SHERWOOD

Fairness & randomness

How the winning square is drawn, and how to verify it yourself.

The winning hideout must be unpredictable AND unmanipulable — by players, by us, and by the chain's sequencer. Sherwood uses a commit-reveal scheme layered on the block hash.

How a draw is made

While a round is still open, a keeper commits keccak256(secret)on-chain — locking in a secret nobody can see. Bets close. Then the round's entropy block is fixed. Finally the keeper reveals the secret and the contract computes:

winningSquare = keccak256(blockHash, secret, roundId) % 30

The secretwas fixed before bets closed (so the keeper couldn't react to bets); the block hash was unknown when the secret was committed (so the keeper couldn't pick a favorable secret). Biasing the outcome would require the keeper AND the sequencer to collude.

If a keeper ever withholds a reveal to dodge a bad outcome, anyone can call draw() after a 40-block window — it voids the commitment and re-draws against a fresh, unknown block. Withholding only forces a blind re-roll; it never lets anyone choose between two known outcomes.

Verify any past round

Every finalized round publishes its winning square and entropy block on-chain. Punch in a round number to read them straight from the contract:

The roadmap to trustless

Commit-reveal removes the single-operator risk today. For mainnet we verified the chain supports the BLS12-381 precompiles needed for drand — the public randomness beacon run by the League of Entropy — which removes trust in us entirely.