Predictable from Observable State
| Property | Value |
|---|---|
| Language | solidity |
| Severity | |
| CWE | CWE-341: Predictable from Observable State |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling blockhash with the current block number or a future one (e.g., block.number or block.number + N) always returns 0 in Solidity, so any value derived from it is constant and predictable. This makes it unsuitable for randomness or for security-critical decisions.
Impact
Relying on blockhash in this way can break logic that depends on unpredictability, such as lotteries or access controls. Attackers may exploit this to predict outcomes, manipulate contract behavior, or cause contract failures, potentially resulting in financial loss or system abuse.
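Added example, not part of this entry: the defective pattern beside a mitigated one that commits to a block number before its hash exists and rejects the zero value. Contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Defective pattern: blockhash() of the current block, of any block number
// >= block.number, or of a block more than 256 blocks old returns bytes32(0),
// so `seed` is always zero and the winner index is fully predictable.
contract PredictableLottery {
    address[] public players;

    function enter() external payable { players.push(msg.sender); }

    function pickWinner() external view returns (address) {
        bytes32 seed = blockhash(block.number);       // always 0x00..00
        uint256 idx = uint256(seed) % players.length; // always 0
        return players[idx];
    }
}

// Mitigated pattern: fix the seed block in advance (its hash is unknown at
// request time), read the hash only after that block is mined and while it is
// still inside the 256-block lookback window, and refuse a zero result.
contract CommittedLottery {
    address[] public players;
    uint256 public drawBlock; // seed block, fixed before its hash exists

    function enter() external payable { players.push(msg.sender); }

    function requestDraw() external {
        require(drawBlock == 0, "draw already requested");
        require(players.length > 0, "no players");
        drawBlock = block.number + 5; // strictly in the future
    }

    function pickWinner() external view returns (address) {
        require(drawBlock != 0 && block.number > drawBlock, "seed block not mined yet");
        require(block.number - drawBlock < 256, "seed block older than 256 blocks");
        bytes32 seed = blockhash(drawBlock);
        require(seed != bytes32(0), "zero blockhash"); // defensive check
        return players[uint256(seed) % players.length];
    }
}
```

The committed version only removes the always-zero defect; a block producer can still influence the hash of the seed block, so high-value randomness should come from a verifiable randomness source rather than blockhash alone.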