Aptos On-Chain Randomness — Pinkas WVUF, DKG, and the State of the Art

By aptos-labs Apr 9, 2026 Feature Progress Importance 10/10 Source

randomnesscryptographyvufdkgaip-41

Aptos On-Chain Randomness: Complete Technical Deep Dive

Aptos provides native on-chain randomness — cryptographically secure, unbiasable random values generated directly by the validator set and available synchronously within Move smart contracts. Defined by AIP-41 (API design) and AIP-79 (cryptographic implementation), this is the most advanced on-chain randomness system deployed on any production blockchain.

Three-Layer Architecture

Layer 1: Distributed Key Generation (DKG)
  Runs once per epoch (~2 hours)
  Validators collectively generate a shared secret via weighted PVSS
  Output: secret key shares distributed to validators

Layer 2: Randomness Generation (per block)
  Validators produce weighted VUF shares for each block
  Shares are aggregated into a single 32-byte seed
  Seed is injected into block_prologue_ext()

Layer 3: Move API (per transaction)
  aptos_framework::randomness module
  Derives per-tx randomness: SHA3-256(DST || seed || tx_hash || counter)
  Counter increments per call within a transaction

The Cryptographic Core: Pinkas Weighted VUF

Aptos uses the Pinkas Weighted Verifiable Unpredictable Function (WVUF) — a novel construction on BLS12-381 pairings. This is NOT a standard threshold BLS signature or a simple VRF. From types/src/randomness.rs:

pub type WVUF = weighted_vuf::pinkas::PinkasWUF;
pub type PK = <WVUF as WeightedVUF>::PubKey;        // G2 dealt public key
pub type SKShare = <WVUF as WeightedVUF>::SecretKeyShare;  // G1 secret shares
pub type ProofShare = <WVUF as WeightedVUF>::ProofShare;   // G2Projective
pub type Evaluation = <WVUF as WeightedVUF>::Evaluation;   // Gt (target group)

The Pinkas WVUF scheme works in five steps:

Key augmentation: Each validator randomizes their DKG-dealt key shares with a random scalar r, producing RandomizedPKs { pi: g^r, rks: [g^(r*sk_i)] }

Share creation: For each block, validators compute H(metadata)^(1/r) where H is hash-to-curve (from crates/aptos-dkg/src/weighted_vuf/pinkas/mod.rs):

fn create_share(ask: &Self::AugmentedSecretKeyShare, msg: &[u8]) -> Self::ProofShare {
    let (r_inv, _) = ask;
    let hash = Self::hash_to_curve(msg);
    hash.mul(r_inv)
}

Share verification: Uses bilinear pairings: e(pi, proof) == e(g, H(msg))
Aggregation: Shares are aggregated using weighted Lagrange coefficients via WVUF::aggregate_shares()
Evaluation derivation: WVUF::derive_eval() produces a Gt element (pairing target group), then SHA3-256(BCS(eval)) gives the final 32-byte seed

From consensus/src/rand/rand_gen/types.rs:

fn aggregate<'a>(
    shares: impl Iterator<Item = &'a RandShare<Self>>,
    rand_config: &RandConfig,
    rand_metadata: RandMetadata,
) -> anyhow::Result<Randomness> {
    let apks_and_proofs = Self::build_apks_and_proofs(&shares_vec, rand_config)?;
    let proof = WVUF::aggregate_shares(&rand_config.wconfig, &apks_and_proofs);
    let eval = WVUF::derive_eval(
        &rand_config.wconfig, &rand_config.vuf_pp,
        metadata_serialized.as_slice(),
        &rand_config.get_all_certified_apk(), &proof,
        THREAD_MANAGER.get_non_exe_cpu_pool(),
    )?;
    let rand_bytes = Sha3_256::digest(bcs::to_bytes(&eval)?).to_vec();
    Ok(Randomness::new(rand_metadata, rand_bytes))
}

Distributed Key Generation (DKG)

The DKG runs once per epoch during reconfiguration. From dkg.move:

struct DKGSessionMetadata has copy, drop, store {
    dealer_epoch: u64,
    randomness_config: RandomnessConfig,
    dealer_validator_set: vector<ValidatorConsensusInfo>,
    target_validator_set: vector<ValidatorConsensusInfo>,
}

The DKG uses weighted PVSS (Publicly Verifiable Secret Sharing) based on the DAS scheme, implemented in crates/aptos-dkg/src/pvss/. It supports both a standard and a "chunky" variant for larger validator sets. The Rust implementation at types/src/dkg/real_dkg/mod.rs uses pvss::das::WeightedTranscript as the core transcript type.

