
Would this pseudo random algorithm be failproof:

I'm implementing a lottery contract and the winner is chosen by getting the addresses of each player who joined, packing the addresses into a string and hashing that value, casting it to a uint, and getting an index for an array out of it. I am thinking even if someone reads all the addresses and estimates the winners, it wouldn't be 100% accurate, because it depends on whether another account will join or not.

edit: after choosing one winner, the players array gets scrambled in the front-end and set again by the contract admin.

1 Answer

There is no way to create a pseudo random number on-chain securely. It can always be abused.

In your case, the attacker can wait until the last moment and simulate your algorithm. Then he can create an address which suits his needs and add that to the lottery, so that he would win.

It's easy for an attacker to simulate your algorithm and enter a well-crafted address into the lottery, since all of that can be done off-chain with a fast computer. It only requires him to generate one address which helps him win the lottery, even if it may take him some loops to find a proper address which does the trick.

If you introduce randomization by a centralized admin, the case is different - but then you lose all the benefits of a decentralized smart contract where trust is not needed.
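To make the answer's point concrete, here is an added simulation (not code from the question or the answer) of the scheme described above: pack the entrants' addresses, hash, cast to an integer, reduce modulo the player count. Because every input is public on-chain, the last entrant can replay the selection off-chain and keep trying candidate addresses until the index points at itself. Assumptions: SHA3-256 from `hashlib` stands in for Ethereum's keccak256 (same sponge, different padding; predictability is identical), and the addresses are constructed 20-byte sample values.

```python
import hashlib
import random
from typing import List, Optional, Tuple


def pick_winner(players: List[bytes]) -> int:
    """Mirror of the scheme in the question: keccak256(abi.encodePacked(players))
    cast to uint, then modulo the number of players.
    Assumption: SHA3-256 is used in place of keccak256 (not available in hashlib)."""
    packed = b"".join(players)  # abi.encodePacked of 20-byte addresses
    digest = hashlib.sha3_256(packed).digest()
    return int.from_bytes(digest, "big") % len(players)


def last_entrant_can_win(existing: List[bytes], max_tries: int = 10_000,
                         seed: int = 0) -> Optional[Tuple[bytes, int]]:
    """Replay pick_winner off-chain for a sequence of candidate addresses and
    return (address, tries) for the first one that lands on its own slot.
    Candidates are constructed random 20-byte values; the loop is the 'some
    loops to find a proper address' the answer describes. Returns None if no
    candidate is found within max_tries (expected tries ~ number of players)."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        candidate = bytes(rng.getrandbits(8) for _ in range(20))
        players = existing + [candidate]
        if pick_winner(players) == len(players) - 1:
            return candidate, tries
    return None


# Constructed sample entrants already in the lottery (not real addresses).
SAMPLE_PLAYERS = [bytes.fromhex(h * 20) for h in ("11", "22", "33", "44")]

if __name__ == "__main__":
    hit = last_entrant_can_win(SAMPLE_PLAYERS)
    if hit is None:
        print("no winning address found within the try budget")
    else:
        addr, tries = hit
        print(f"winning address 0x{addr.hex()} found after {tries} tries")
```

Note that the "another account might still join" argument does not help: whoever submits the final transaction before the draw gets to run this loop, and the front-end scramble happens after the winner is already chosen.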
