On-chain Randomness · on KUB

Randomness your contracts can prove.

Provably-fair randomness as a service for onchain games and finance on KUB. Your users sign once, a keeper settles in seconds, and your contract gets a callback. Every result is recomputable from public chain data. No oracle, no VRF service.

Try a live demo Fairness How it works

Two blocks. One number
nobody could predict.

Your user signs once to commit. A later block's hash, unknowable at that moment, becomes the seed. Then a keeper settles it for free, and the number is just one keccak256 hash anyone can recompute.

01 / Requestyou · sign once
requestCallback(seed)
One signature reserves an id, pins the result to a future block, and escrows a bounty (the gas-scaled fee). No number exists yet, so there is nothing to predict.
02 / Sealthe chain · a future block
blockhash(revealBlock)
Blocks keep mining. When the reveal block lands, its hash becomes the seed. It did not exist at commit time, so no player, dev, or bot could steer it.
03 / Reveala keeper · no signature
keeper → reveal(id)
A keeper (or anyone) reveals once the block exists and claims the escrowed bounty, a self-funding permissionless market. Your user never signs a second time.
keccak256the whole result is one hash, and only the block hash is unpredictable
keccak256( blockhash · id · requester · seed ) 0x9f3ac1…b7e2 19 pick(0, 37)
id, requester and seed are public; the block hash is the only ingredient nobody could predict. Recompute the line above from public chain data and you get the same number, every time. That is what "provably fair" means here.

Atomic grinding is impossible. Because reveal reverts until the next block is mined, an attacker cannot compute the result and revert on a loss inside one transaction. The most common on-chain gambling exploit is closed by construction.

Built to be trusted,
and to be checked.

A primitive that handles value should never overclaim, so we document exactly what it defends and what it does not. It passes 36/36 tests, internal multi-agent passes, and an external hard audit, with no fund-loss bug in the core.

A loser can't dodge
The stake escrows at request; settlement is permissionless (a keeper, the next user, or anyone reveals); on expiry it forfeits. Liveness never depends on one bot.
Atomic-grind proof
Request and reveal cannot share a transaction, so the revert-on-loss attack never reaches the outcome.
Provably fair
Each result is keccak(blockhash, id, requester, seed). Recompute it from public chain data and confirm it was never touched.
No rug, no pause
The only privileged role is the fee recipient (Ownable2Step). It cannot touch randomness, escrows, the fee formula, or pause anything. A leaked owner key risks only future fee revenue.
!
Cap your value
A block producer can bias a single block, the irreducible limit without a real VRF. The honest mitigation is economic: cap the aggregate value per reveal block.
checked live, right now
checking…
scanning KUB blocks…
See the live fairness test →

Inherit one contract.
Write one function.

Inherit EntropyConsumerV21 and implement _onRandomness; the base handles the fee, callback auth, anti-spoof, and a recovery path. Open the full SDK & API reference →

GigaKingMint.sol
// illustrative sketch — full compilable example at /sdk/examples. inherit the SDK base (DurianEntropyV21, KUB chainId 96)
contract GigaKingMint is EntropyConsumerV21 {
    constructor(address e) EntropyConsumerV21(e) {}  // 0xa322…EFdC8

    // user signs ONCE: pay the gas-scaled fee, reserve a future-block roll
    function mint() external payable {
        require(msg.value >= entropy.fee(CB_GAS));
        pending[_roll(seed, CB_GAS)] = msg.sender;
    }

    // a keeper reveals; the base calls you back, grind-proof (paid at request)
    function _onRandomness(uint256 id, uint256 r) internal override {
        _mint(pending[id], pickTier(r));
    }
}
Lottery, 6 digits from one reveal
uint256 r = entropy.reveal(drawId);
uint256 winning = r.digits(6);  // 482917
Roulette, one pocket
uint256 r = entropy.reveal(spinId);
uint8 pocket = uint8(r.pick(0, 37));  // 0 to 36

Function reference

requestCallback(seed, consumer, cbGas)pay the fee, get a callback on reveal (what _roll calls); request(seed) is the free, callback-less path
fee(uint32 cbGas) → uint256the gas-scaled fee to send, at the current gas price
seal(id) · reveal(id) → uint256capture the blockhash (≤256 blk) then settle + callback; revealable anytime once sealed (permissionless, idempotent)
status(uint256 id) → uint80 NONE · 1 WAITING · 2 READY · 3 EXPIRED · 4 FULFILLED
results(uint256 id) → uint256the stored randomness (0 until revealed)
Download the full guide (.md) ↓ Open in browser ↗

SDK files: durian-entropy.js · EntropyConsumerV21.sol · IEntropyConsumer.sol · EntropyLib.sol · examples: CoinFlip / NFT / Roulette

One primitive, every game.