Configuration thresholds from randomness_config.move:

struct ConfigV1 has copy, drop, store {
    // Cannot reconstruct if subset_power/total_power <= this
    secrecy_threshold: FixedPoint64,     // typically ~1/2
    // Guaranteed to reconstruct if subset_power/total_power > this
    reconstruction_threshold: FixedPoint64, // typically ~2/3
}

struct ConfigV2 has copy, drop, store {
    secrecy_threshold: FixedPoint64,
    reconstruction_threshold: FixedPoint64,
    fast_path_secrecy_threshold: FixedPoint64, // for fast path
}

Per-Block Seed Injection

The randomness seed enters the Move VM through the block prologue. From block.move:

fun block_prologue_ext(
    vm: signer,
    hash: address, epoch: u64, round: u64,
    proposer: address,
    failed_proposer_indices: vector<u64>,
    previous_block_votes_bitvec: vector<u8>,
    timestamp: u64,
    randomness_seed: Option<vector<u8>>
) {
    // ...
    randomness::on_new_block(&vm, epoch, round, randomness_seed);
}

Without the randomness feature enabled (old block_prologue), the seed is option::none(), and any randomness API call will abort.

Per-Transaction Derivation

From randomness.move — the core derivation function:

const DST: vector<u8> = b"APTOS_RANDOMNESS";

fun next_32_bytes(): vector<u8> acquires PerBlockRandomness {
    assert!(is_unbiasable(), E_API_USE_IS_BIASIBLE);
    let input = DST;
    let seed = *randomness.seed.borrow();
    input.append(seed);                              // block seed
    input.append(transaction_context::get_transaction_hash()); // tx hash
    input.append(fetch_and_increment_txn_counter());  // call counter
    hash::sha3_256(input)
}

This ensures that:

Different blocks get different randomness (different seeds)
Different transactions within a block get different randomness (different tx hashes)
Multiple calls within a transaction get different randomness (incrementing counter)

The Move API

The aptos_framework::randomness module exposes:

Function	Description
`u8_integer()` through `u256_integer()`	Uniform random integers of each size
`u8_range(min, max)` through `u256_range(min, max)`	Uniform random in [min, max)
`bytes(n)`	Generate n random bytes
`permutation(n)`	Random permutation of [0, 1, ..., n-1] via Fisher-Yates

Usage requires the #[randomness] annotation on a private entry function:

#[randomness]
entry fun roll_dice(player: &signer) {
    let result = aptos_framework::randomness::u64_range(1, 7);
    // result is uniformly random in {1, 2, 3, 4, 5, 6}
}

Anti-Bias Security

The #[randomness] annotation is enforced by the native is_unbiasable() function in aptos-move/framework/natives/src/randomness.rs:

pub struct RandomnessContext {
    txn_local_state: Vec<u8>,  // 8-byte counter
    unbiasable: bool,           // set by VM based on annotation
}

pub fn is_unbiasable(
    context: &mut SafeNativeContext, ...
) -> SafeNativeResult<SmallVec<[Value; 1]>> {
    let is_unbiasable = context.extensions().get::<RandomnessContext>().is_unbiasable();
    Ok(smallvec![Value::bool(is_unbiasable)])
}

This prevents the test-and-abort attack: a user calling a public randomness function, checking the result, and aborting if unfavorable. Since the entry function must be private, the user cannot wrap it in their own abort logic.

Additionally, randomness_api_v0_config.move provides a RequiredGasDeposit to pre-charge maximum gas, mitigating undergassing attacks where users set gas limits that only allow favorable code paths to complete.

