Bad Randomness

What it detects

The detector looks for uses of blockhash, timestamps, or other on-chain values as random seeds. These values can be manipulated, so the outcomes they produce are ones attackers can predict or control.

Typical symptoms

  • Random number derived from block variables
  • Outcomes biased toward miners or privileged users

Solidity snippet (v0.8.25)

pragma solidity ^0.8.25;

contract Lottery {
    function draw() external view returns (uint256) {
        // Predictable randomness based on the previous block's hash
        return uint256(blockhash(block.number - 1));
    }
}

Why it matters on EVM

Bad randomness undermines fairness in games and lotteries, enabling exploits that drain rewards or manipulate selections.
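
The check described under "What it detects", sketched as an added Python example (not the detector's own implementation and not code from the original page): a regex heuristic that flags statements where a block-derived value is hashed, reduced with %, or cast from blockhash. The source list beyond blockhash and timestamps, the function names and the SAMPLE contract are assumptions constructed for illustration.

```python
import re

# Block-derived values treated as seed material. blockhash and timestamps are
# named on the page; the other members are an assumed reading of "other
# on-chain values".
SOURCE = re.compile(
    r"\bblockhash(?=\s*\()|\bblock\.(?:timestamp|number|prevrandao|difficulty|coinbase)\b")
# Shapes suggesting the value becomes a number that picks an outcome:
# hashing, modulo reduction, or casting a block hash to an integer.
SHAPE = re.compile(r"\bkeccak256\s*\(|%|\buint\d*\s*\(\s*blockhash\b")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def strip_comments(src):
    # Blank out comments but keep newlines so line numbers stay correct.
    # Limitation: "//" inside a string literal is also treated as a comment.
    return COMMENT.sub(lambda m: "\n" * m.group().count("\n"), src)


def find_bad_randomness(src):
    """Return [(line, [sources])] for statements that look like seed derivation."""
    code = strip_comments(src)
    findings, start = [], 0
    for stmt in code.split(";"):
        hits = list(SOURCE.finditer(stmt))
        if hits and SHAPE.search(stmt):
            line = code.count("\n", 0, start + hits[0].start()) + 1
            findings.append((line, sorted({h.group() for h in hits})))
        start += len(stmt) + 1  # +1 for the ';' consumed by split
    return findings


# Constructed sample: the page's Lottery plus two other uses of block values.
SAMPLE = """\
pragma solidity ^0.8.25;
contract Lottery {
    uint256 public deadline = block.timestamp + 1 days; // time check, not a seed
    function draw() external view returns (uint256) {
        // blockhash(...) in a comment must not count
        return uint256(blockhash(block.number - 1));
    }
    function pick(uint256 n) external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % n;
    }
}
"""

if __name__ == "__main__":
    for line, sources in find_bad_randomness(SAMPLE):
        print(f"line {line}: seed derived from {', '.join(sources)}")
```

The deadline assignment on line 3 of the sample is deliberately not reported: reading block.timestamp for a time check is not seed derivation, which is why the heuristic requires a randomness-shaped expression and not just the presence of a block variable.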