The problem with random number generators? They aren’t that random

In the metaverse, randomness is in desperate demand — but genuinely usable random-number generators are few and far between


Midjourney modified by Blockworks


If there is one constant within the human experience, it would be that our everyday lives inevitably unfold into a progression of vibrant, unpredictable and seemingly unimportant occurrences. 

Randomness is a fundamental aspect of life; as we open our doors in the morning, we have no way of knowing exactly what the clouds will look like, or how many people will be on the road as we travel to work — and to be frank, most of us probably wouldn’t care. 

Randomness is as inconsequential as it is ubiquitous, at least in the physical world. 

But in the nascent metaverse, randomness is in desperate demand. Today, randomly-generated numbers are universally required in nearly every aspect of Web3 development, from private key generation to community governance, lottery selections and game building. Randomness underpins blockchain security, enables virtual landscape generation and ensures fair play outcomes. Put simply, it serves as the foundational bedrock for a secure and vibrant Web3 experience. 

And yet, genuinely usable pseudo-random number generators are often hard to come by. Many currently available generators are easily broken when manipulated to suit a given need — which can lead to dangerous security flaws — or produce numbers that are not verifiable. This lack goes far beyond mere inconvenience, with implications that could impact community confidence, metaverse innovation, user experience and trust in the metaverse as a whole. 

The problem with random number generators? They aren’t that random

It’s so intuitive as to feel obvious: Random number generators should, in theory, generate random numbers. However, fabricating unpredictability is easier said than done for computers, which fundamentally operate on deterministic logic. 

As technologist James Bridle aptly put the matter in an article for Slate, “The problem modern computers have with randomness is that it doesn’t make mathematical sense […] There would always be some underlying structure to the randomness, some mathematics of its generation, which would allow you to reverse-engineer and re-create it. Ergo: not random.”

Many of the generators available to metaverse innovators today do not deliver true randomness. True random number generators (TRNGs) use an unpredictable physical occurrence (i.e., coin flips, atmospheric noise etc.) to generate numbers, while pseudo-random number generators (PRNGs) leverage algorithms to produce number sequences that appear — and can sometimes be verified as — random.

While the appeal of a TRNG is undeniable, such tools aren’t practical for daily use. True number generators are notoriously inefficient and expensive to operate, requiring a massive volume of information entropy. PRNGs, which deliver random numbers more cheaply and efficiently, present an appealing alternative. However, finding a PRNG suitable for Web3 development isn’t easy. 

Common PRNGs are laden with risks. Predictability is one: If an adversary determines a generator’s initial seed value, they can forecast all ensuing numbers. And, because many PRNGs are centralized (e.g., rely on a single entity or server), they feature a single point of failure and are thus more vulnerable to exploitation. In Web3 contexts, these vulnerabilities can be weaponized to alter game outcomes, skew gambling results or compromise any application relying on randomness. 

Of course, a generator doesn’t need to be exploited to be untrustworthy. PRNGs often lack transparency and verifiability; this lack of proof can shake users’ faith that experiential outcomes are fair. And, if PRNGs do not undergo sufficient testing or evaluation for security vulnerabilities, they may be more prone to flaws and breakage. The risk magnifies if a PRNG is adapted beyond its original intended function.

To summarize: Predictability begets vulnerability, centralization poses security concerns, lack of verifiability threatens blockchain transparency and breakability means potential functional flaws. Conventional PRNGs leave developers vulnerable to exploitation and put their hard work at critical risk. Analogous to building with weak concrete, an app created with an unreliable PRNG is a ticking time bomb. 

If developers aren’t free to develop, we will not have a metaverse. Today, innovators face functional, financial and reputational risks if they construct apps, games or services with run-of-the-mill PRNGs. If their creation breaks down, they will be held accountable — if not legally, then in the court of public opinion — for any lapse in service and user losses.

Read more from our opinion section: DeFi has a reputation problem

In committing to a project, developers make an investment of their time and resources — and like any investor, they need to have a reasonable belief that their investment can deliver returns. PRNG vulnerabilities can shake that confidence, or worse, discourage creators from creating in the first place. 

For a metaverse innovator, building a Web3 app without a reliable, flexible and verifiable PRNG is a bit like a construction firm choosing to build a house with substandard concrete. The house might look beautiful at first — but it could topple in time. How many innovators who otherwise choose to explore Web3 are currently sitting on their hands, unwilling to take the risk? 

The metaverse won’t manifest to its full potential until innovators are empowered to build it. Creators need access to PRNGs that are decentralized, unpredictable, audited and verifiable. Developers require software development kits (SDKs) that are designed with Web3 use cases in mind, include trustworthy randomness generators, and can deliver security, unbiased outcomes and user trust. 

Randomness will never be quite as ubiquitous in the metaverse as it is in the physical world — but at the very least, Web3 architects shouldn’t need to put themselves at risk to access it.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Templates.png


ZKPs enable efficient offchain transaction processing and validation, resulting in increased throughput and reduced fees. Solana's ZK Compression leverages ZKPs to minimize onchain storage costs, while Sui's zkLogin streamlines user onboarding by replacing complex key management with familiar OAuth credentials.


The crypto asset manager lowered its planned fee from 0.25% to 0.15%, undercutting its competitors


Plus, a look at planned ETH ETF fees and how they differ from their BTC counterparts


North Korea suspected in breach of Indian exchange’s multisig wallet


Plus, Sanctum’s CLOUD token has officially launched — but not without problems


It’s not yet clear whether Donald Trump is pumping bitcoin. But an unofficial memecoin is still seeing benefit.