The RandManager: Consensus Integration

The RandManager in consensus/src/rand/rand_gen/rand_manager.rs orchestrates the per-block randomness generation pipeline:

Block is ordered by consensus
RandManager broadcasts a RequestShare to all validators via reliable broadcast
Each validator computes their WVUF proof share and responds
Shares are collected in RandStore until the reconstruction threshold is met
Shares are aggregated into a Randomness value
The randomness seed is included in the block metadata

From the RandManager struct:

pub struct RandManager<S: TShare, D: TAugmentedData> {
    author: Author,
    epoch_state: Arc<EpochState>,
    rand_store: Arc<Mutex<RandStore<S>>>,
    aug_data_store: AugDataStore<D>,
    block_queue: BlockQueue,
    reliable_broadcast: Arc<ReliableBroadcast<RandMessage<S, D>, ExponentialBackoff>>,
    // ...
}

Comparison: Every Other Chain

Property	Aptos (Pinkas WVUF)	Chainlink VRF	Solana	Sui (drand)	Ethereum RANDAO
Native	Yes	No (oracle)	Yes	No (external)	Yes
Latency	Same-tx (~200ms)	2+ blocks (~24s)	Same-tx	1+ round (~3s)	Same-block
Cost	Gas only	~$10+ per req	Gas only	Gas only	Free
Unbiasable	Yes (WVUF)	Yes (VRF)	No	Yes (tBLS)	No (last-revealer)
Unpredictable	Yes	Yes	No	Yes	Partial
Synchronous API	Yes	No (callback)	Yes	No	N/A
Security model	PoS validators	Oracle operators	Leader trust	drand committee	PoS validators
Weighted	Yes (by stake)	No	No	No	No

Chainlink VRF (Ethereum/Multi-chain)

Chainlink VRF uses a standalone Verifiable Random Function with a commit-reveal pattern. A user submits a request in transaction 1, Chainlink node operators compute the VRF output off-chain, then submit the result in transaction 2 via a callback. Latency is 2+ blocks (~24 seconds on Ethereum L1), cost is ~$10+ per request, and security relies on trusting Chainlink node operators — a completely separate trust assumption from the chain's own validators.

Solana (SlotHashes / recent_blockhash)

Solana has no true randomness primitive. Developers use recent_blockhash or SlotHashes as pseudo-random seeds. These are trivially manipulable: the block producer (leader) can choose to skip their slot to change the hash, biasing any randomness derived from it. There is no VRF, no threshold cryptography, no verifiability.

Sui (drand-based)

Sui integrates the drand beacon (League of Entropy) for randomness. drand uses threshold BLS signatures across a committee of independent operators. The randomness is unbiasable and unpredictable, but it is external to Sui's own validator set. If the drand network experiences issues, Sui's randomness stops. The API is also not synchronous — contracts must wait for the next drand round.

Ethereum RANDAO

The Ethereum beacon chain uses RANDAO — an XOR of validator RANDAO reveals during block proposals. This suffers from the last-revealer bias: the last validator to reveal can choose to withhold their reveal (forfeiting their block reward) to bias the XOR output. The cost of manipulation is one block reward, which may be economically rational for high-value applications.

Web2 Comparison

On-chain randomness is a fundamentally different category from Web2 randomness:

Intel RDRAND: CPU thermal noise, ~100ns per value, not verifiable by third parties
/dev/urandom: OS-level CSPRNG (ChaCha20), fast but single-machine, not distributed
Random.org: Atmospheric noise, centralized trust, not adversarial-resistant

On-chain randomness must be distributed (no single party knows the output), publicly verifiable (anyone can check correctness), deterministic (for consensus), and adversarially secure (malicious participants cannot bias output). Hardware RNG solves a strictly easier problem.

Is Aptos State of the Art?

Yes. Aptos has the most advanced production on-chain randomness system as of April 2026:

Only chain with weighted VUF: The Pinkas WVUF respects stake weight, meaning security is proportional to stake — not just validator count
Only chain with same-transaction unbiasable randomness: Chainlink VRF is unbiasable but asynchronous. Solana is synchronous but biasable. Only Aptos is both.
Native DKG: The DKG is built into the consensus protocol itself — not an external system like drand
Provable security: Security reduces to the hardness of the BLS12-381 pairing assumption under the same PoS threshold that secures the chain
Developer UX: A single #[randomness] annotation and one function call — no oracle subscriptions, no callback patterns, no external dependencies

