Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/weak-sources-randomness

Name: weak-sources-randomness
Author: apegurus

skills/vulnerability-patterns/weak-sources-randomness/SKILL.md

- Contract generates "random" values using on-chain data: `block.timestamp`, `blockhash`, `block.difficulty` / `block.prevrandao`, `block.number`, or combinations thereof

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus weak-sources-randomness

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:33 AM193.0s1 file scanned

SKILL.md

name:: weak-sources-randomness
description:: On-chain attributes used as randomness source
pattern_category:: logic-error
- regex:: (block\.timestamp|block\.prevrandao|block\.difficulty|blockhash)\b
severity:: Medium
confidence:: Medium
swc:: SWC-120

Weak Sources of Randomness from Chain Attributes

Preconditions

Contract generates "random" values using on-chain data: block.timestamp, blockhash, block.difficulty / block.prevrandao, block.number, or combinations thereof
The random value determines outcomes with economic value (lotteries, games, minting, distributions)

Vulnerable Pattern

function drawLottery() external {
    // All inputs are deterministic and publicly visible
    // Another contract can compute the same value in the same tx
    uint256 random = uint256(keccak256(abi.encodePacked(
        block.timestamp,
        block.prevrandao,
        msg.sender
    ))) % 100;

    if (random < 5) {
        _payWinner(msg.sender);
    }
}

// Attacker contract
contract Exploit {
    function attack(Lottery target) external {
        // Compute the same "random" value before calling
        uint256 random = uint256(keccak256(abi.encodePacked(
            block.timestamp,
            block.prevrandao,
            address(this)
        ))) % 100;

        // Only call if we'll win
        if (random < 5) {
            target.drawLottery();
        }
    }
}

Detection Heuristics

Search for block.timestamp, block.prevrandao, block.difficulty, blockhash, block.number used as inputs to keccak256 or arithmetic operations producing a "random" value
Check if the resulting value determines an outcome with economic impact (winner selection, token distribution, NFT rarity, game outcome)
If randomness is derived exclusively from on-chain data, flag it — a contract in the same transaction can compute the identical value
Check if blockhash is used for a future block (returns 0 for blocks not yet mined) or a block older than 256 blocks (also returns 0)
Check if validators/miners can influence the inputs to bias the outcome

False Positives

Chainlink VRF or another verifiable randomness oracle is used
On-chain data is combined with an off-chain commit-reveal scheme (the on-chain part alone doesn't determine the outcome)
The randomness doesn't determine anything with economic value
block.prevrandao on PoS Ethereum provides sufficient entropy for the specific use case (not for high-value outcomes)

Remediation

Use Chainlink VRF (Verifiable Random Function) for provably fair randomness
Implement a commit-reveal scheme: users commit hashed choices, reveal in a later block
Never use block.timestamp, blockhash, or block.prevrandao alone for randomness in high-value contexts

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";

contract FairLottery is VRFConsumerBaseV2 {
    function requestRandom() external {
        requestRandomWords(keyHash, subId, confirmations, gasLimit, 1);
    }

    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {
        uint256 winner = randomWords[0] % participants.length;
        _payWinner(participants[winner]);
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/weak-sources-randomness ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/weak-sources-randomness

skills/vulnerability-patterns/weak-sources-randomness/SKILL.md

- Contract generates "random" values using on-chain data: `block.timestamp`, `blockhash`, `block.difficulty` / `block.prevrandao`, `block.number`, or combinations thereof

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus weak-sources-randomness

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:33 AM193.0s1 file scanned

SKILL.md

name:: weak-sources-randomness
description:: On-chain attributes used as randomness source
pattern_category:: logic-error
- regex:: (block\.timestamp|block\.prevrandao|block\.difficulty|blockhash)\b
severity:: Medium
confidence:: Medium
swc:: SWC-120

Weak Sources of Randomness from Chain Attributes

Preconditions

Contract generates "random" values using on-chain data: block.timestamp, blockhash, block.difficulty / block.prevrandao, block.number, or combinations thereof
The random value determines outcomes with economic value (lotteries, games, minting, distributions)

Vulnerable Pattern

function drawLottery() external {
    // All inputs are deterministic and publicly visible
    // Another contract can compute the same value in the same tx
    uint256 random = uint256(keccak256(abi.encodePacked(
        block.timestamp,
        block.prevrandao,
        msg.sender
    ))) % 100;

    if (random < 5) {
        _payWinner(msg.sender);
    }
}

// Attacker contract
contract Exploit {
    function attack(Lottery target) external {
        // Compute the same "random" value before calling
        uint256 random = uint256(keccak256(abi.encodePacked(
            block.timestamp,
            block.prevrandao,
            address(this)
        ))) % 100;

        // Only call if we'll win
        if (random < 5) {
            target.drawLottery();
        }
    }
}

Detection Heuristics

Search for block.timestamp, block.prevrandao, block.difficulty, blockhash, block.number used as inputs to keccak256 or arithmetic operations producing a "random" value
Check if the resulting value determines an outcome with economic impact (winner selection, token distribution, NFT rarity, game outcome)
If randomness is derived exclusively from on-chain data, flag it — a contract in the same transaction can compute the identical value
Check if blockhash is used for a future block (returns 0 for blocks not yet mined) or a block older than 256 blocks (also returns 0)
Check if validators/miners can influence the inputs to bias the outcome

False Positives

Chainlink VRF or another verifiable randomness oracle is used
On-chain data is combined with an off-chain commit-reveal scheme (the on-chain part alone doesn't determine the outcome)
The randomness doesn't determine anything with economic value
block.prevrandao on PoS Ethereum provides sufficient entropy for the specific use case (not for high-value outcomes)

Remediation

Use Chainlink VRF (Verifiable Random Function) for provably fair randomness
Implement a commit-reveal scheme: users commit hashed choices, reveal in a later block
Never use block.timestamp, blockhash, or block.prevrandao alone for randomness in high-value contexts

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";

contract FairLottery is VRFConsumerBaseV2 {
    function requestRandom() external {
        requestRandomWords(keyHash, subId, confirmations, gasLimit, 1);
    }

    function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {
        uint256 winner = randomWords[0] % participants.length;
        _payWinner(participants[winner]);
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/weak-sources-randomness ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT