Incorrect use of blockhash

Description

The blockhash function in Solidity returns 0 when used with block.number or block.number + N, making it predictable and insecure for generating random numbers.

Examples

Insecure Code

solidity

uint256 random = uint256(blockhash(block.number));

Secure Code

solidity

uint256 random = rand(); // using OpenZeppelin's rand() function

Remediation

Use a secure random number generator, such as the rand() function from the OpenZeppelin library, to generate unpredictable numbers.

Rule Details

Field	Value
ID	CODE-0474
Category	Crypto
Severity	MEDIUM
CWE	CWE-341
Confidence	HIGH
Impact	MEDIUM
Likelihood	LOW
Exploitability	MODERATE
Tags	randomness, predictability
OWASP	N/A

References

https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Incorrect use of blockhash

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Incorrect use of blockhash ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Incorrect use of blockhash

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References