{"id":47577987,"url":"https://github.com/randao/randao","last_synced_at":"2026-04-15T04:00:40.317Z","repository":{"id":30161659,"uuid":"33711950","full_name":"randao/randao","owner":"randao","description":"RANDAO: A DAO working as RNG of Ethereum","archived":false,"fork":false,"pushed_at":"2023-03-01T04:07:23.000Z","size":3675,"stargazers_count":831,"open_issues_count":5,"forks_count":114,"subscribers_count":42,"default_branch":"master","last_synced_at":"2024-07-25T02:44:22.183Z","etag":null,"topics":["contract","ethereum","rng"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/randao.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-10T06:16:31.000Z","updated_at":"2024-07-23T01:51:31.000Z","dependencies_parsed_at":"2023-02-16T16:32:07.561Z","dependency_job_id":null,"html_url":"https://github.com/randao/randao","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/randao/randao","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randao%2Frandao","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randao%2Frandao/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randao%2Frandao/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randao%2Frandao/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/randao","download_url":"https://codeload.github.com/randao/randao/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randao%2Frandao/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31825515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"online","status_checked_at":"2026-04-15T02:00:06.175Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["contract","ethereum","rng"],"created_at":"2026-03-31T08:00:20.455Z","updated_at":"2026-04-15T04:00:40.310Z","avatar_url":"https://github.com/randao.png","language":"JavaScript","funding_links":[],"categories":["Distributed randomness"],"sub_categories":["Commit reveal"],"readme":"\n[![Join the chat at https://gitter.im/randao/randao](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/randao/randao?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n\n### Random number in programming is very important!\n\nRNG in a deterministic system is very difficult\n\n### Solutions\n\nA DAO (decentralised autonomous organisation) that anyone can participate in, and the random number is generated by\nall participants together!\nFirst of all, we need to create a RANDAO contract in the blockchain,\nwhich defines the participation rules.\nThen the basic process of generating a random number can be divided into\nthree phases:\n##### The first phase: collecting valid sha3(s)\nAnyone who want to participate in the random number generation needs to\nsend a transaction to the contract C with m ETH as pledge in a specified\ntime period (e.g, 6 block period, approximately 72s), accompanied by the\nresult of sha3(s), s is the secret number respective picked by\nparticipant.\n\n##### The second phase: collecting valid s\nAfter the first phase, anyone who submitted sha3(s) successfully needs\nto send a transaction with the secret number s in the first stage to\ncontract C within a specified time period. Contract C will check if s is\nvalid by running sha3 against s and comparing the result with previous\ncommitted data. Valid s will be saved to the collection of seeds to finally\ngenerate the random number.\n\n##### The third phase: calculating a random number, refund pledged ETH and bonus\n1. After all secret numbers have been successfully collected, contract C\n   will calculate the random number from the function f(s1,s2,...,sn), the result will be written to the storage of C, and the result will\nbe sent to all other contracts that requested the random number before.\n2. Contract C will send back the pledge to the participants in the first\n   phase, and the profit is divided into equal parts and sent to all\nparticipants as an additional bonus. The profit comes from the fees that is paid by\nother contracts that consume the random number.\n\n#### Additional rules\nIn order to ensure the RNG can't be manipulated, as well as for\nsafety and efficiency, the contract C has the following additional rules:\n\n1. The first phase, if two or more of the same sha3(s) are submitted in\n   sequence, only the first one is accepted.\n2. The first phase, there is a requirement for minimum number of\n   participants, if it fails to collect enough sha3(s) within the time\nperiod, then RNG at this block height will fail.\n3. If a participant submits the sha3(s) and it is accepted by contract C,\n   he must reveal the s in the second phase.\n\n    3.1 If the participant fails to reveal s in the second phase, then the m\nETH sent in the first phase will be confiscated without providing a return.\n\n    3.2 If one or more s isn't revealed in the second phase, RNG at this\nblock height will fail. Confiscated ETHs will be divided equally and\nsend to other participants who revealed s at the second phase.  The fees\npaid by other contracts will be refunded.\n\n\n#### Incentive\nThe RNG cycle is very short,  and could be for example 20 cycles in one hour, if one\ncycle's profit is 0.001% , the monthly rate of return is up to `0.00001 *\n20 * 24 * 30 = 0.144`.\nTargeting to 14.4% monthly rate of return, and RNG has n participants on\naverage, the running costs of contract is `n * 3 * 500 * gasPrice +\nCcost`. (Ccost is gas consumed by contract internally, including\ncomputing and storage, etc. )\nAssuming each random numbers has r time requests on average, the call\nprice is p ETH, the income is `r * p`. So each participant will get `(rp -\n1500n * gasPrice - Ccost) / n` from one time participation.