Citation

Shang, Z., Chen, K. “Economic Security of VDF-Based Randomness Beacons: Models, Thresholds, and Design Guidelines.” arXiv:2604.04744v1 [cs.CR] (Apr 6, 2026). HKUST. Accepted to CCS ‘26.

Core Insight

Cryptographic security ≠ economic security for VDFs.

A VDF may be sequentially secure under standard hardness assumptions while still being economically insecure: a rational adversary can profit by purchasing faster hardware and influencing the output when reward spikes (MEV, staking, lottery) are large enough.

Framework

Attacker model: a rational agent facing:

  • Hardware speedup (how much faster can they go with faster hardware?)
  • Operating costs (compute, energy, hardware purchase)
  • Stochastic rewards (MEV opportunities, staking rewards with high variance)

Attack decision: modeled as an optimal-stopping problem. The attacker commits to hardware investment if expected profits exceed costs.

Key result: optimal attack behavior has a monotone threshold structure — attack is optimal iff reward exceeds a threshold that depends on hardware costs and delay parameters.

Extensions

  1. Grinding attacks: attacker can evaluate multiple VDF paths, biasing the output

    • Amplifies effective rewards relative to cryptographic-only analysis
    • Requires longer delays to remain secure
  2. Selective abort: attacker can abort a VDF run that will produce an unfavorable output

    • Classic strategy for randomness manipulation; VDFs resist but don’t eliminate it
    • Requires analyzing abort profitability under reward distribution
  3. Multi-adversary competition: multiple rational attackers compete to influence the beacon

    • Competition can reduce or increase required security margins depending on setup

Empirical Finding

Using realistic cloud costs, hardware benchmarks, and MEV data:

Many proposed VDF delays (a few seconds) are economically insecure under plausible conditions.

At high MEV reward spikes (e.g., large staking rewards, RANDAO manipulation incentives in validator selection), a rational attacker with a cloud budget has an incentive to purchase a speedup factor sufficient to influence the output.

Economically Secure Delay Parameters (ESDPs)

The paper introduces ESDPs as a practical tool: given the reward distribution and hardware cost model, compute the minimum delay T such that no rational attacker finds it profitable to speed up VDF computation.
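A toy version of that calculation, added here as an illustration and not taken from the paper: the cost function (required speedup T/window, rented at a superlinear price), the quantile cut-off standing in for "no rational attacker", the grinding multiplier and the sample rewards are all assumptions.

```python
# Added illustration: a toy cost model, NOT the model from the paper.
import math

def attack_cost(T, window, base_rate, k, fixed):
    """Assumed cost to finish a T-second VDF within `window` seconds."""
    s = max(1.0, T / window)  # required speedup over honest hardware
    # Assumption: renting speedup s costs base_rate * s**k per second (k > 1).
    return fixed + base_rate * (s ** k) * window

def quantile(samples, q):
    """Empirical q-quantile (nearest rank) of the reward samples."""
    xs = sorted(samples)
    return xs[max(1, math.ceil(q * len(xs))) - 1]

def attack_is_profitable(reward, T, grind=1.0, **model):
    """Threshold rule: attack iff the effective reward exceeds the cost at T."""
    return grind * reward > attack_cost(T, **model)

def min_secure_delay(rewards, q, grind=1.0, t_max=1e6, tol=1e-3, **model):
    """Smallest T at which the q-quantile reward no longer pays for an attack.

    Bisection is valid because attack_cost is nondecreasing in T.
    Returns None when even t_max leaves the attack profitable.
    """
    target = quantile(rewards, q)
    if attack_is_profitable(target, t_max, grind, **model):
        return None
    lo, hi = 0.0, t_max
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if attack_is_profitable(target, mid, grind, **model):
            lo = mid
        else:
            hi = mid
    return hi

# Constructed sample: per-round reward in USD, mostly small with rare spikes.
REWARDS = [50] * 90 + [2_000] * 8 + [150_000] * 2
# Hypothetical cost parameters (window in seconds, prices in USD).
MODEL = dict(window=2.0, base_rate=5.0, k=2.0, fixed=1_000.0)

if __name__ == "__main__":
    for g in (1.0, 4.0):  # g > 1: grinding amplifies the effective reward
        print(f"grind={g}: delay >= {min_secure_delay(REWARDS, 0.99, g, **MODEL):.1f} s")
```

With these constructed numbers the 99th-percentile spike pushes the required delay to roughly 244 s, and a grinding factor of 4 pushes it to roughly 489 s.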

Relevance to Ethereum

Ethereum doesn’t currently use VDFs (RANDAO is the randomness source), but:

  • Ethereum’s RANDAO is vulnerable to last-revealer manipulation (attacker can reroll by withholding reveal)
  • VDFs were proposed as a fix in early Ethereum 2.0 research (Vitalik, Justin Drake)
  • If VDFs are deployed as part of randomness improvement proposals, economic security must be assessed alongside cryptographic security
  • VDF-based randomness is used in various L2 protocols and DeFi applications (lotteries, committee selection, randomized ordering)

Connection to MEV

VDF-based randomness is proposed for:

  • Fair ordering mechanisms (reducing frontrunning via randomization)
  • Validator selection (reducing proposer-MEV correlation)
  • DeFi lotteries and auctions (randomness manipulation = MEV)

In all cases, the economic security framework is essential: the VDF delay must be calibrated to the expected MEV value at stake, not just to cryptographic hardness.