ERC-7977: Future-block oracleless randomness

SamWilsn · July 18, 2025, 6:37pm

Add ERC: Future-block oracleless randomness

master ← angrymouse:patch-1

opened 08:53PM - 16 Jun 25 UTC

When opening a pull request to submit a new EIP, please use the suggested templa…te: https://github.com/ethereum/EIPs/blob/master/eip-template.md We have a GitHub bot that automatically merges some PRs. It will merge yours immediately if certain criteria are met: - The PR edits only existing draft PRs. - The build passes. - Your GitHub username or email address is listed in the 'author' header of all affected PRs, inside <triangular brackets>. - If matching on email address, the email address is the one publicly listed on your GitHub profile.

bbjubjub · July 23, 2025, 6:48pm

Good news: since Prague, one can access the last 8191 block hashes using EIP-2935: Serve historical block hashes from state. That improves liveness a lot.

You that using “entropy slicing” instead of hash functions to aggregate randomness contributions prevents grinding attacks. I am not convinced by that. My mental model is that it doesn’t matter so much what aggregation function you use: the last block producer can see all the previous inputs and as a result they can keep trying values just as easily. It could be that I did not understand your proposal though, so feel free to expand on this.

I think there is an alternative scheme that is more natural and efficient: the execution layer block header includes a field called prevrandao, which already a highly bias resistant source of randomness. Why not have the following protocol:

at block height n, a user registers a request. The system keeps track of n.
starting from block height n+1 (and until n+8192), anyone can fulfill the request permissionlessly by submitting the preimage of blockhash(n+1). The system extracts prevrandao and uses it as a random seed to fulfill the request.

This requires decoding RLP on chain, which is a little bit annoying and also will be broken occasionally by hard forks, but it requires witholding a block to grind 1 bit, and uses only Ethereum. lmk what you think.

(tagging @angrymouse just in case)

angrymouse · July 24, 2025, 5:24am

My mental model is that it doesn’t matter so much what aggregation function you use: the last block producer can see all the previous inputs and as a result they can keep trying values just as easily.

@bbjubjub
It’s indeed true, but you missed one important piece in the proposal: It’s future blocks that matter, not past. Obviously we can’t access future blockhashes right away, but we can have 2 stages: 1 being entering “randomness request”. Of course individual block producers can still try to grind blockhash, but due to slicing of 1 hash into 32 bytes, grinding would have to involve actually grinding 32 MSBs (most significant bits), so block would have to be withheld for significant time to achieve any meaningful improvement to the randomness (though validators indeed can achieve some marginal improvement, with improvement increasing the more they withhold a block).
But prevrandao idea is also very interesting and might be the better solution, especially combined with the slicing idea (slice prevrandao into 32 byte array to “diversify” MSBs throughout whole prevrandao)