Vulnerability of decentralized RNG's to Cyber Attacks

Decentralized Random Number Generators, pivotal in blockchain ecosystems, are not impervious to security breaches. These vulnerabilities pose significant threats, especially in systems handling high-value transactions or assets. The inherent risks associated with RNGs in decentralized systems can lead to substantial financial and reputational damages.

The article "Defeating EOS Gambling Games: The Tech Behind Random Number Loophole" by PeckShield delves into the security vulnerabilities exploited by hackers in various EOS gambling games, which compromised the overall security of the EOS ecosystem. The hackers targeted eight games, successfully manipulating random number generation to win large sums, totaling 170,503.5 EOS tokens.

PeckShield's investigation revealed that these were coordinated attacks exploiting a random number loophole, with increasing frequency and success. One specific case study focused on the game EOS.WIN, where a hacker executed a series of attacks, ultimately circumventing the game's random number generation mechanism which used a deferred transaction model.

The crux of the vulnerability lay in the game's reliance on predictable elements such as transaction hash (txid), block height, and block prefix, which the attackers manipulated. By deploying multiple contract accounts to make simultaneous bets, attackers ensured that the conditions for winning were met by controlling the sequential order of bets and exploiting the game's transaction handling to maintain favorable bet IDs.

PeckShield concluded by advising developers against using player-controllable variables for random number generation and recommended separating the game's resolution and notification actions to enhance security. This case study highlights the critical need for robust random number generation mechanisms in blockchain-based applications to prevent manipulation and ensure fairness.