solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash
blockhash(block.number) and blockhash(block.number + N) always return 0.
Definition
rules:
  # Flags blockhash() reads whose result is always the zero hash. The EVM
  # BLOCKHASH opcode yields 0 for the block currently being executed and for
  # any block number beyond it, so these calls return a constant rather than
  # the entropy the author usually expects (the linked reference covers the
  # randomness use case).
  - id: incorrect-use-of-blockhash
    message: blockhash(block.number) and blockhash(block.number + N) always returns 0.
    metadata:
      category: security
      technology:
        - solidity
      # Filed under predictability: the result is a known constant. Reads of
      # a recent past block (block.number - N) are still predictable, but are
      # deliberately out of scope for this rule and appear as `ok` in the fixture.
      cwe: "CWE-341: Predictable from Observable State"
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
      subcategory:
        - vuln
      references:
        - https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    patterns:
      - pattern-either:
          # `$N` is a metavariable and binds any expression, so both literal
          # offsets (block.number + 1) and variables (block.number + n) match.
          - pattern: blockhash(block.number)
          - pattern: blockhash(block.number + $N)
          # `* $N` is current-or-future for N >= 1; for N == 0 it is
          # blockhash(0), which is also 0 once the chain is past the
          # 256-block lookback window BLOCKHASH supports.
          - pattern: blockhash(block.number * $N)
          # `block.blockhash(...)` is the pre-0.5.0 member spelling; kept so
          # legacy contracts are covered.
          - pattern: block.blockhash(block.number)
          - pattern: block.blockhash(block.number + $N)
          - pattern: block.blockhash(block.number * $N)
          # NOTE(review): operand order is written literally here;
          # `blockhash($N + block.number)` is not listed. Confirm whether
          # Semgrep normalizes commutative arithmetic for Solidity before
          # relying on it being caught.
    severity: ERROR
    languages:
      - solidity
Examples
incorrect-use-of-blockhash.sol
pragma solidity 0.8.0;

// Fixture for incorrect-use-of-blockhash. Each `ruleid:` annotation must be
// reported on the line that follows it; each `ok:` line must stay silent.
contract Test {
    function func1() external {
        // The block being executed never has a hash available to its own code.
        //ruleid: incorrect-use-of-blockhash
        bytes32 currentHash = blockhash(block.number);

        // A block that does not exist yet -> zero hash.
        //ruleid: incorrect-use-of-blockhash
        bytes32 nextHash = blockhash(block.number + 1);

        // Multiplying by 2 also lands in the future -> zero hash.
        //ruleid: incorrect-use-of-blockhash
        bytes32 doubledHash = blockhash(block.number * 2);

        // Legacy member spelling, removed from the language in 0.5.0; it is
        // here for pattern coverage, which Semgrep matches syntactically, and
        // is not expected to compile under the pragma above.
        //ruleid: incorrect-use-of-blockhash
        bytes32 legacyHash = block.blockhash(block.number);

        // A past block has a real (though observable) hash; out of scope here.
        //ok: incorrect-use-of-blockhash
        bytes32 previousHash = blockhash(block.number - 1);

        uint256 n = 123;
        // Variable offset into the past is likewise not flagged by this rule.
        //ok: incorrect-use-of-blockhash
        bytes32 olderHash = blockhash(block.number - n);
    }
}