Key Contributors

Contributor	Role
Alin Tomescu (alinush)	aptos-dkg crate, Pinkas WVUF, cryptographic primitives
Daniel Xiang (zhuolun-xiang)	Consensus integration, randomness pipeline
Balaji Arun (ibalajiarun)	RandManager, DKG manager, reliable broadcast

Key Source Files

aptos-move/framework/aptos-framework/sources/randomness.move — Move API (642 lines)
aptos-move/framework/aptos-framework/sources/dkg.move — DKG on-chain state
aptos-move/framework/natives/src/randomness.rs — Native function implementations
consensus/src/rand/rand_gen/types.rs — Share creation, verification, aggregation
consensus/src/rand/rand_gen/rand_manager.rs — Per-block randomness orchestration
crates/aptos-dkg/src/weighted_vuf/pinkas/mod.rs — Pinkas WVUF (core crypto)
crates/aptos-dkg/src/weighted_vuf/traits.rs — WeightedVUF trait definition
types/src/randomness.rs — Core type aliases

Deep Comparison: Why Aptos Randomness Is Superior

The summary table above provides a quick overview, but the real story is in the details. This section dissects every major competitor — Solana, Sui, Ethereum RANDAO, Chainlink VRF, Pyth Entropy, API3 QRNG, and RedStone — and explains precisely why Aptos on-chain randomness is the state of the art.

Solana: Fundamentally Broken Randomness

Solana has no native randomness primitive. Developers resort to three approaches, all of which are insecure:

1. SlotHashes / recent_blockhash (The Common Mistake)

The SlotHashes sysvar stores 32-byte SHA-256 hashes from Solana's Proof-of-History mechanism for each of the most recent 512 slots. Many developers use recent_blockhash or slot hashes as pseudo-random seeds. This is trivially exploitable:

Deterministic values: Slot hashes are computed from PoH tick sequences, transaction data, and block metadata — all of which are known to the current leader before the block is finalized
Leader manipulation: The block producer (leader) controls transaction ordering within their slot. By reordering, including, or excluding transactions, they can change the slot hash and thus any "randomness" derived from it
Client-side simulation: Users can simulate transactions locally against the current state, predict which slot hashes will produce favorable outcomes, and only submit during those slots. This turned NFT mints with "random" trait assignment into deterministic farming operations
MEV exploitation: Searchers and validators with Jito or similar MEV infrastructure can front-run randomness-dependent transactions, observe the outcome, and sandwich or reorder to extract value

2. The "Last Leader" Problem

Solana assigns leaders to consecutive 4-slot sequences. A validator who is the last leader before a randomness-consuming transaction can influence the outcome by choosing whether to produce a block or skip their slots. If the leader skips, the next leader must create PoH entries for the skipped slots, changing all downstream hashes. The cost of skipping is just the foregone block rewards and tips for those 4 slots — potentially rational for high-value randomness outcomes like large NFT mints or DeFi liquidations.

This is a weaker version of Ethereum's RANDAO last-revealer bias, but on Solana it affects every application using slot-derived randomness, which is most of them.

3. Switchboard VRF / ORAO VRF (Oracle Workarounds)

To address native randomness's failings, Solana developers use oracle-based VRF services:

Switchboard VRF v2: Uses Ed25519-based VRF with oracle nodes. Cost was initially 0.1 SOL per request, reduced to ~0.002 SOL. Requires a callback pattern — request in one transaction, receive result in another — adding at least one block of latency (~400ms). The oracle operator is a single point of trust for each request.
Switchboard v3 (TEE-based): Moved to Intel SGX trusted execution environments. Claims sub-100ms latency via WebSocket streaming. The security model now depends on Intel SGX not being compromised — a weaker assumption than cryptographic threshold schemes, given SGX's history of side-channel attacks (Foreshadow, Plundervolt, SGAxe).
ORAO VRF: Another Solana VRF oracle, similar callback pattern, similar trust assumptions.

Bottom line: Solana developers must choose between (a) insecure native randomness that is trivially manipulable, or (b) oracle-based VRF that introduces external trust assumptions, callback latency, and per-request fees. Neither option provides same-transaction, unbiasable, trust-minimized randomness.

