something unusual is happening”). Post-Merge, PREVRANDAO is unrelated to network conditions, making such logic meaningless.

  • PoS detection. EIP-4399 explicitly defines a detection mechanism: block.prevrandao > 2^64 indicates a PoS block. Contracts can use this to branch on pre-Merge vs. post-Merge behavior, but contracts deployed before The Merge without this check had no opportunity to adapt.

Why it matters: The Merge was a one-time event, but its breaking changes affected all contracts that used block.difficulty for anything other than randomness mixing. Unupgradeable contracts with difficulty-based logic remain broken on mainnet.

Protocol-Level Threats

P1: Proposer Bias Economics and Rational Behavior (Medium)

The RANDAO protocol assumes honest majority behavior — that proposers will always reveal their RANDAO contributions. But economically rational proposers will deviate when the benefit of biasing RANDAO exceeds the cost:

  • Cost of skipping. A proposer who skips their slot forfeits block rewards (~0.01-0.1 ETH in priority fees, plus attestation rewards). This is the “cost” of a 1-bit bias. For the vast majority of blocks, no application depends on PREVRANDAO with enough value to justify skipping. But when a high-value lottery draw, governance vote randomization, or validator shuffling occurs, the calculus changes.

  • Staking pool concentration. Large staking pools (Lido, Coinbase, Rocketpool) control significant portions of the validator set. A staking pool that controls 30% of validators will frequently have multi-slot proposer runs, amplifying their bias capability. While pool operators are unlikely to exploit this for individual smart contract outcomes, the capability exists and creates systemic risk for any protocol that relies on PREVRANDAO for validator selection or committee assignment.

  • No slashing for skipping. Ethereum does not slash validators for failing to propose a block. Inactivity leaks reduce balances over time for persistent non-participation, but a single strategic skip has negligible penalty. This asymmetry — low cost of skipping vs. potential high reward of biasing — is a fundamental weakness of RANDAO-based randomness.

P2: Multi-Slot Proposer Runs Amplify Bias Exponentially (High)

When a single validator (or coordinated group) holds consecutive proposer slots, their RANDAO bias grows exponentially:

  • N consecutive slots = up to 2^N choices. With 2 consecutive slots, the attacker can choose from 4 possible RANDAO outcomes (reveal-reveal, reveal-skip, skip-reveal, skip-skip). With 3 slots: 8 outcomes. The probability of a single validator getting N consecutive slots is proportional to their stake fraction raised to the Nth power, but even rare occurrences can be exploited for high-value targets.

  • Formal analysis (AFT 2024). Research published at the Advances in Financial Technology conference (2024) quantified optimal RANDAO manipulation bounds: an adversary with 10% stake can propose 10.19% of rounds (vs. the expected 10%), and with 20% stake, 20.68%. While these deviations seem small, they translate to measurable economic advantages in any system that uses PREVRANDAO for proportional selection.

  • RANDAO forking attack (2025). A newer attack variant identified by researchers involves validators selectively forking out honest proposers’ blocks (rather than simply withholding their own) to maximize RANDAO manipulation while maintaining chain liveness. This exacerbates the bias beyond what simple slot-skipping allows.

  • RANDAOtage. The “RANDAOtage” scenario (documented by Justin Drake) describes how an attacker with 1/3 voting power, combined with 1/3+ of validators experiencing temporary outages, can monopolize block production during outage periods and grind over RANDAO combinations to corrupt beacon chain committees.

