Using Pythia VRF solution brings high quality randomness into your applications, but in order or achieve high security and true fairness you should keep some security conciderations in your mind.
In this article you can find some of the top security considerations you should review in your project.
VRFConsumer
in your contract, to interact with the VRF serviceTo interact with Pythia VRF service, your contract need to inherit from VRFConsumer
. It includes checks to ensure the randomness is fulfilled by VRFCoordinator
. It is important to verify randomness before consuming it in your contract. This verification happend in rawFulfillRandomness
function which implemented in VRFConsumer
. To ensure validity of randomness, avoid override rawFulfillRandomness
function in your contract.
fulfillRandomWords
must not revertMake sure your contract logic in fulfillRandomWords()
does not revert. Fulfilling randomness is an one time action and the VRF service will not attempt to call it a second time, Therefore reverting transaction in the implementation will result to lost randomness. Consider simply storing the randomness and taking more complex actions in separate contract calls made by you or your users.
requestId
to match randomnessIf your contract could make multiple VRF requests in simultaneously, you must use requestId
to match randomness requests and do not rely on requests order.
For instance, if you submit randomness requests A
, B
, and C
in rapid succession, there's no guarantee that the corresponding fulfillments will follow the same order of A
, B
, and C
. The fulfillments of randomness could equally arrive at your contract in sequences like C
, B
, A
, or in any other arrangement.
When an outcome in your contract depends on some user-supplied inputs and randomness, the contract should not accept any additional user-supplied inputs after it submits the randomness request. Any user-supplied input could be done before requesting randomness from VRF service.
Accpting input after the randomness request may cause violating security properties by an attacker that can rewrite the chain.
Introduction to Pythia VRF
Pythia VRF is a provably fair and verifiable random number generator that enables smart contracts to access random values without compromising security or usability.
Introduction to Subscriptions
Pythia VRF offers a subscription based system, In which users create a subscription account and fund its balance with network's native token.