Sui: Native Randomness With Caveats

Sui deserves credit for implementing native validator-based randomness — making it, alongside Aptos, one of only two chains with randomness generated by validators using threshold cryptography rather than external oracles. However, there are meaningful differences:

Architecture

Sui's implementation uses a DKG protocol at each epoch to distribute secret shares among validators, who then produce randomness for each checkpoint. The randomness is generated in parallel with consensus — validators produce their shares after a transaction is ordered but before execution. The sui::random module at reserved address 0x8 provides the Move API.

Where Sui Falls Short vs. Aptos

No weighted VUF: Sui uses standard threshold BLS signatures for randomness generation. This treats all participants in the threshold scheme equally during aggregation. In a PoS network, this is a mismatch — a validator with 10% of stake should have proportionally more influence on the security guarantee than one with 0.1%. Aptos's Pinkas WVUF weights each validator's contribution by their stake, so the security threshold is measured in stake fraction, not validator count.
Historical drand dependency: Sui originally planned to use the drand beacon (League of Entropy) as its randomness source. drand is an external threshold BLS beacon run by a committee of organizations (Cloudflare, Protocol Labs, etc.). While Sui later moved to native validator-based randomness, the drand dependency remains in the codebase and documentation for compatibility. The drand testnet experienced a 45-minute outage on February 21, 2024, when API incompatibilities and node operator errors caused enough nodes to go offline that the network fell below its threshold — illustrating the fragility of external randomness dependencies.
Different anti-manipulation model: Sui relies on Move's type system and Programmable Transaction Block restrictions to prevent manipulation. Aptos uses the #[randomness] annotation enforced at the VM level with a dedicated RandomnessContext that tracks the unbiasable flag and a per-transaction counter. Additionally, Aptos implements a RequiredGasDeposit mechanism that pre-charges maximum gas to prevent undergassing attacks — a subtlety that Sui's documentation does not address.
No per-call counter isolation: Aptos derives per-call randomness as SHA3-256(DST || block_seed || tx_hash || counter), where the counter increments with each randomness::* call within a transaction. This guarantees that multiple randomness calls in the same transaction receive independent values, with a formal domain separation tag ("APTOS_RANDOMNESS").

Bottom line: Sui has competent native randomness, but Aptos's implementation is more cryptographically sophisticated (weighted VUF vs. threshold BLS), has stronger anti-manipulation protections (undergassing prevention, VM-enforced annotations), and has been in production longer.

Ethereum RANDAO: Biasable by Design

Post-Merge Ethereum uses RANDAO for in-protocol randomness. Each block proposer mixes a BLS signature of the epoch number into a running XOR accumulator:

new_randao = old_randao XOR BLS_sign(proposer_key, epoch)

The fundamental weakness is the last-revealer bias: the final proposer in an epoch (or any sequence of consecutive slots they control) can observe the accumulated RANDAO value, compute what the final value would be with their contribution, and choose to skip their proposal if the result is unfavorable. The cost is one missed block reward (~0.05 ETH at current rates), which is economically rational to sacrifice for any randomness-dependent outcome worth more than that.

With 32 consecutive slots per epoch and probabilistic assignment, validators with large stake can sometimes control 2-3 consecutive proposals, giving them multiple bits of bias. This makes RANDAO unsuitable for high-value applications — which is why the Ethereum community universally recommends Chainlink VRF for anything security-critical.

Aptos advantage: The Pinkas WVUF is algebraically unbiasable. A validator who withholds their share simply delays randomness generation until enough other shares arrive — they cannot influence the output value. The WVUF evaluation is deterministic given any sufficient subset of shares.

Chainlink VRF v2.5: Secure but Slow, Expensive, and Awkward

Chainlink VRF is the most widely used randomness oracle in crypto, and it is cryptographically secure — the VRF construction guarantees unbiasability and unpredictability. But it has severe practical limitations:

The Callback Pattern

Chainlink VRF requires a two-transaction flow:

Request: Your contract calls requestRandomWords(), which emits a log event
Wait: Chainlink node operators see the event, compute the VRF proof off-chain, and submit a fulfillment transaction
Callback: Your contract's fulfillRandomWords(requestId, randomWords) is called with the result

This asynchronous pattern forces developers to split their logic across two functions, manage request IDs, handle the case where the callback never arrives, and deal with state that may have changed between request and fulfillment. For a dice game, this means: user clicks "roll" → waits 2+ blocks → result appears. The UX is fundamentally worse than Aptos's synchronous randomness::u64_range(1, 7).