Edge Cases

Edge CaseBehaviorSecurity Implication
Pre-Merge (opcode was DIFFICULTY)Returns proof-of-work difficulty, a value in the range ~2^50 to ~2^54 on mainnetContracts that hardcoded range checks on difficulty break post-Merge when the value jumps to 256-bit RANDAO outputs.
PREVRANDAO value known 1 epoch aheadProposer schedule is published at epoch start; each proposer can compute their slot’s PREVRANDAO before producing the blockAny contract that resolves randomness within a single block is fully predictable to the proposer. 6.4-minute look-ahead window.
PREVRANDAO == 0Theoretically possible but astronomically unlikely for a 256-bit hash outputContracts that check require(block.prevrandao != 0) as a validity check are safe in practice; the zero value should never occur post-Merge.
Same PREVRANDAO for all txs in a blockPREVRANDAO is a block-level value, not transaction-levelEvery transaction in the same block sees identical block.prevrandao. Cannot be used to differentiate between transactions within a block.
OP Stack L2s (Optimism, Base)Returns L1 PREVRANDAO at the current L1 origin blockValue may be stale across multiple L2 blocks; updates only when L1 origin advances. Reduced entropy freshness compared to L1.
ArbitrumSequencer-controlled; ongoing research to bridge L1 RANDAOMay return fixed or low-entropy values. Not a reliable randomness source on Arbitrum.
XDC NetworkReturns keccak256(block.number)Fully deterministic and precomputable for every future block. Zero randomness.
PoS detection via value rangeValues > 2^64 indicate post-Merge PoS executionUseful for contracts that need to detect whether they’re running pre-Merge or post-Merge. block.prevrandao > 2**64 is the canonical check.
DELEGATECALL contextReturns the same block.prevrandao as the parent context (block-level property)No change across delegatecall boundaries; PREVRANDAO is a block property, not a call-frame property.
Solidity version semanticsblock.difficulty (pre-Paris EVM target) vs. block.prevrandao (Paris+ EVM target); Solidity warns if the wrong name is used for the targetCompiler warnings may be suppressed or ignored, leading to confusion about whether the code targets pre- or post-Merge semantics.

Real-World Exploits

Exploit 1: SmartBillions Lottery — Predictable block.difficulty Drains 400 ETH (~$120K, October 2017)

Root cause: The SmartBillions lottery contract used block.difficulty, blockhash, and block.timestamp as randomness sources for determining lottery winners. All three values are known or manipulable by block producers.

Details: During SmartBillions’ official security hackathon in October 2017, two attackers independently exploited the lottery’s pseudo-random number generator. The contract computed lottery outcomes using a combination of block.difficulty, blockhash(), and block.timestamp — all of which are deterministic to the miner producing the block. The attackers could compute the winning lottery numbers in the same block as their bet transaction, since all underlying blockchain values are fixed within a single block. By deploying attack contracts that precomputed the random outcome and only submitted bets when the result was favorable, they extracted 400 ETH ($120K at the time). The vulnerability is classified as SWC-120 (Weak Sources of Randomness from Chain Attributes).

PREVRANDAO’s role: block.difficulty (the pre-Merge incarnation of opcode 0x44) was a key entropy input. Miners knew the difficulty before producing the block, making the lottery outcome fully deterministic to anyone with block production rights. Post-Merge, the same opcode returns PREVRANDAO, which is still known to the proposer in advance — the fundamental vulnerability persists with different mechanics.

Impact: 400 ETH (~$120K) drained during the hackathon. The exploit demonstrated the impossibility of secure on-chain randomness from block-level variables.

References:

Exploit 2: Fomo3D — Miner Block Stuffing Exploits Block-Variable-Dependent Game (~$3M, August 2018)

Root cause: Fomo3D relied on block-level variables (including block.difficulty and block.coinbase) for game logic, and a miner/player exploited block production control to manipulate outcomes.

Details: Fomo3D was a “last buyer wins the pot” game where a countdown timer reset with each key purchase. The attacker deployed contracts that checked block.coinbase and game state to determine when to activate a gas-consuming attack. The attack contracts conditionally consumed massive gas (up to 4.2M gas via assert() failures) to fill blocks and prevent other players’ transactions from being included. The attacker held the last key purchase while flooding approximately 11 consecutive blocks with gas-consuming transactions, preventing timer resets. The timer expired with the attacker as the last buyer.

The attack demonstrated that block producers (and well-funded players who can fill blocks) will actively manipulate block-level variables when sufficient value is at stake. While block.difficulty was not the primary attack vector, the attack contract used it as part of its conditional logic for determining favorable block conditions.

PREVRANDAO’s role: block.difficulty was one of several block-level variables the attack contracts evaluated to decide when to activate. The broader lesson is that all block-level variables — including the post-Merge PREVRANDAO — are controlled or known by the block producer and should not be trusted for adversarial game-theoretic contexts.

