Security Issue: Insecure Random Number Generation in NEO Blockchain
Description
- Version: v3.7.5
- Module: Plugins/DBFTPlugin
```csharp
private static ulong GetNonce()
{
    // System.Random is a general-purpose PRNG whose default seed is runtime-derived,
    // not a cryptographically secure generator.
    Random _random = new();
    Span<byte> buffer = stackalloc byte[8];
    _random.NextBytes(buffer);
    return BinaryPrimitives.ReadUInt64LittleEndian(buffer);
}
```
The issue lies in the use of the Random class for generating random numbers, specifically the instantiation Random _random = new();. It is well known that the Random constructor uses a default seed value. Referencing dotnet's manual here. Usually the seed is derived from the system clock and a few other inputs, such as another PRNG. Since the consensus timestamp is exposed in the block header, guessing the seed becomes easier.
Impact
This predictability poses a significant security risk. By analyzing a large set of published block data, it may be possible to infer the random seed sequence of a consensus node. With this information, one could predict the nonce values of some future blocks. Therefore, one can manipulate a transaction's nonce so that the value obtained from System.Runtime.GetRandom is preferable to them.
The block nonce is the crucial random source for various on-chain applications. Applications relying on this random source include:
- Assigning attributes to NFTs
- On-chain gambling games, such as FTW
Suggested Fix
To mitigate this issue, I recommend using a cryptographically secure random number generator, such as RNGCryptoServiceProvider in C#. This will ensure that the random numbers used in block generation are not predictable and significantly enhance the security of the blockchain.
Possible Example:
```csharp
using System;
using System.Security.Cryptography;

using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
    byte[] randomNumber = new byte[8];
    rng.GetBytes(randomNumber);
    // Read all 8 bytes as the ulong nonce; ToInt32 would consume only the first 4.
    ulong value = BitConverter.ToUInt64(randomNumber, 0);
}
```
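As an added example (not code from the NEO project or from this report), the following C# contrasts the seed-determined derivation with a CSPRNG-backed replacement that keeps the original Span<byte>/stackalloc shape of GetNonce; the seed value is constructed for the demonstration.

```csharp
// Added example, not the NEO project's code: a seeded System.Random reproduces
// the same nonce for the same seed, while RandomNumberGenerator has no seed to recover.
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;

public static class NonceDemo
{
    // Same derivation as the reported code, but with the seed made explicit.
    // Anyone who knows (or can narrow down) the seed reproduces the nonce exactly.
    public static ulong NonceFromSeed(int seed)
    {
        Random random = new(seed);
        Span<byte> buffer = stackalloc byte[8];
        random.NextBytes(buffer);
        return BinaryPrimitives.ReadUInt64LittleEndian(buffer);
    }

    // Proposed replacement: RandomNumberGenerator.Fill draws from the OS CSPRNG.
    // RNGCryptoServiceProvider is marked obsolete in .NET 6 and later; the static
    // RandomNumberGenerator methods are the supported API and accept a Span<byte>.
    public static ulong SecureNonce()
    {
        Span<byte> buffer = stackalloc byte[8];
        RandomNumberGenerator.Fill(buffer);
        return BinaryPrimitives.ReadUInt64LittleEndian(buffer);
    }

    public static void Main()
    {
        // Constructed seed: stands in for a clock-derived value a node might end up with.
        const int guessedSeed = 1716500000;
        ulong observed = NonceFromSeed(guessedSeed);
        ulong recomputed = NonceFromSeed(guessedSeed);
        Console.WriteLine($"seeded nonce reproducible: {observed == recomputed}");

        // Two CSPRNG draws are independent; a collision would be a 2^-64 event.
        Console.WriteLine($"csprng nonces differ: {SecureNonce() != SecureNonce()}");
    }
}
```

The first line prints True, which is the whole problem: a recoverable seed makes the nonce recoverable.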
Conclusion
The current method of random number generation in the NEO blockchain is insecure and can be exploited to predict block nonce values. This poses a serious risk to the integrity of on-chain applications. Implementing a cryptographically secure random number generator will address this vulnerability.
Affected code: neo/src/Plugins/DBFTPlugin/Consensus/ConsensusContext.MakePayload.cs, lines 169 to 175 at commit f307a31.