Cost

Chainlink VRF v2.5 charges a percentage-based premium on top of the callback gas cost, payable in LINK or native token. On Ethereum L1, a single VRF request costs $10-30+ depending on gas prices. On L2s like Arbitrum or Base, costs drop to $0.10-0.50, but the architectural overhead remains. Developers must either maintain a LINK-funded subscription or use direct funding, both requiring treasury management and monitoring.

Aptos cost: Zero beyond normal transaction gas. No subscription. No LINK tokens. No premium fees.

Latency

Chainlink VRF v2.5 targets ~2-second end-to-end latency under optimal conditions, but real-world latency is typically 1-3 blocks on the target chain. On Ethereum L1, this means 12-36 seconds. On faster L2s, it can be 2-6 seconds. This is still fundamentally asynchronous — there is always a gap between request and fulfillment.

Aptos latency: Zero additional latency. Randomness is available in the same transaction, within the same function call. Total transaction finality is ~200ms.

Trust Model

Chainlink VRF security depends on trusting the Chainlink node operator network — a completely separate set of entities from the chain's own validators. You are adding a second trust assumption on top of the chain's consensus. If Chainlink's node operators collude or go offline, your application's randomness stops working regardless of the base chain's health.

Pyth Entropy: Better Than Chainlink, Still Not Native

Pyth Network, known primarily as a price oracle, launched Entropy — a randomness service using a two-party commit-reveal protocol. As of 2025, Entropy v2 is live on 15+ EVM chains with over 10 million requests served.

How Entropy Works

User generates a random number locally, computes its hash (commitment), and submits it on-chain along with a fee
Pyth's provider also has a pre-committed random number for that sequence number
After a configurable reveal delay (to handle block reorgs), Pyth's keeper submits the provider's random number
The final randomness is derived by combining both parties' random numbers — neither party alone can predict or bias the output

Limitations

Still asynchronous: Like Chainlink, Entropy requires a callback pattern. Request in one transaction, receive result in another. The reveal delay adds additional blocks of latency beyond the minimum.
Two-party trust model: Security relies on the user and Pyth's provider not colluding. If the provider sees the user's commitment and can predict or influence which random number to reveal, the scheme breaks. In practice, the provider uses pre-committed values (a hash chain), but this is still a weaker guarantee than threshold cryptography among dozens of validators.
Per-request fees: Entropy charges a provider fee plus a protocol fee (subject to Pyth DAO governance) on top of gas costs. The fees are denominated in native tokens and vary by chain, determined dynamically via entropy.getFeeV2().
External dependency: If Pyth's keeper network goes down or the provider fails to reveal, your application's randomness stalls. There is no fallback.

Credit where due: Entropy's commit-reveal is simpler and cheaper than Chainlink VRF, and the two-party model provides reasonable security for most applications. But it remains an oracle service with external dependencies, callback latency, and per-request costs — all things Aptos eliminates.

API3 QRNG: Quantum Theater

API3 QRNG markets itself as "quantum random number generation" for blockchains, sourcing entropy from the Australian National University's (ANU) quantum vacuum fluctuation measurements.

The Reality

It is an oracle, not a quantum computer on-chain: ANU measures quantum vacuum noise in their lab, produces random numbers, and API3 relays those numbers to smart contracts via their first-party oracle (Airnode) infrastructure. The randomness quality is excellent — genuinely quantum-derived — but the delivery mechanism is a standard oracle callback.
Trust model: You must trust (a) ANU's quantum measurement apparatus, (b) API3's Airnode relay infrastructure, and (c) that the Airnode operator is faithfully relaying the quantum numbers without substitution. The "quantum" part does not help with the trust problem — it only ensures the numbers are truly random at the source, not that they arrive unmanipulated.
Callback latency: Same asynchronous request-callback pattern as Chainlink VRF. Request in one transaction, receive quantum random number in a later transaction.
Limited chain support: Available on ~13 chains, none of which include Solana or Sui. Not available on Aptos.
Free (gas only): API3 does not charge per-request fees for QRNG, which is a genuine advantage over Chainlink VRF's pricing. However, you still pay callback gas.

