Full Report
When Ethereum moved from proof of work to proof of stake, it added some new functionality. One of these with the replacement of block.difficulty with block.prevrandao. Although, the opcode is still the same, the values have different meanings now. The blockchain is completely deterministic, forcing randomness to come from things like Chainlink VRF off-chain. prevrandao is meant to be a source of randomness on chain that is created using decentralized information. This is generated with the following steps for each validator: Sign over the current epoch number. Compute hash of signature. Calculate new randomness as hash XOR with the previous randomness. Is this secure? That's a complicated question. The randomness is based upon signature data of the block. So, you cannot directly affect it. However, you can choose not to sign the data in your slot. If this is the case, the randao update is simply skipped. For every validator at the end of a slot, an attacker has control over a single bit of influence by deciding or not deciding on signing the data. To use this in a secure way, we need to pick a prevrandao from the future. According to the EIP-4399 specification, this should be 4 epochs into the future. The reason for this is that we can limit the influence of an attacker by forcing them to guess earlier on. A naive solution is to enforce a guess early then 4 epochs (greater than 128 blocks). in the future to do the validation. However, this is manipulable by censorship attacks by withholding a particular transaction until the prevrandao opcode returns a favorable value. To fix this problem, enforce that the transaction happens on a particular block in the future. Overall, an interesting article on Ethereum randomness. It is still not secure enough for people to use on a lottery, but does it's job for simple on chain things, like ordering of validators.
Analysis Summary
# Research: Solidity Deep Dive: New Opcode 'Prevrandao'
## Metadata
- **Authors:** Markus Waas
- **Institution:** SolidityDeveloper.com
- **Publication:** Technical Analysis Blog
- **Date:** Post-Ethereum Merge (Circa 2022-2023)
## Abstract
This research explores the transition of Ethereum’s `block.difficulty` opcode to `block.prevrandao` following the "Merge" to Proof of Stake (PoS). It examines how on-chain randomness is generated via the RANDAO mechanism, the vulnerabilities inherent in this deterministic process—specifically regarding validator biasability—and best practices for developers seeking to utilize this opcode for smart contract randomness.
## Research Objective
The analysis addresses the challenge of generating secure, decentralized randomness on-chain without relying on centralized off-chain oracles (like Chainlink VRF). It specifically investigates the security properties and limitations of the `PREVRANDAO` opcode in a PoS environment.
## Methodology
### Approach
A technical decomposition of the Beacon Chain’s randomness generation process, paired with a threat model analysis of "Last Revealer" attacks. The author suggests smart contract implementation patterns to mitigate these risks.
### Dataset/Environment
- **Ethereum Post-Merge Consensus Layer:** The interaction between the Execution Layer (Solidity/EVM) and the Consensus Layer (Beacon Chain).
- **EIP-4399:** The formal specification for supplanting the difficulty opcode.
### Tools & Technologies
- Solidity Smart Contracts
- BLS (Boneh-Lynn-Shacham) Signatures
- XOR (Exclusive Or) operations for entropy mixing
## Key Findings
### Primary Results
1. **Deterministic Dependency:** On-chain randomness is no longer a byproduct of hashing (PoW) but a cumulative result of validator signatures.
2. **The "1-Bit" Influence:** An attacker controlling a validator cannot change the random value to an arbitrary number, but they can exert "one bit" of influence by choosing to either propose a block (updating randomness) or skip their slot (omitting their entropy).
3. **Inherent Biasability:** The last validator in an epoch has the final say on the randomness for the subsequent period, making the value manipulable for high-stakes applications like lotteries.
### Supporting Evidence
- **Cost Analysis:** Skipping a slot to manipulate randomness costs a validator the block reward (approx. 0.044 ETH), setting a measurable economic ceiling on the "price" of manipulation.
### Novel Contributions
- **Temporal Decoupling Strategy:** Proposes using a "future block" commitment (e.g., 4 epochs/128 blocks in the future) to limit an attacker's ability to predict and manipulate outcomes at the moment of contract interaction.
## Technical Details
The `PREVRANDAO` value is updated every slot (12 seconds). Each validator signs the current epoch number using their private key. This signature is hashed and XORed with the previous randomness.
- **Security Logic:** Because BLS signatures are unique and deterministic, a validator cannot "grind" different hashes; they only have a binary choice: reveal or withhold.
- **EVM Integration:** `block.difficulty` (0x44) was repurposed to return the `mixHash` from the beacon state, providing current-block entropy to the EVM.
## Practical Implications
### For Security Practitioners
- **Avoid Naive Use:** Do not use `block.prevrandao` for high-value applications where the potential gain from manipulation exceeds the cost of a missed block reward (~0.044 ETH).
### For Defenders
- **Look-Ahead Protection:** Always require a "two-step" process for randomness: (1) Register the intent to get a random number, (2) Retrieve the number from a block hash or `prevrandao` value generated *after* the registration block.
### For Researchers
- **Censorship Risk:** Note that while future-block commitment helps, it introduces a risk where validators might censor a transaction if they see it will result in a loss based on upcoming randomness.
## Limitations
- **Current Opcode Constraints:** The current EVM only allows access to the *current* block's `prevrandao`. You cannot natively query the value of a specific past block without state-proving mechanisms.
- **Lack of VDFs:** Without Verifiable Delay Functions (VDFs), the "last revealer" problem remains theoretically unsolvable on-chain.
## Comparison to Prior Work
- **Vs. PoW Difficulty:** Unlike the old `block.difficulty`, which could be "ground" by miners with high hashpower, `prevrandao` is tied to specific validator slots, making the attack surface more predictable but also more discrete (binary choice).
## Real-world Applications
- **Validator Ordering:** Successfully used for internal protocol functions where small biases are statistically negligible.
- **Low-Stakes Gaming:** Suitable for features where the incentive to cheat is lower than the cost of losing staking rewards.
## Future Work
- **EIP Evolution:** Potential updates to allow `prevrandao(blockNumber)` to query historical randomness.
- **VDF Integration:** Long-term Ethereum roadmap goal to introduce Verifiable Delay Functions to negate the "last revealer" advantage entirely.
## References
- [EIP-4399: Supplant difficulty opcode with PREVRANDAO](https://eips.ethereum.org/EIPS/eip-4399)
- [Ethereum Magicians Discussion Thread](https://ethereum-magicians.org/t/eip-4399-supplant-difficulty-opcode-with-random/7368)