\nThe current gasPrice is 10 szabo, and estimate of contract consumption\nis 1500n gas, so estimate of net income is `(rp / n - 0.03)` ETH.\nAssuming each RNG has 10 participations, and the pledge is 1000ETH, the\nminimum required income is 0.4 ETH, which over 0.001% profit in this\ncase. So if the RNG is requested only once, the service price is 0.4 ETH,\nand if it is requested 10 times, the price is just 0.04 ETH for each\nrequest.\n\n\nThe RANDAO acts as an infrastructure in the Ethereum system. It is called by\nother contracts. Contracts for different purposes require different\nrandom numbers: some need high security, such as lottery; some need\nsteady responses and the request should be responded immediately, these\ncontracts are normally low-value; some need a callback,\nthey want to receive a notification with random numbers when numbers are\nready.\n\nObviously it's impossible to meet different requirements in various\nscenarios with only one RNG contract, so a lot of contracts will be\ncreated with different initial parameters, but the basic rules are the same.\n\nFor example, if we need high security, we can substantially increase the\npledge of the first phase. Thus, the cost of leading to failure of RNG\nprocess by not revealing s is greatly increased. And for the contracts\nwithout much interest involved, the minimum number of participants and\nthe pledge can be lower.\n\nLet's look at an example of a dApp betting on odd or even numbers, we'll show how to\nadjust the contract's parameters to meet the desired security level, by\nmaking the cost of cheating higher than expected earnings.\nAssuming the bet is 1000 ETH, the betting contract calls a RNG contract\nC1, if C1 failed to generate a random number at requested block height,\nthen betting contract waits for the next random number of C1, until\nthere is one generated.\n\nLet's build the RNG contract C1, and set the pledged ETH of C1 to 2000. The\ngambler G plays the betting dApp but also participates in the contract. When he\nfinds himself in a disadvantageous position before he reveals his secret\nnumber, he can choose not to reveal s, so that the RNG failed and he got\nanother chance. But he will lose the 2000 pledged ETH, so although he can get\n1000 ETH expected return, it is still a bad deal. \nHowever, G can reduce his losses on C1 by some means, such as participating in\nC1 using two accounts, sending two sha3(s). if in a disadvantageous\nposition, G will keep only one account's secret, and if only one\nparticipant expect G participate to in C1, G will only lose 1000 ETH in C1,\nbut G will get 1000 ETH as expected return, which is a worthy try.\n\nThis issue can be fixed by confiscating the pledged ETH, and not return them\nto participants as bonus. so a contract with 1000 pledged ETH will meet\nthe requirement of the betting dApp.\n\nBesides confiscation, another scheme can prevent such attacks by\nintroducing an additional system: RANDAO membership.\nTo become a member you must pay dues, anyone paid their dues is a\nmember.  Members have different levels according to the dues they paid.\nMembership does not belong to a contract, but instead functions like a passport to\nparticipate in some RANDAO contracts. If a breach of any contract happens,\nthat person's membership will be ended and the dues will be confiscated.\nNow we can add an additional agreement to C1, C1 will only accept\nnumbers committed by members whose level of investment is high enough (membership\ndues over 1000 ETH). This will ensure that nobody has a financial motive to try an attack.\n\n-----\n\nQA:\n\nQ: Why not let the miners participate in RNG? Why not use tx hash, nonce\nand other blockchain data?\nA: Miners have the ability to manipulate these blockchain data, and thus\ncan indirectly affect RNG. If RNG contains blockchain data, it will give\nthe miners capacity to construct random numbers in their favor.\n\nQ: the miners can ignore certain transactions that contain random number\nthey dislike, how to deal with that?\nA: That's why we need a time window period. A reasonable period should\nbe greater than 6 blocks, we believe that nobody can produce 6 blocks in\nsuccession. So if the participant is honest,  and he send numbers\nimmediately as long as each time window open, he doesn't need to worry\nabout being excluded.\n\nQ: Why use all numbers of all participants, rather than a subset?\nA: The rule to pick a subset is deterministic, so participants will try\nto take specified position of the collection by various means, if they\nsucceed, they will know in advance what the random number is generating\nfrom subsets. If the rule to pick a subset is randomised, then we still have the problem of true randomisation.\n\nQ: Where does pledged dues go?\nA: It will be donated to a charity, or RANDAO to maintain funding.\n\nNote: f(s1, s2, ..., sn) is a function with multiple inputs, for\nexample r = s1 xor s2 xor s3 ... xor sn, or r = sha3(sn + sha3(sn-1 + ... (sha3(s2 + s1))))\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandao%2Frandao","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frandao%2Frandao","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandao%2Frandao/lists"}