Impact: ~$3M (10,469 ETH) jackpot stolen. Established the precedent that block producers are active adversaries for any contract logic that depends on block-level variables.

References:

Exploit 3: On-Chain Gambling DApps — Systematic Exploitation via Predictable block.difficulty (2017-2019, Recurring)

Root cause: Dozens of on-chain gambling, lottery, and gaming DApps used block.difficulty (often combined with block.timestamp, block.number, and blockhash) as randomness sources. Miners and MEV-aware bots precomputed outcomes.

Details: During 2017-2019, a pattern of exploitation emerged against gambling DApps that used code like:

uint256 random = uint256(keccak256(abi.encodePacked(
    block.difficulty, block.timestamp, block.coinbase, block.number
)));

Attack contracts deployed alongside the gambling contracts would compute the “random” outcome in the same transaction (since all block variables are fixed within a block) and only participate when the outcome was profitable. Miners could go further — they could choose whether to include or exclude transactions, or even skip blocks entirely, based on precomputed outcomes. Multiple gambling contracts were systematically drained by attackers who treated the “randomness” as a fully deterministic function.

Security audits from 2022-2023 found that approximately 15% of audited smart contracts still contained insecure randomness patterns using block-level variables, indicating the problem persists in the post-Merge era with PREVRANDAO.

PREVRANDAO’s role: block.difficulty (now PREVRANDAO) was the most commonly used entropy source in these vulnerable contracts. The OWASP Smart Contract Top 10 (SC08: Insecure Randomness) explicitly lists block.difficulty/block.prevrandao as an insecure randomness source.

Impact: Cumulative losses across dozens of DApps in the hundreds-to-thousands of ETH range. Led to the adoption of Chainlink VRF and commit-reveal schemes as industry-standard randomness solutions.

References:

Exploit 4: The Merge Breaking Changes — DIFFICULTY-Dependent Contracts Silently Broken (September 2022)

Root cause: EIP-4399 repurposed opcode 0x44 from returning proof-of-work difficulty to returning the 256-bit RANDAO mix, breaking contracts that assumed block.difficulty was a small integer.

Details: At The Merge (September 15, 2022), every smart contract that read block.difficulty instantly began receiving PREVRANDAO values instead. The Ethereum Foundation’s pre-Merge advisory identified several categories of affected contracts:

  • Contracts using block.difficulty in arithmetic that would overflow or produce nonsensical results with 256-bit values.
  • Contracts checking block.difficulty > 0 or block.difficulty < threshold for validation or network detection.
  • Mining-related contracts that used difficulty for reward scaling, hashrate estimation, or proof-of-work verification.
  • DeFi protocols that used block.difficulty as one of several entropy sources in pseudo-random number generation.

While no single catastrophic exploit was attributed to this change (the Ethereum Foundation provided months of advance warning), the Merge represented a systemic semantic break for opcode 0x44. Unupgradeable contracts with difficulty-based logic remain broken on mainnet permanently.

PREVRANDAO’s role: This is the defining event for opcode 0x44. The semantic shift from “proof-of-work difficulty” to “beacon chain RANDAO mix” is a one-time breaking change that fundamentally altered the threat model for every contract using this opcode.

Impact: Systemic risk across all contracts using block.difficulty. No single large exploit, but an unknown number of contracts with degraded or broken functionality.

References:

Attack Scenarios

Scenario A: Proposer Bias on a Lottery Draw

contract VulnerableLottery {
    address[] public players;
    uint256 public pot;
 
    function enter() external payable {
        require(msg.value == 1 ether);
        players.push(msg.sender);
    }
 
    function draw() external {
        require(players.length >= 20);
 
        // VULNERABLE: block.prevrandao is known to the proposer
        // before they produce the block. The proposer can decide
        // whether to include this transaction based on whether
        // they win.
        uint256 winner = uint256(keccak256(abi.encodePacked(
            block.prevrandao,
            block.timestamp,
            players.length
        ))) % players.length;
 
        payable(players[winner]).transfer(address(this).balance);
        delete players;
    }
 