Derive as many independent values as you need from a single reveal with the EntropyLib helper. Each demo draw below commits and then waits for a real future block to seal, so it can't be rushed.

Coin flip
Heads or tails for keeps. Stake escrows on commit, settles a block later.
r & 1 == 0 ? HEADS : TAILS
Lottery
One draw, one number, everyone checks the same fair result.
r.digits(6)
Roulette
European single-zero, fair pocket, no keeper bot required.
r.pick(0, 37)
NFT tiers
Random rarity on mint, grind-proof when you commit first.
r.pick(0, weights)

How good is the randomness?

Every value is keccak256 of a real, unpredictable KUB block hash, so the output is uniformly distributed and nothing the caller controls can bias it. Pick any game and run it hundreds of times from a single block, then watch the distribution level out. The one caveat is economic, not statistical: a block producer can bias a single block, so cap per-round value.

Pick a game, then run 600 draws from one future block.

Draw a number,
live on KUB.

Connect a wallet and the draw runs the live DurianEntropy V2.1 contract: request() then reveal() (the self-serve path, ~0.003 KUB). In production a keeper sends the second transaction, so your users sign once. No wallet? Run a gasless read-only preview.

network KUB Chain · chainId 96
contract0xa322…EFdC8 ↗ · live on KUB
entropyhash of a real future block
DURIAN ENTROPY · LIVE DRAW
0
0
0
0
Connect a wallet to draw on-chain.
🎲 Roulette demo — USDFAKE play money (test) → 📊 Fairness test — live, every block (no gas) →

The details, in full.

Network
KUB Chain · chainId 96
Contract
DurianEntropyV21 · sign-once callback service · the fee recipient is the only privileged role
Address
0xa32236611eC11980B1F15760eB3432f7e25EFdC8 ↗
Fee owner
0x1218…93D5 · receives the protocol fee, transferable (Ownable2Step); no other power
Keeper API
keeper-v21.durianfun.xyz/reveal · settles on-ping ~6s
Interface
requestCallback · seal · reveal · status · fee(cbGas)
Entropy
keccak(blockhash, id, requester, seed)
Settlement
Permissionless · seal within 256 blocks, then reveal anytime · keeper settles ~6s
Fee
Gas-scaled = bounty + protocol (bountyGas 120000 · protocolBps 10000) ≈ 0.016 KUB per callback request (200k cbGas). Bounty reimburses the revealer (self-funding keeper); protocol → treasury. Free request/reveal path also exists.
Compiler
solc 0.8.24 · optimizer 200 · evm paris
Assurance
36/36 tests, internal multi-agent passes, and an external hard audit, with no fund-loss bug in the core
License
Proprietary © Durian (durianfun) · not open source · licensed use of the canonical deployment

Questions, answered
without spin.

Is this a VRF? +
No, and we never call it one. Durian Entropy is blockhash-based commit-reveal randomness, not a cryptographic Verifiable Random Function. It is grind-proof against ordinary users and contracts. The one residual trust assumption, a block producer biasing a single block, is disclosed openly and mitigated with value caps.
How does my user sign only once? +
Your user signs the request. A keeper (the Durian keeper, the next user via self-crank, or anyone) sends the reveal, and your contract gets the callback. There is no on-chain cron, so the second transaction always needs a sender; the keeper is that sender, and your frontend falls back to a user-signed reveal if the keeper is ever down.
Is it safe to use with real value? +
Yes, for the vast majority of on-chain games and randomized mints, when you cap the aggregate value resting on one reveal block. Atomic grinding is impossible by construction, and a losing player cannot dodge (stake escrows at request; settlement is permissionless; expiry forfeits). Very high-stakes outcomes would want a real VRF, and none exists on KUB today.
What does it cost? +
The callback service charges a small gas-scaled fee per request, roughly 0.016 KUB at 200k callback gas, routed to the treasury. A free, callback-less request/reveal path also exists for self-serve integrators. The caller and keeper pay their own gas.
Has it been audited? +
It passes 36/36 tests, internal multi-agent adversarial passes, and an external hard audit with no fund-loss bug in the core (the only confirmed finding was a deploy-time cap-sizing note in a reference consumer, now a required parameter). Every result is recomputable on-chain. We will not claim a formal firm audit until one exists.
What if no one reveals in time? +
A seal captures the blockhash within the 256-block window in one cheap transaction; after that, reveal (and claim) can happen anytime, with no deadline. If nobody seals within the window the request expires and the stake is forfeit, never refunded or re-rolled. In production a keeper seals in ~6s, so a winner can claim whenever.

The randomness layer for onchain finance on KUB.

Open the SDK reference → Download the guide (.md) ↓ View on KUBScan ↗
↓ Guide.md