Skip to main content

Hash Grinding on Ordering

An advanced, emerging class. Grounded in Cardano's deterministic validation and demonstrated by on-chain proof-of-work such as Fortuna.

Identifier: hash-grinding

Property statement: No placement, ordering, or selection that matters for security is derived from a hash of data the transaction author can influence.

Test: An attacker chooses transaction contents so that a hash-derived position or outcome lands where they want.

Impact:

  • Biased placement in on-chain data structures (denial of service)
  • Rigged "random" selection

Further explanation: A validator has no source of randomness. It sees only data the transaction author chose, and its execution is deterministic. So any value derived from a hash of attacker-influenceable input, the transaction hash, an output reference, a datum field, a token name, can be ground: the author re-tries transaction contents until the hash comes out favorable. This is not expensive. Cardano's own proof-of-work token, Fortuna, is a living demonstration that grinding on-chain hashes at scale is cheap; its entire mechanism is nonce grinding.

The vulnerability appears when a hash decides placement or order in an on-chain structure:

  • a bucket in a sharded or distributed map,
  • a position in a sorted or linked association list,
  • a path in a Merkle Patricia trie,
  • the winner of a "random" selection, raffle, or sortition.

An attacker grinds the input to force a chosen location: cluster many entries into one branch to bloat its proofs and push transactions into execution-unit or size limits (a denial of service against everyone who must traverse it), engineer adjacency to attack a specific neighbor, or win a draw that was supposed to be fair.

Prevent it by never treating an author-influenced on-chain hash as randomness. Use a commit-reveal scheme or a verifiable random function (VRF) for randomness, make placement independent of attacker-controlled hashes, or bound the blast radius (cap per-bucket size, and require inclusion proofs the attacker cannot cheaply densify).