Security Challenges in Web3 Gaming and GameFi


Rob Behnke

May 22nd, 2023

GameFi is a genre of blockchain-based gaming and decentralized finance that encompasses various models, including Play-to-Earn (P2E), Play-and-Earn, and Pay-to-Play. These models leverage the video gaming experience to enable players to earn token rewards or participate in different ways within the GameFi ecosystem. Players in the traditional gaming space spend large amounts of time playing games that do not profit them directly. Furthermore, the practice of spending excessive amounts of money on in-game assets that cannot be used outside of the game may not align with everyone's preferences.

However, the GameFi project has emerged as a promising solution to this issue, gaining significant popularity and adoption, particularly within the Web3 space.

Importance of security in the GameFi ecosystem

The security of Web3 games is crucial for the protection of players' investments, personal data, and overall gaming experience. Here are some key reasons why game security in Web3 is of utmost importance:

  1. Player Protection: GameFi security is essential for safeguarding the interests of players. In GameFi projects, players may invest their time, effort, and sometimes even real-world money to earn rewards, level up their characters, or acquire valuable in-game assets. GameFi security measures such as smart contract audits, encryption of user data, and protection against cheating or scams can help ensure that players' investments are secure and their assets are safe from unauthorized access or manipulation. We will learn more about these during the course of this article.

  2. Trust and Confidence: Trust is a critical factor in the success of any game, especially in the GameFi space, where players' financial investments are at stake. When players have confidence in the security measures of a GameFi project, they are more likely to participate, invest, and engage in the game ecosystem. On the other hand, security breaches or vulnerabilities can result in a loss of trust, damage the reputation of the game, and deter players from participating.

  3. Compliance and Legal Requirements: GameFi projects are subject to various regulatory and legal requirements, including data privacy, counter terrorism financing (CFT), anti-money laundering (AML), and know-your-customer (KYC) regulations. Compliance with these regulations is crucial to avoid legal consequences and maintain the integrity of the game ecosystem. Adequate game security measures can help ensure compliance with these regulations and protect the project from potential legal issues.

  4. Economic Impact: GameFi projects often involve the use of cryptocurrencies or digital assets as rewards or in-game currencies. These digital assets can have significant economic value, and any security breach or vulnerability can result in financial losses for players, game developers, and other stakeholders. Robust game security measures, including secure storage of digital assets, defense mechanisms against hacking or theft, and robust authentication mechanisms, are essential to safeguard the economic value of the game ecosystem.

Security challenges in GameFi

Given that GameFi as a technology is centered around finance, it is bound to get exploited by malicious actors seeking profit or challenge. The security vulnerabilities facing GameFi can be categorized into on-chain and off-chain challenges. Let’s explore them one after the other.

On-chain vulnerabilities

On-chain vulnerabilities are the security flaws that exist within the code or logic of a blockchain network, including its smart contracts. These vulnerabilities can potentially be exploited by attackers to gain unauthorized access, manipulate transactions or data, or even disrupt the normal functioning of the blockchain network.

On-chain vulnerabilities can result in various types of attacks, such as theft of digital assets, manipulation of smart contracts, or disruption of consensus mechanisms. Let’s take a look at some of the on-chain vulnerabilities possible in GameFi projects.

Smart contract vulnerabilities

Technically, the first target for attacks on any crypto or blockchain project is the smart contract. A popular saying among smart contract developers goes thus: smart contract code is only as smart and secure as the developer who wrote it. What this means is that there can be flaws in a contract’s design based on developer errors such as a programming mistake, incorrect logic, flawed design, or the programmer’s ignorance. 

The smart contracts of a blockchain handle the transactions done in the blockchain. Having access to the smart contract means having the power to redirect where transaction properties (assets) go.

Common smart contract vulnerabilities possible on GameFi projects include reentrancy attacks, private key theft, front-running attacks, NFT scams and theft, unchecked external calls, malicious code injection, etc. 

Let's briefly look at some of these attacks.

Reentrancy attacks: Reentrancy attacks are as old as Solidity itself. Reentrancy occurs when a smart contract makes an external call (for example, sending Ether, which triggers the recipient's fallback function) and the recipient is able to call back into the contract before the original call is completed.

To aid your understanding, here’s an example:

pragma solidity ^0.8.7;

contract GameFiContract {
    mapping(address => uint256) public balances;
    function withdraw() public {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "Insufficient balance");
        // Vulnerability: the external call runs before the balance is cleared,
        // so a callee that re-enters withdraw() still sees the old balance.
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Withdrawal failed");
        balances[msg.sender] = 0;
    }
}

Technically, the withdraw function allows players to withdraw their balances. But if an attacker deploys a malicious contract that calls back into the withdraw function before the previous call completes, they can drain the contract’s funds. For example, the attack that was used to steal crypto assets worth $600,000,000 from the Ronin Network of Axie Infinity, a popular blockchain-based game, was a combination of multiple vulnerabilities, including reentrancy and batchOverflow vulnerabilities.

The Ronin Network is a side-chain developed by Axie Infinity to handle transactions for its in-game assets. The attackers exploited a reentrancy vulnerability in the Ronin smart contract that allowed them to repeatedly call back into the contract before the previous call had been completed, effectively draining the contract's funds. They also utilized a batchOverflow vulnerability, which involved manipulating the batch transfer function to overflow the balance of a specific in-game asset, resulting in the creation of additional assets that were then withdrawn from the contract.
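A hardened form of the withdraw function, shown as an added example that is not part of the original article: the balance is cleared before the external call (checks-effects-interactions) and a mutex rejects nested calls. The contract name, the deposit function and the nonReentrant modifier are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added example; HardenedGameFiContract, deposit() and nonReentrant are hypothetical names.
contract HardenedGameFiContract {
    mapping(address => uint256) public balances;
    bool private locked;

    // Mutex: any call that re-enters a guarded function while it is running reverts.
    modifier nonReentrant() {
        require(!locked, "Reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        // Check: the caller must have a balance.
        uint256 amount = balances[msg.sender];
        require(amount > 0, "Insufficient balance");

        // Effect: clear the balance before any external code can run,
        // so a nested call would see zero even without the mutex.
        balances[msg.sender] = 0;

        // Interaction: the external call comes last; a failure reverts the whole
        // transaction, which also restores the balance.
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Withdrawal failed");
    }
}
```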

NFT attacks: A crucial source of passive revenue for GameFi projects is the creation of their in-game assets as NFTs backed by the ERC-721 token standard on Ethereum. NFTs can be transferred from one account to the other just like crypto tokens, so they are equally valuable and can be targets of attacks by bad actors. Common NFT attack vectors include bugs in the in-game NFT marketplace, NFT swap scams, project rugpulls, Trojan Horse NFTs, impersonation scams, etc.

The Trojan Horse NFT attack, for instance, involves injecting malicious data into the properties of an NFT during a transaction. For demonstrative purposes, it looks like this:

pragma solidity ^0.8.7;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract MaliciousNFT is ERC721 {
    // Arbitrary, unvalidated data attached to each token ID
    mapping(uint256 => string) public tokenData;
    constructor() ERC721("MaliciousNFT", "NFT") {}
    function transferNFT(uint256 tokenId, address to, string memory data) external {
        // Embed the data into the token by storing it in the tokenData mapping
        tokenData[tokenId] = data;
        // Transfer the NFT to the recipient
        transferFrom(msg.sender, to, tokenId);
    }
}

DAO Governance vulnerabilities

Governance mechanisms in blockchains are responsible for making decisions and changes on the blockchain. Vulnerabilities in the DAO governance mechanisms are often targeted to cause centralization, collusion, or manipulation of the decision-making processes. Unless the governance mechanism is built from scratch to make it impossible for a single entity to profit from having too many governance tokens, the vulnerability cannot be prevented.

Governance attacks are usually carried out by initially accumulating large quantities of the DAO’s governance tokens, as in the Beanstalk protocol. In GameFi projects, like Axie Infinity, players can earn governance tokens that allow them to participate in the development of the game and to vote during its decision process. If a single player is able to gather enough governance tokens, they can monopolize decisions on the project, as was the case with Tron founder Justin Sun and Steemit.

Cross-chain bridging vulnerabilities

Security flaws can stem from mechanisms used to transfer or bridge assets between different blockchains. GameFi projects have transitioned from selecting between Ethereum and Tron as their bridging provider to a host of others like BSC, Avalanche, Solana, and many others as they try to gain a competitive advantage or adopt cheaper/faster alternatives.

The problem with bridging is that attackers can manipulate or forge transactions to gain unauthorized access to assets on the destination chain if the bridging mechanism lacks proper validation or authentication. For example, a malicious actor can manipulate the transaction data or signatures in a cross-chain transaction to bypass authentication checks and illegally obtain assets on the receiving blockchain. The Ronin Network hack was reportedly done on the Ronin Bridge.

The code snippet below explains how a cross-chain bridging attack works:

function transferTokens(address recipient, uint256 amount) public {
    require(amount <= balances[msg.sender], "Insufficient balance");
    balances[msg.sender] -= amount;
    // Vulnerability: No validation and authentication checks for cross-chain transfer.
    // Attacker can manipulate the recipient's address or amount.
    token.transfer(recipient, amount);
}

According to Chainalysis, 69% of total funds stolen in 2022 from crypto projects are from 13 cross-chain bridge hacks. Bridges are targeted mostly because they have a central source of truth for funds that are stored in a smart contract or a centralized platform. Furthermore, there are still technical challenges in implementing a secure bridge design.

Next, let’s look at the potential off-chain vulnerabilities capable of affecting GameFi projects.

Off-chain vulnerabilities

Off-chain vulnerabilities refer to the vulnerabilities that can affect a blockchain application from outside of the blockchain itself. 

Dependence on centralized servers

GameFi projects usually comprise off-chain components like the backend logic, the UI, or backend APIs consumed by web/mobile applications deployed on centralized servers off-chain. This means that the vulnerabilities common to Web2 projects are also possible on Web3 projects.

Another instance is the metadata that stores information about an NFT as JSON on a centralized storage site. GameFi projects often have lots of in-game assets to store, and the option of adopting decentralized storage solutions like IPFS is ruled out due to cost. The metadata of NFTs can be tampered with if the storage site is not properly secured.

Social engineering scams

A more common but often ignored security challenge in the blockchain space in general, and in GameFi projects in particular, is scamming. These are social scams that affect customers and are often instigated by the developers of the project.

The most popular of these scams is the Rug Pull. The Squid Game scam is an example of a rug pull. Another example of a scam is the Ponzi scheme, where old investors or players are paid by requiring new players to play to earn. There are multiple ways to make a P2E GameFi project self-sustainable, and one of them is by using newer investors’ money to pay older ones. The downside to this is that someone at the end of the chain must lose.

You can also learn about general security issues in the blockchain space in our prior article here.

Further recommendations for improving GameFi security

The incidents mentioned in this article highlight the importance of thorough security audits and testing of smart contracts, as well as the need for continuous monitoring and prompt patching of vulnerabilities to prevent such attacks in blockchain-based games and other applications. It also emphasizes the importance of following best practices for secure smart contract development to minimize the risk of vulnerabilities being exploited by malicious actors.

GameFi developers can generally follow the steps mentioned below to prevent vulnerabilities.

Conducting thorough security audits

We have learned different ways attackers can compromise a GameFi project, such as through smart contracts, cross-chain bridging mechanisms, and third-party or centralized dependencies. Developers and investors are encouraged to conduct thorough security audits of the logic in these areas.

This can involve engaging third-party security experts like Halborn or utilizing automated security tools to identify potential vulnerabilities and weaknesses.

Implementing proper validation and authentication checks for cross-chain bridging

Developers should thoroughly validate and authenticate all incoming and outgoing cross-chain transactions to ensure they are authentic and flawless. Some ways to do this are to verify the source and destination addresses of the transactions, confirm that the outgoing transaction amount is the expected amount, and use signatures to prevent unauthorized transfers.
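One way to apply these checks on the destination chain, as an added example that is not from the original article or any specific bridge: funds are released only when enough registered validators have signed a digest that binds the source chain, destination chain, bridge contract, recipient and amount, and each digest can be used once. It goes beyond the single-signature case by requiring a threshold of signers; the contract, its names and the validator-set design are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added example; BridgeRelease and every name in it are hypothetical.
contract BridgeRelease {
    IERC20 public immutable token;
    uint256 public immutable sourceChainId;
    uint256 public immutable threshold;
    mapping(address => bool) public isValidator;
    mapping(bytes32 => bool) public processed; // replay protection

    constructor(IERC20 _token, uint256 _sourceChainId, address[] memory validators, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= validators.length, "bad threshold");
        token = _token;
        sourceChainId = _sourceChainId;
        threshold = _threshold;
        for (uint256 i = 0; i < validators.length; i++) {
            isValidator[validators[i]] = true;
        }
    }

    // Digest binds source chain, destination chain, this contract and the exact transfer.
    function transferDigest(bytes32 depositId, address recipient, uint256 amount) public view returns (bytes32) {
        bytes32 h = keccak256(abi.encode(sourceChainId, block.chainid, address(this), depositId, recipient, amount));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    function release(bytes32 depositId, address recipient, uint256 amount,
                     uint8[] memory v, bytes32[] memory r, bytes32[] memory s) external {
        require(recipient != address(0) && amount > 0, "bad transfer");
        require(v.length >= threshold && v.length == r.length && v.length == s.length, "bad signature set");
        bytes32 digest = transferDigest(depositId, recipient, amount);
        require(!processed[digest], "already released");
        address last = address(0);
        for (uint256 i = 0; i < v.length; i++) {
            address signer = ecrecover(digest, v[i], r[i], s[i]);
            // Strictly ascending order rejects duplicate signers and address(0) from failed recovery.
            require(signer > last && isValidator[signer], "invalid signer");
            last = signer;
        }
        processed[digest] = true; // effect before interaction
        require(token.transfer(recipient, amount), "transfer failed");
    }
}
```

Changing the recipient or amount after signing produces a different digest, so the recovered signers no longer match the validator set and the release reverts.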

Keeping up with security best practices and updates

Security needs are always evolving as blockchain technology itself is evolving. As a result, developers and project owners need to stay updated with the newest security best practices to avoid being victims of attacks.

For example, Solidity functions can get deprecated, and if developers are not aware of the update, their code can be targeted for attacks. Developers should monitor security forums, follow reputable security sources, and keep an eye out for updates to technologies they have used in their development process.

Implementing proper access controls and permissions

Developers should implement strict access controls on their GameFi projects to avoid unauthorized access to user and contract accounts. They can do this by adopting role-based access control (RBAC), multisig wallets, or multi-factor authentication.

For more information on how you can keep your Web3 gaming project secure, get in touch with Halborn.