What is entropy illusion vulnerability?
Blockchain systems offer great opportunities for projects and devs, but like any other system, they have a number of certain limitations. One such limitation is determinism — the property of a system or process that its outcome is unambiguously predetermined by initial conditions, input data and rules (algorithm). Determinism is a necessity to maintain decentralized operation of the blockchain system: each node must produce the same result given the same input data.
One vulnerability that can be found during the smart contract audit process is directly related to the determinism of blockchain systems. The issue is called entropy illusion — a vulnerability that occurs when developers use such methods and values in their smart contracts to generate randomness that allow an attacker to calculate the ‘random’ value or manipulate data sources.
Entropy represents the measure of uncertainty, disorder, or chaos in a system. The entropy illusion is pseudo-uncertainty, where randomness is computable or manipulatable.
Why do crypto projects need randomness?
This question is rather rhetorical: without randomness, many successful crypto projects would appear boring and of no interest to anyone. Randomness allows equality of participants, fueling the community’s interest in participating in the blockchain project.
GamesLotteryNFT mining
— all of these concepts presuppose a fair and equal distribution of opportunities among participants.
Another important use of randomness is related to cryptographic security.
Therefore, the entropy illusion vulnerability in crypto projects can lead to serious consequences like unfair lotteries and minting, hacks, loss of trust and interest of the audience.
How entropy illusion issue occurs
Entropy illusion occurs when, during the development of a blockchain project, devs use data sources to generate randomness that can be calculated, controlled, or manipulated by users or miners.
For example:
Block timestampsBlock hashesBlock difficulty or gas limitTransaction data
Thus, the data, although diverse, will be only illusory random and the crypto project will be vulnerable to attacks.
How to provide randomness for a cryptoproject?
There are several ways to provide truly random values in a cryptoproject. For example:
Use trusted solutions for random data generation, for example Chainlink VRF (Verifiable Random Function).Use commit-reveal schemes — a type of commitment scheme that can be used for onchain value storing and keeping values secret until explicit disclosure.Use external independent oracles.
Conclusion
Entropy illusion is a vulnerability that can cost a crypto project loss of funds, assets and reputation. Therefore, when developing a smart contract that incorporates randomness, it is important to carefully select the method and random data provider for the project, and to verify and audit the randomness logic implementation in the developed smart contracts.
SmartState: Top-notch smart contract audits & blockchain security solutions
About SmartState
Launched in 2019 and incorporated in Dubai, SmartState is an independent Web3 security company providing top-notch external security audits and enterprise level blockchain security services.
We’ve built a professional team of skilled white-hat hackers, cyber security experts, analysts and developers. The SmartState team have extensive experience in ethical hacking and cyber security, blockchain & Web3 development, financial and economic sectors.
We’ve conducted 1000+ security audits so far. None of code audited by SmartState had been hacked. Blockchains like TON, large projects like EYWA, 1inch and CrossCurve & exchanges such as Binance and KuCoin rely on our experience.
🚀 Concerned about your project & assets security? Book free security consultation! Let’s get in touch: info@smartstate.tech
Stay tuned for more updates from SmartState and follow us on social media to learn about our latest auditing services and success stories:
WebsiteX (formerly Twitter)LinkedInTelegramInstagram
Disclaimer
Always DYOR. This article is for informational purposes only, does not constitute legal, financial, investment advice and / or professional advice, and we are not responsible for any decisions based on our analysis or recommendations. Always consult with a qualified security expert and conduct thorough testing before deploying smart contracts.
What is entropy illusion vulnerability? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.