September 11th, 2023
The gaming industry has experienced an astonishing surge in growth in recent years, with the GameFi sector alone reaching a staggering valuation of $9 billion in 2021. Projections suggest that this figure will skyrocket to a whopping $38 billion by 2028. While this phenomenal expansion promises immense profits, it also brings forth a growing menace: cyberattacks.
In this dynamic realm of the GameFi Industry, digital assets like ERC-20 Tokens, NFTs, DAOs, and Bridges hold assets worth billions of dollars. The stakes are high, and the implications of a malicious actor successfully breaching any element of a Web3 game, be it the client, server, or smart contracts, are dire. Such an intrusion could lead to the theft of user funds, account lockdowns, or the manipulation of voting capabilities, wreaking havoc on both the organization and its user base.
One recent example of a gaming industry hack involves Poly Network, which experienced a cyberattack in July 2023. A hacker identified a vulnerability in Poly Network's contract that allowed them to mint a seemingly unlimited quantity of tokens, including 10M BUSD and approximately 10M BNB tokens on Metis, nearly 100T SHIB on Heco, and various tokens on Polygon, Avalanche, and BNB Chain, together worth around $10 million.
Similarly, in April 2023, a GameFi project called Tales of Elleria suffered a hack of its Arbitrum bridge in which 140 ETH, valued at around $273,000, was stolen. The hacker split the stolen funds across four transactions. The exploit was connected to the recover function in the smart contract. As a result of the attack, the price of the game's ELLERIUM (ELM) token dropped by 99%.
Security breaches within these critical facets of Web3 gaming pose a serious threat to the trust and integrity of the entire ecosystem. In this article, we will delve into the challenges faced by the GameFi Industry and explore the essential measures required to safeguard your gaming platform from hackers both during and after the development lifecycle.
When addressing GameFi Security, it is essential to understand different components and potential flaws in this industry. A typical Web3 Game has many different components such as the browser and binary (exe) on the client-side that interact with blockchain-based smart contracts. Client-side security is generally the most overlooked aspect of GameFi.
Game hacks are generally small programs that extend the functionality of a Web3 game, and they exist in the form of a browser extension or a binary program. If an attacker can convince a game user to download dangerous add-ons or game hacks that contain malware, they could steal NFTs, ERC-20 tokens, or any other type of in-game asset, resulting in the loss of user funds. Additionally, attackers use phishing to trick users into signing token approvals over their on-chain assets, such as ERC-20 tokens and NFTs, in the attacker's favour; once such an approval exists, the attacker can transfer those assets out of the user's wallet.
Here are some ways to secure components of GameFi:
Regular Updates: Keep blockchain nodes and infrastructure software up-to-date to patch known vulnerabilities.
Distributed Infrastructure: Utilize a distributed network of nodes to reduce the risk of single points of failure.
Decentralized Identity Solutions: Utilize decentralized identity protocols to give users control over their data.
Zero-Knowledge Proofs: Implement zero-knowledge proofs to verify user identity without revealing sensitive information.
Input Validation: Use strong input validation to avoid client-side attacks like Cross-Site Scripting (XSS).
Code Obfuscation: Use code obfuscation techniques to make reverse engineering more challenging.
Secure Asset Rendering: Ensure in-game assets are rendered securely to prevent tampering.
Social engineering attacks can pose a significant threat to the GameFi ecosystem. GameFi platforms involve the use of valuable assets and currencies, making them attractive targets for malicious actors seeking to exploit human psychology and manipulate users for personal gain. A prominent example of this kind of attack targeted a CS:GO inventory in 2022 and stole around $2 million: the attacker gained access to the victim's account and started selling rare skins to public inventories.
In January 2023, Riot Games suffered a data breach due to a social engineering attack, which enabled attackers to gain access to the source code for their popular game League of Legends. The data was subsequently exfiltrated from the company's systems.
This incident highlights the importance of having robust security measures in place to protect against such attacks. GameFi platforms could establish a stronger and more resilient ecosystem through the combination of user education, technical protections, and proactive monitoring, limiting the risks associated with social engineering attacks and encouraging a safer gaming experience for their community.
Secure coding is the practice of writing high-quality code, following software development best practices, that minimizes the risk of introducing security vulnerabilities during smart contract development. However, secure, bug-free code is not guaranteed by smart contract audits or secure coding alone.
Secure coding requires collaboration between different teams like developers, testers, and security engineers to constantly work together in the software-development cycle to minimize vulnerabilities within Web3 gaming. Secure coding best practices should be applied to all GameFi components, including the binary, browser, and smart contracts, to minimize the risk of Web3 game hacks.
The security of smart contracts or DApps is increased by combining secure coding with smart contract auditing. This eliminates the vast majority of technical vulnerabilities in the early stages of development, resulting in contracts with fewer well-known risks and a high level of maturity.
The Binamars GameFi Hack in 2021 highlighted the importance of secure coding and smart contract auditing in the GameFi Ecosystem. Had the development team had proper knowledge of secure coding, the hack could have been prevented. This incident serves as a reminder to all developers to ensure that contracts are secure and the quality of code is checked before they are deployed to the Blockchain.
During the development lifecycle, developers should be cautious not to hardcode owner private keys or accidentally push undesired secrets to public repos since they might be abused by an attacker to alter the smart contract logic. Hackers can steal user funds or assets from the game, which could be worth millions of dollars.
In 2022, a GameFi project called Gala Games was hacked by the attacker because the proxy admin owner's private keys were accidentally pushed to the Github repository, leading to $4.5 million being stolen from the liquidity pool. That same year, the WonderHero project was hacked due to a leak of private keys, resulting in the theft of $30 million worth of WND tokens. To avoid such incidents, developers should never push keys, passwords, tokens, or secrets publicly to repositories or encode them within their DApps.
This section will discuss the best practices developers can implement to secure their GameFi Apps or Smart Contracts. There are various features such as multi-signature wallets, multi-factor authentication, encryption, access control, etc., which can be used to prevent Web3 games from various attacks.
Multi-signature wallets can be useful for protecting user assets in cases where private keys have been leaked, as they require multiple signatures to complete a transaction. This prevents attackers from successfully stealing assets, as they would need additional signatures to process the transaction, which would be blocked by the blockchain.
The Solana wallet hack allowed attackers to steal funds from 8,000 wallets, worth around $8 million. The attackers somehow gained access to private keys, allowing them to forge malicious transactions that led to the loss of user funds. The reason for this hack was the lack of multi-signature wallets. This made it easier for the hackers to steal the private key, suggesting a third-party compromise that led to a supply-chain attack.
In 2022 alone, hackers stole assets worth $3.8 billion, the most in blockchain history. This has highlighted the importance of implementing a bug bounty program to protect against potential DeFi hacks. The necessity of a bug bounty program has become more pressing than ever due to the potential financial and reputational losses organizations may face.
The Ronin Network recently launched a bug bounty program with rewards of up to $1 million for whitehat security experts after being hacked. LayerZero and Immunefi have also collaborated to launch the world’s largest bounty program, offering rewards of up to $15 million.
A bug bounty program increases the probability that security vulnerabilities are reported by researchers and patched by the project before they are exploited, preventing the loss of users' funds. The success of a bug bounty program also depends on how fast the program team acts on a reported vulnerability, the speed of patching, and how well researchers are rewarded for their research.
By 2022, Immunefi had paid out rewards worth $52 million and helped protect $25 billion in assets thanks to the work of whitehats. This demonstrates how important a role bug bounty programs play, considering the increase in modern-day DeFi hacks.
Implementing adequate security measures and responding to incidents has become essential for security teams in light of the rise of GameFi attacks. This is a crucial task for security teams because it enables them to track, monitor, and halt any malicious behavior inside the game as well as proactively detect and become ready for upcoming GameFi hacks.
Furthermore, integrating security controls such as real-time login monitoring, SIEM, firewalls, network segmentation, vulnerability and patch management in combination with incident response will ensure that GameFi complies with applicable security and data protection regulations, improving its overall security posture.
Consider the Ronin hack as a recent example. It took the project's developers six days to realize that an attack had taken place, only becoming aware when a user complained about being unable to withdraw funds. Had the network been monitored in real time, the attack might have been detected almost immediately upon the first major, suspicious transaction. Unfortunately, no one noticed the attack for about a week, giving the attacker plenty of time to keep moving funds and hiding their identity. This emphasizes the significance of proactive monitoring, identification, and response to any hostile behavior that might pose a major threat to the organization.
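The monitoring the paragraph above calls for can start with something very small: a detector over the stream of bridge withdrawals that pages the on-call team on the first outsized transfer instead of a week later. This is an added example written for this article, not Halborn's or Ronin's tooling; the event tuples, the 1,000 ETH hard limit and the address labels are constructed for the demo.

```python
from statistics import median

def find_suspicious_withdrawals(events, hard_limit, window=5, multiple=20.0):
    """Flag bridge withdrawals that should page on-call immediately.

    events: iterable of (block, recipient, amount) in chain order.
    A withdrawal is reported when it exceeds an absolute hard limit or is
    `multiple` times the median of the last `window` normal withdrawals.
    Flagged amounts never feed the baseline, so a large drain cannot
    "teach" the monitor that huge transfers are normal.
    """
    alerts, baseline = [], []
    for block, recipient, amount in events:
        reasons = []
        if amount >= hard_limit:
            reasons.append("above_hard_limit")
        if len(baseline) >= 3 and amount >= multiple * median(baseline):
            reasons.append("baseline_outlier")
        if reasons:
            alerts.append((block, recipient, amount, "+".join(reasons)))
        else:
            baseline = (baseline + [amount])[-window:]   # rolling window of normal flows
    return alerts

# Constructed sample stream (not real chain data): routine player withdrawals
# followed by one outsized transfer of the kind that went unnoticed for days.
SAMPLE_EVENTS = [
    (100, "0xplayer1", 12.0), (101, "0xplayer2", 8.5), (103, "0xplayer3", 15.0),
    (104, "0xplayer4", 9.0), (106, "0xplayer5", 11.0),
    (107, "0xdrain", 50_000.0),      # should alert at this block, not a week later
    (108, "0xplayer1", 10.0),
]

if __name__ == "__main__":
    for block, to, amount, why in find_suspicious_withdrawals(SAMPLE_EVENTS, hard_limit=1_000.0):
        print(f"block {block}: {amount} ETH to {to} ({why})")
```

In production the events would come from the bridge contract's withdrawal event logs and the alert would go to a pager, not stdout.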
When talking about Cloud Platforms, the biggest challenge from a security standpoint relates to data leaks, which contain large amounts of user records, credentials, logs, etc. Protecting user data is critical to avoid possible exposure.
Companies must prevent their storage services, such as S3, Blob, and Storage, from being publicly available and should use resource tracking to ensure continual monitoring of these services. In July 2022, GoodGamer exposed 380,000 users' records due to publicly exposed S3 buckets which contained emails, phone numbers, money won, and money spent within their accounts.
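A configuration review of the kind the paragraph above recommends can be automated. The checker below, an added example that is not Halborn's or GoodGamer's code, evaluates an S3 bucket policy, its ACL and its Block Public Access flags, and reports every way anonymous users could read objects; the "gamer-exports" bucket, the role ARN and the example account id are constructed inputs, and the weak policy is shown beside its corrected form.

```python
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} (or {"AWS": ["*"]}) both mean anyone on the internet.
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def bucket_findings(policy, acl, block_public_access):
    """Return reasons a bucket's objects are readable by the public (empty list = fine).

    policy: bucket policy document (dict); acl: GetBucketAcl-style dict;
    block_public_access: dict of the four S3 Block Public Access flags.
    """
    findings = []
    for st in policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        # A Condition normally narrows the grant (VPC endpoint, source IP), so this
        # conservative check treats any conditioned statement as non-public.
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and actions & READ_ACTIONS and not st.get("Condition")):
            findings.append(f"policy allows anonymous {sorted(actions)} on {st.get('Resource')}")
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri}")
    # With all four Block Public Access flags on, S3 neutralises both mechanisms.
    if findings and all(block_public_access.get(flag) for flag in BPA_FLAGS):
        return [f"(blocked by Block Public Access) {f}" for f in findings]
    return findings

# Constructed inputs for a hypothetical "gamer-exports" bucket: the weak policy
# beside the corrected one, which only trusts a named role (example account id).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::gamer-exports/*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/exports-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::gamer-exports/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
BPA_OFF = dict.fromkeys(BPA_FLAGS, False)
```

Run it from a scheduled job over every bucket's GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock output to get the continual monitoring the text describes.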
Companies may use several strategies, such as checks in CI/CD pipelines and frequent configuration reviews, to prevent such data breaches. These ensure that secrets such as access keys, credentials, and tokens are not accidentally pushed, preventing a catastrophic compromise of cloud accounts that could grant complete access to all deployed resources and services.
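Both the leaked-key incidents described earlier (Gala Games, WonderHero) and the CI/CD checks recommended here come down to one control: refuse a push that adds a secret. The scanner below is an added example, not code from Halborn or any of the projects named; it scans only the added lines of a unified diff for a 64-hex secp256k1 private key and an AWS access key ID, and the sample diff, variable names and key values are constructed.

```python
import re

# Patterns used by this example: a secp256k1 private key is 32 bytes, i.e. 64 hex
# characters, optionally 0x-prefixed; AWS access key IDs are 20 chars starting "AKIA".
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# 64 hex chars also describe tx hashes and keccak digests, so a bare hex blob is
# only reported when the same line names a key; this keeps false positives down.
KEY_CONTEXT = re.compile(r"(private|secret|deployer|owner|mnemonic)[\w\s]{0,20}key|privkey", re.I)

def scan_diff(diff: str):
    """Return (diff_line_no, finding) for secrets in ADDED lines of a unified diff."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++ "):
            continue                       # removed/context lines and file headers
        body = line[1:]
        if AWS_KEY_ID.search(body):
            findings.append((lineno, "aws_access_key_id"))
        if HEX64.search(body) and KEY_CONTEXT.search(body):
            findings.append((lineno, "possible_private_key"))
    return findings

# Constructed diff: a deployer key and an AWS key ID being added, a tx-hash
# constant that must NOT be flagged, and a removed line that is ignored.
SAMPLE_DIFF = "\n".join([
    "diff --git a/scripts/deploy.js b/scripts/deploy.js",
    "--- a/scripts/deploy.js",
    "+++ b/scripts/deploy.js",
    '+const OWNER_PRIVATE_KEY = "0x' + "1a" * 32 + '";',
    '+const PENDING_TX = "0x' + "2b" * 32 + '";',
    '-const aws = "AKIAIOSFODNN7EXAMPLE";',
    '+process.env.AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
])

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for lineno, what in hits:
        print(f"line {lineno}: {what}")
    raise SystemExit(1 if hits else 0)     # non-zero exit fails the pipeline stage
```

Wire it to `git diff --cached` in a pre-commit hook or to the merge-request diff in CI; a non-zero exit blocks the push.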
The best way to prevent GameFi hacks is to ensure that the gaming platform has a comprehensive security program that incorporates the latest security protocols and techniques such as multi-factor authentication, encryption, network, and application security tools in combination with smart contract auditing and a bug bounty program. Gaming companies should also have a solid incident response policy to deal with hacking attempts and ensure that their systems are restored swiftly. Additionally, employees should be educated about the latest GameFi security threats and best practices.
If you’re a traditional or Web3 gaming company looking to keep your platform safe from hackers, get in touch with Halborn today.