Halborn Logo

// Blog


Security Risks of NFT Games


Rob Behnke

June 19th, 2023

NFT games — which have grown increasingly popular since 2021 — combine the thrill of gaming with the innovative properties of blockchain technology. 

One key reason for this is that players can truly own their digital assets. They have the freedom to trade, sell, or transfer these assets as they wish. This sense of ownership adds an extra layer of value and collectability to rare in-game items, making them more appealing to players.

Another reason behind the success of NFT games is the monetization opportunities they provide. Players can generate income by trading, leasing, or selling their in-game assets. 

Lastly, NFTs enable interoperability, allowing players to use their in-game assets across multiple games and platforms. 

NFT Gaming Security Risks

In this article, we’ll explain some of the various security risks that players may encounter in NFT games. Later, we will also provide valuable tips on how to avoid these security risks and protect yourself while enjoying the world of NFT gaming.

NFT Scams and Fraud

One major area of concern in NFT games is the prevalence of scams and fraudulent activities. With the increasing popularity of these games, bad actors are devising new ways to deceive players and profit from their inexperience or lack of knowledge. 

Some of the most common scams and frauds include:

Phishing Attacks 

Cybercriminals often create fake websites, emails, or social media accounts that resemble legitimate NFT gaming platforms. The goal is to trick users into revealing their sensitive information, such as private keys, 2FA codes and passwords. It is very common for scammers to use various social engineering tactics to steal assets or funds.

The best way to avoid phishing attacks is to always make sure you are using the official game links and websites. Keep an eye on the URL endings (.com, .io, etc.). It's common for scammers to create similar domains with the same name but a different ending.

The same goes for emails. Check senders and do not click, under any circumstances, on strange or unconventional links.

It wasn't long ago that Ronin, Axie Infinity's side-chain, was targeted in the most expensive DeFi hack to-date. After using phishing attacks to gain access to various wallets of the Sky Mavis team (Axie Infinity Developer), the scammers managed to validate transactions that caused a loss of about $625 million to the Axie Infinity community at the time.

Community-Focused NFT Scams

Scammers may also exploit other security vulnerabilities to target NFT game players. 

These bad actors may launch attacks on vaults, Discord channels, or other platforms used by gamers and the NFT community. By identifying weak points in security measures or infiltrating in the community spaces, these malicious individuals can gain access to valuable digital assets, personal information, or financial accounts.

These scams are often combined with other tactics.  For example, if a scammer has gained permission to send messages in a specific Discord channel, for example, they may be able to implement other harmful strategies more easily.  The most common approach is for them to use permissions or even bots to send messages containing phishing links.

To protect yourself from this kind of flaw, always seek information through different official channels. If one of the channels has been compromised, the team usually alerts through one of the others. 

It's also worth remembering that there will rarely be surprise "Mints" or sudden discounts without any prior notice. These are some red flags that deserve your attention.

One of Animoca Brands' games, Phantom Galaxies, experienced one of these attacks targeting its community. Scammers managed to steal over $1 million from users via fake mints of in-game NFTs.

Counterfeit NFTs

Scammers can create fake NFTs that resemble popular or valuable in-game items, hoping to dupe unsuspecting players into buying them.  These counterfeit NFTs usually have no value and can result in significant financial losses for the victims.

When seeking to research the authenticity and provenance of an NFT, always:

  1. Consider the creator's reputation and consult with fellow collectors for additional insights.

  2. Check the volume of transactions and also the number of transactions of the NFT’s collection; they may also give you some clues. 

  3. Examine the smart contract and token ID closely. This ensures that they match the actual item being sold and helps you avoid falling victim to counterfeit NFT scams.

Most of the popular NFT games of the last few years have had people making fakes of them. Shortly before or after a certain NFT game's items come out, you can see "bait" collections with names and NFTs that look exactly like the original ones, tricking people who aren't paying attention.