    // Attack: A validator enters the lottery with multiple addresses.
    // When assigned to propose a slot, they precompute the winner for
    // both "propose" and "skip" scenarios. If either outcome selects
    // one of their addresses, they act accordingly.
    // Cost: ~0.05 ETH forfeited block reward for a 1-bit bias on a 20 ETH pot.
}

Scenario B: NFT Trait Manipulation via PREVRANDAO

contract VulnerableNFTMint {
    uint256 public nextTokenId;
 
    function mint() external payable {
        require(msg.value == 0.1 ether);
 
        // VULNERABLE: Traits determined by block.prevrandao.
        // A validator proposing the block containing this tx
        // knows the exact traits before the block is finalized.
        uint256 seed = uint256(keccak256(abi.encodePacked(
            block.prevrandao,
            nextTokenId,
            msg.sender
        )));
 
        uint256 rarity = seed % 100;
        // rarity < 1 => legendary (1%)
        // rarity < 10 => rare (9%)
        // else => common (90%)
 
        _mintWithTraits(msg.sender, nextTokenId, rarity);
        nextTokenId++;
    }
 
    function _mintWithTraits(address to, uint256 id, uint256 rarity) internal {
        // ... mint logic
    }
 
    // Attack: MEV searcher computes the seed for the target block.
    // If rarity < 1 (legendary), they submit a mint transaction.
    // If not, they wait for a block with a favorable PREVRANDAO.
    // No need to be a validator -- just compute and front-run.
}

Scenario C: Contracts Broken by The Merge (DIFFICULTY to PREVRANDAO)

// Deployed pre-Merge, unupgradeable
contract MiningRewardScaler {
    uint256 public constant EXPECTED_DIFFICULTY = 14_000_000_000_000_000; // ~14 PH
 
    function getRewardMultiplier() public view returns (uint256) {
        // Pre-Merge: block.difficulty was ~14 PH, so multiplier was ~1x
        // Post-Merge: block.prevrandao is a 256-bit value >> EXPECTED_DIFFICULTY
        // This returns an astronomically large multiplier, breaking reward logic
        return (block.difficulty * 100) / EXPECTED_DIFFICULTY;
    }
 
    function claimReward() external {
        uint256 multiplier = getRewardMultiplier();
        // Pre-Merge: multiplier ~= 100 (1x)
        // Post-Merge: multiplier = overflow/enormous value
        // Solidity >= 0.8.0 reverts on overflow; < 0.8.0 wraps silently
        uint256 reward = BASE_REWARD * multiplier / 100;
        payable(msg.sender).transfer(reward);
    }
 
    uint256 constant BASE_REWARD = 0.01 ether;
 
    // This contract is permanently broken post-Merge.
    // If compiled with Solidity < 0.8.0: silent overflow, incorrect payouts.
    // If compiled with Solidity >= 0.8.0: every call to claimReward() reverts.
}

Scenario D: Multi-Slot Proposer RANDAO Grinding

// A high-value DAO uses PREVRANDAO for jury selection
contract VulnerableJurySelection {
    address[] public candidates;
    address[] public selectedJury;
 
    function selectJury(uint256 jurySize) external {
        require(selectedJury.length == 0, "jury already selected");
        require(candidates.length >= jurySize);
 
        // VULNERABLE: A validator with 2+ consecutive slots can
        // choose from 2^N possible PREVRANDAO values, selecting
        // the jury composition most favorable to them.
        for (uint256 i = 0; i < jurySize; i++) {
            uint256 idx = uint256(keccak256(abi.encodePacked(
                block.prevrandao, i
            ))) % candidates.length;
            selectedJury.push(candidates[idx]);
        }
    }
 
    // Attack: A large staking pool (30% of validators) monitors for
    // epochs where they have 2+ consecutive slots. They precompute
    // all 4 possible jury compositions and choose the one where
    // their preferred candidates are selected.
}

