The problem with random number generators? They aren’t that random

In the metaverse, randomness is in desperate demand — but genuinely usable random-number generators are few and far between

OPINION
by Felix Xu /
article-image

Midjourney modified by Blockworks

share

If there is one constant within the human experience, it would be that our everyday lives inevitably unfold into a progression of vibrant, unpredictable and seemingly unimportant occurrences. 

Randomness is a fundamental aspect of life; as we open our doors in the morning, we have no way of knowing exactly what the clouds will look like, or how many people will be on the road as we travel to work — and to be frank, most of us probably wouldn’t care. 

Randomness is as inconsequential as it is ubiquitous, at least in the physical world. 

But in the nascent metaverse, randomness is in desperate demand. Today, randomly-generated numbers are universally required in nearly every aspect of Web3 development, from private key generation to community governance, lottery selections and game building. Randomness underpins blockchain security, enables virtual landscape generation and ensures fair play outcomes. Put simply, it serves as the foundational bedrock for a secure and vibrant Web3 experience. 

And yet, genuinely usable pseudo-random number generators are often hard to come by. Many currently available generators are easily broken when manipulated to suit a given need — which can lead to dangerous security flaws — or produce numbers that are not verifiable. This lack goes far beyond mere inconvenience, with implications that could impact community confidence, metaverse innovation, user experience and trust in the metaverse as a whole. 

The problem with random number generators? They aren’t that random

It’s so intuitive as to feel obvious: Random number generators should, in theory, generate random numbers. However, fabricating unpredictability is easier said than done for computers, which fundamentally operate on deterministic logic. 

As technologist James Bridle aptly put the matter in an article for Slate, “The problem modern computers have with randomness is that it doesn’t make mathematical sense […] There would always be some underlying structure to the randomness, some mathematics of its generation, which would allow you to reverse-engineer and re-create it. Ergo: not random.”

Many of the generators available to metaverse innovators today do not deliver true randomness. True random number generators (TRNGs) use an unpredictable physical occurrence (i.e., coin flips, atmospheric noise etc.) to generate numbers, while pseudo-random number generators (PRNGs) leverage algorithms to produce number sequences that appear — and can sometimes be verified as — random.

While the appeal of a TRNG is undeniable, such tools aren’t practical for daily use. True number generators are notoriously inefficient and expensive to operate, requiring a massive volume of information entropy. PRNGs, which deliver random numbers more cheaply and efficiently, present an appealing alternative. However, finding a PRNG suitable for Web3 development isn’t easy. 

Common PRNGs are laden with risks. Predictability is one: If an adversary determines a generator’s initial seed value, they can forecast all ensuing numbers. And, because many PRNGs are centralized (e.g., rely on a single entity or server), they feature a single point of failure and are thus more vulnerable to exploitation. In Web3 contexts, these vulnerabilities can be weaponized to alter game outcomes, skew gambling results or compromise any application relying on randomness. 

Of course, a generator doesn’t need to be exploited to be untrustworthy. PRNGs often lack transparency and verifiability; this lack of proof can shake users’ faith that experiential outcomes are fair. And, if PRNGs do not undergo sufficient testing or evaluation for security vulnerabilities, they may be more prone to flaws and breakage. The risk magnifies if a PRNG is adapted beyond its original intended function.

To summarize: Predictability begets vulnerability, centralization poses security concerns, lack of verifiability threatens blockchain transparency and breakability means potential functional flaws. Conventional PRNGs leave developers vulnerable to exploitation and put their hard work at critical risk. Analogous to building with weak concrete, an app created with an unreliable PRNG is a ticking time bomb. 

If developers aren’t free to develop, we will not have a metaverse. Today, innovators face functional, financial and reputational risks if they construct apps, games or services with run-of-the-mill PRNGs. If their creation breaks down, they will be held accountable — if not legally, then in the court of public opinion — for any lapse in service and user losses.

Read more from our opinion section: DeFi has a reputation problem

In committing to a project, developers make an investment of their time and resources — and like any investor, they need to have a reasonable belief that their investment can deliver returns. PRNG vulnerabilities can shake that confidence, or worse, discourage creators from creating in the first place. 

For a metaverse innovator, building a Web3 app without a reliable, flexible and verifiable PRNG is a bit like a construction firm choosing to build a house with substandard concrete. The house might look beautiful at first — but it could topple in time. How many innovators who otherwise choose to explore Web3 are currently sitting on their hands, unwilling to take the risk? 

The metaverse won’t manifest to its full potential until innovators are empowered to build it. Creators need access to PRNGs that are decentralized, unpredictable, audited and verifiable. Developers require software development kits (SDKs) that are designed with Web3 use cases in mind, include trustworthy randomness generators, and can deliver security, unbiased outcomes and user trust. 

Randomness will never be quite as ubiquitous in the metaverse as it is in the physical world — but at the very least, Web3 architects shouldn’t need to put themselves at risk to access it.

Felix Xu, crypto geek, early adopter, and NFT collector. Felix graduated from NYU Stern and founded two crypto projects, ARPA and Bella Protocol, among the global top 500 by market cap. Felix previously worked at Fosun Investment, Sackler family office, and Vertical Research in New York and Beijing. Felix loves sailing, kitesurfing and was featured in the Wall Street Journal and The New York Times for his NFT collection.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates (6).png

Research

THORChain: The Prices are Going Higher

In recent months, a number of highly accretive developments were implemented across the protocol to improve fee capture, expand product functionality, and ultimately drive value accrual to the RUNE token, with more upgrades on the immediate horizon. These developments include hiking the minimum swap fee parameter to increase revenue, adding a Burn System Income Lever to reduce the RUNE supply, the addition of COSM-WASM smart contracting and IBC to enable an application layer, new chain integrations, and more.

by Luke Leasure

/

news

article-image

0xResearch Newsletter

Who cares about a memecoin supercycle?

Plus, Celestia looks about to flip Ethereum data availability usage

by Donovan Choy /
article-image

Opinion

Decentralization maximalism is dead. Long live permissionless maxis.

Decentralization is still a core tenet of crypto, even if it’s not exactly pragmatic these days

by David Canellis /
article-image

Policy

Crypto.com files suit against SEC, discloses Wells notice

Crypto.com said it received a Wells notice from the SEC in late August

by Katherine Ross /
article-image

Empire Newsletter

The FTX saga is finally coming to an end

A repayment plan has officially been approved, nearly two years after FTX went bust

by David Canellis&Katherine Ross /
article-image

Forward Guidance Newsletter

Coinbase cites SEC’s Ripple appeal to advance its own legal battle

Coinbase filed an interlocutory appeal in its case against the SEC earlier this year

by Ben Strack&Casey Wagner /
article-image

Business

Judge approves FTX bankruptcy plan

FTX “never had the crypto” to make in-kind distributions, witness says at FTX’s confirmation hearing

by Katherine Ross /