The quantum marketing is irrelevant to the security problem. On-chain randomness does not need quantum-derived entropy — it needs distributed, unbiasable, verifiable entropy. A threshold VUF among 100+ validators provides stronger guarantees than a single quantum source relayed through an oracle, because the security depends on the delivery and verification mechanism, not the entropy source.

RedStone: Wrong Category Entirely

RedStone is a price oracle, not a randomness oracle. It appears in randomness discussions because of its headline "10ms updates" — specifically, RedStone Bolt, which delivers price feed updates every 2.4 milliseconds on MegaETH's testnet.

What RedStone Actually Does

Price feeds: Aggregates price data from 50+ sources (Binance, Coinbase, Uniswap, etc.) across 100+ blockchains
Pull-based model: Unlike Chainlink's push oracles, RedStone uses a "pull" model where price data is attached to user transactions as calldata, reducing costs by not requiring separate oracle update transactions
RedStone Bolt: A specialized ultra-low-latency push oracle for MegaETH (10ms block times). Delivers 400+ price updates per second. Currently testnet-only.

Why This Is Not Randomness

Price feeds and randomness solve completely different problems:

Price feeds relay a known, observable real-world value (e.g., ETH/USD = $3,200) — the goal is accuracy and freshness
Randomness generates an unknown, unpredictable value — the goal is unpredictability and unbiasability

You cannot derive secure randomness from price feeds. Price movements are partially predictable (especially at millisecond timescales), subject to manipulation (wash trading, spoofing), and observable by the oracle operator before on-chain delivery. Using price feed updates as a randomness source would be even worse than Solana's SlotHashes approach.

RedStone does not offer a randomness product. Including it here is only to clarify that fast price oracles and on-chain randomness are fundamentally different infrastructure.

The Seven Reasons Aptos Wins

Combining all the analysis above, here is why Aptos on-chain randomness is technically superior to every alternative:

#	Property	Aptos	Best Competitor	Why It Matters
1	Synchronous	Same transaction, same function call	Sui (same tx, but post-ordering)	No callback patterns, no request IDs, no split logic. One line: `randomness::u64_range(1,7)`. Every oracle-based solution (Chainlink, Pyth, API3) requires async callbacks.
2	Unbiasable	Algebraic (WVUF)	Chainlink VRF (computational VRF)	Withholding a share delays but cannot bias the output. Solana is trivially biasable. Ethereum RANDAO has last-revealer bias costing only ~0.05 ETH to exploit.
3	No external dependency	Validator-native	Sui (also validator-native)	Chainlink, Pyth, API3 all add a second trust layer. If the oracle network goes down, randomness stops — regardless of chain health.
4	Weighted by stake	Pinkas WVUF	None	Aptos is the only chain where the randomness security threshold is measured in stake fraction. Standard threshold BLS (Sui, drand) treats all shares equally, mismatching PoS economics. A validator with 10% of stake contributes 10% of the security guarantee.
5	Gas-only cost	Zero additional fees	API3 QRNG (also free), Sui (gas only)	Chainlink VRF costs $10-30 per request on Ethereum L1. Pyth Entropy charges provider + protocol fees. On Aptos, randomness is a free primitive like addition or hashing.
6	VM-enforced anti-manipulation	`#[randomness]` + `RequiredGasDeposit`	Sui (PTB restrictions)	The Move VM refuses to execute randomness functions from non-annotated entry points — preventing test-and-revert attacks at the infrastructure level, not the application level. The gas deposit mechanism additionally prevents undergassing attacks where users set gas limits to only allow favorable code paths to complete.
7	Per-call uniqueness	`SHA3-256(DST \|\| seed \|\| tx_hash \|\| counter)`	Sui (similar derivation)	Formal domain separation with "APTOS_RANDOMNESS" DST. Incrementing counter guarantees independence across multiple calls within a single transaction. The derivation is deterministic and verifiable.