Mitigations

ThreatMitigationImplementation
T1: Proposer bias (1-bit)Use PREVRANDAO only for low-value outcomes where 1-bit bias is acceptableAcceptable for non-financial randomness (UI shuffling, non-critical ordering); never for lotteries or asset distribution
T2: High-value randomnessUse Chainlink VRF or commit-reveal schemesChainlink VRF v2+ for provably fair randomness; request randomness in tx 1, fulfill in tx 2 (different block, different proposer)
T2: MEV searcher exploitationSeparate randomness request from randomness resolution across blocksCommit-reveal: users commit a hash in block N, reveal the preimage in block N+K; combine user entropy with PREVRANDAO
T3: Epoch-level predictabilityAdd user-contributed entropy via commit-revealUsers submit keccak256(secret) in one transaction, reveal secret in a later transaction; combine with PREVRANDAO for hybrid entropy
T4: L2 PREVRANDAO divergenceAbstract randomness behind a chain-aware interfaceCheck block.chainid and use chain-specific VRF or oracle; never assume PREVRANDAO freshness across chains
T5: Merge breaking changesDetect PoS and branch behaviorif (block.prevrandao > 2**64) { /* post-Merge logic */ } else { /* pre-Merge logic */ } per EIP-4399
T5: Unupgradeable contractsDeploy behind upgradeable proxiesUse UUPS or Transparent Proxy patterns for any contract that reads block-level variables
General: Proposer knowledgeNever resolve randomness in the same block as the requestTwo-phase pattern: request in block N, resolve with PREVRANDAO from block N+1 or later (still biasable but raises the cost)
General: High-stakes randomnessUse VDF (Verifiable Delay Function) or threshold randomnessEthereum roadmap includes VDF research for unbiasable randomness; drand network for threshold BLS randomness

Compiler/EIP-Based Protections

  • EIP-4399 (Paris, The Merge): Replaced block.difficulty with block.prevrandao semantics on opcode 0x44. Provides the PoS detection mechanism (value > 2^64). Does not make the randomness secure — it makes it better than difficulty but still biasable.
  • Solidity >= 0.8.18: Introduces block.prevrandao as a language-level alias. Emits a warning when block.difficulty is used with a Paris+ EVM target, helping developers recognize the semantic change.
  • Chainlink VRF v2+: Industry-standard verifiable random function. Generates randomness off-chain with a cryptographic proof verified on-chain. Eliminates proposer bias entirely. The randomness is delivered in a callback transaction in a future block, preventing same-block exploitation.
  • EIP-4788 (Dencun): Exposes the beacon block root in the EVM via a system contract. While not directly a randomness solution, it enables contracts to verify beacon chain state, which can be combined with PREVRANDAO for additional assurance.

Severity Summary

Threat IDCategorySeverityLikelihoodReal-World Precedent
T1Smart ContractHighMediumProposer bias is theoretically documented; economically rational for high-value targets
T2Smart ContractCriticalHighSmartBillions ($120K), dozens of gambling DApps drained (2017-2019), OWASP SC08
T3Smart ContractHighHighSame-block randomness resolution exploited in multiple gambling contracts
T4Smart ContractMediumMediumL2 PREVRANDAO semantic divergence (ongoing cross-chain deployment issue)
T5Smart ContractMediumLow (one-time event)The Merge breaking changes (September 2022); unupgradeable contracts permanently affected
P1ProtocolMediumLowProposer bias economics documented in academic research; no confirmed mainnet exploitation
P2ProtocolHighLowMulti-slot RANDAO grinding quantified (AFT 2024); RANDAOtage scenario (Justin Drake); forking attack (2025)
OpcodeRelationship
BLOCKHASH (0x40)Returns the hash of a recent block (up to 256 blocks back). Like PREVRANDAO, sometimes misused for randomness. BLOCKHASH has a shorter look-ahead window (not known until the block is produced) but is still manipulable by the proposer who can choose block contents.
TIMESTAMP (0x42)Returns the current block’s timestamp. The proposer can adjust this within protocol constraints (~12s slot time). Commonly combined with PREVRANDAO in broken randomness patterns — both are proposer-known values.
COINBASE (0x41)Returns the block proposer’s fee recipient address. Freely chosen by the validator. Often combined with PREVRANDAO in pseudo-randomness schemes, but the proposer controls both values, making the combination no more secure than either alone.
NUMBER (0x43)Returns the current block number. Fully deterministic and predictable. Adding NUMBER to a PREVRANDAO-based hash provides zero additional entropy.

Graph View

Latest updates

Backlinks