Summary: The Competitive Landscape

Solution	Type	Synchronous?	Unbiasable?	Native?	Weighted?	Cost	Verdict
Aptos WVUF	Native threshold	Yes	Yes	Yes	Yes	Gas only	Best in class
Sui Random	Native threshold	Yes	Yes	Yes	No	Gas only	Strong, lacks WVUF
Chainlink VRF v2.5	Oracle VRF	No	Yes	No	No	$10-30+ (L1)	Secure but slow/expensive
Pyth Entropy v2	Oracle commit-reveal	No	Yes	No	No	Provider + protocol fee	Simpler than VRF, still async
API3 QRNG	Oracle quantum	No	Yes*	No	No	Gas only	Marketing > substance
Ethereum RANDAO	Native accumulator	Yes	No	Yes	No	Free	Biasable, unsuitable
Solana SlotHashes	Native hash	Yes	No	Yes	No	Free	Trivially exploitable
Switchboard VRF	Oracle TEE	No	Depends*	No	No	~0.002 SOL	SGX trust assumption

* API3 QRNG is unbiasable at the source but relies on oracle delivery trust. Switchboard v3 security depends on SGX enclave integrity.

Aptos occupies a unique position: it is the only blockchain that simultaneously provides synchronous access, algebraic unbiasability, stake-weighted security, zero additional cost, and VM-enforced anti-manipulation — all without any external dependency. No other chain or oracle service achieves all of these properties together.

ELI5 — Explain Like I'm 5

The Big Picture: Imagine you and your friends want to flip a coin, but nobody trusts anyone else to do the flipping. What if one person flips and says "heads" — how do you know they are telling the truth? And what if they peeked at the coin mid-air and changed their call?

What Aptos Does: Aptos solved this problem for blockchains. Instead of one person flipping the coin, ALL the validators (the computers running the network) each secretly create a piece of a random number. No single piece is useful on its own — you need enough pieces combined to reveal the actual random number. Once enough pieces arrive, the number appears, and nobody could have predicted or changed it.

The Coin Flip Analogy: Think of it like this — imagine 100 people each write a secret number on a piece of paper and lock it in a box. Nobody can open anyone else's box. Then a special math formula combines all the locked numbers into one final number. No single person knew what the final number would be. No single person could change it. And everyone can verify the math was done correctly. That is what Aptos randomness does — except with fancy cryptography (called a Pinkas Weighted VUF) instead of paper and boxes.

Why This Is Better Than Everything Else:

vs. Solana: On Solana, the block producer can literally choose which random number you get by reordering transactions or skipping their slot. There is no real randomness — just predictable hashes that anyone can game. NFT mints on Solana have been farmed this way.
vs. Ethereum: Ethereum uses something called RANDAO, where the last person to contribute can cheat by choosing not to participate if the result is unfavorable. The cost to cheat is just one block reward (~$160).
vs. Sui: Sui also has validator-based randomness (good!), but it treats every validator equally regardless of how much stake they have. Aptos weighs each validator's contribution by their stake, which is more secure and matches how proof-of-stake actually works.
vs. Chainlink VRF: Chainlink gives you secure randomness, but you have to wait for a separate company's computers to respond (12-36 seconds on Ethereum), pay $10-30 per request, and write your code in a complicated two-step "request then callback" pattern. On Aptos, you just call one function and get the answer instantly.
vs. Pyth/API3: These are oracle services — external companies that send random numbers to your contract. If their service goes down, your randomness stops. On Aptos, randomness is built into the chain itself.

How Developers Use It: A developer just writes #[randomness] above their function and calls randomness::u64_range(1, 7) to get a dice roll. That is it. One line of code for a provably fair random number — something that used to require entire oracle networks, callback patterns, and per-request payments.

What You Learned: You just learned about on-chain randomness — how Aptos uses advanced cryptography to let smart contracts generate truly fair random numbers without trusting anyone, faster and cheaper than any other blockchain. It is the only chain where randomness is instant, free, unbiasable, and weighted by stake — all at once.

Related Systems

On-Chain RandomnessDKGEncrypted MempoolBaby Raptr Consensus

Other Deep Dives

View this report interactively with Advanced / ELI5 tabs at https://aptos-intelligence.vercel.app/#randomness-deep-dive. Plain-text version: /reports/randomness-deep-dive.txt.