Go on OpenSea or any NFT Marketplace and search for any well-known NFT collection like "The Sandbox” and you'll see many fake or copycat collections. One attack exploited an issue with Magic Eden to add and sell fake NFTs as part of real collections.

Fraudulent NFT Projects and Ponzi Schemes

Some bad actors may set up fraudulent projects or schemes related to NFT games, promising high returns or unique opportunities.  Those schemes often rely on attracting new investors to pay off earlier investors, eventually collapsing and leaving many participants with significant losses.

But there are plenty of other kinds of scams. Another infamous type of scam is called a "Rug Pull”. Rug pulls work like this: scammers create a project with a series of promises and sell NFTs in order to be able to fulfill them. Some have only a game trailer or something that gives the impression that the game is almost ready when it doesn't even exist yet. In this way, they collect money from the sale of NFTs and then fail to deliver what they promised using a variety of fanciful excuses. In the end, the project team steals the money invested in the project and runs.

Thoroughly research NFT and other crypto projects by consulting credible sources and reviews, which helps you make informed decisions about potential investments. Also, exercise caution with projects promising unrealistic returns, especially those focusing more on the financial returns than fun and good gameplay.

Criminal schemes often use famous people as spokespersons to gain credibility more quickly. These people are paid to promote something that they often don't know (or pretend not to know) is a scam.

Many influencers and groups have been harmed by promoting projects that later proved to be scams. Earlier this year, Logan Paul was accused of participating in a Rug Pull involving an NFT game called CryptoZoo.

Technical vulnerabilities

Smart contracts in NFT games can sometimes have weak spots. These can give bad actors the perfect chance to take advantage through exploits. Most of the time, exploits aim to drain funds from the crypto wallets that signed a specific transaction or contract on the Blockchain.

More experienced developers in the market are less likely to make mistakes in their smart contracts, but even the best can fall short on security sometimes. It's important to review if a Web3 gaming project has a security audit from a reputable security company - like Halborn -  and the measures they have taken (eg. fixing the most relevant findings). 

Furthermore, to protect yourself from potential vulnerabilities in smart contracts, always check the applications connected to your wallet and delete the ones you're not using immediately. This alone can protect you from many attacks!

The crypto-gaming platform Vulcan Forged experienced a significant security breach in 2021. During this attack, the hacker gained access to the system's private keys, which allowed them to compromise 96 wallets. This malicious incident resulted in a devastating loss, accounting for more than 23% of the circulating supply of the game token.

In 2022, The Sandbox made a public announcement regarding the migration of their LAND smart contracts, citing the discovery of a vulnerability. The team at The Sandbox acknowledged that this vulnerability had the potential to cause significant losses for their users. 

Fortunately, they were able to swiftly propose a solution to address the issue. Nonetheless, the undisclosed details of the vulnerability are indeed alarming, as it had the potential for attackers to exploit and potentially destroy a considerable amount of land within The Sandbox.

Privacy threats

In places where being anonymous is important, like gaming and crypto, threats to privacy can be really harmful. Lots of scammers threaten to reveal personal info that they found out in various ways. They try to blackmail developers and players to get them to pay up.

Avoid sharing personal information about yourself, where you live, or your family members with people you don't know.  Malicious groups may think of ways to use this information to cause harm or even impersonate you to hurt others using your identity.

The NFT gaming space has many well-intentioned people, but it's important to remember that not everyone is a friend. As mentioned before in this article, scammers impersonated other Sky Mavis employees, tricking several of those responsible for authorizing transactions on Ronin, Axie Infinity's Side Chain.

Avoid Legal and Regulatory Issues Surrounding NFTs

Don’t forget to consider that the legal and regulatory landscape surrounding NFTs and blockchain gaming is still evolving.  We won’t deep dive into that in this article, but we recommend you verify the laws, standards, and regulations that your country may have regarding NFT and blockchain-based games.

In some countries, NFT game assets can be taxed or have certain rules for their use. For example, in Brazil, NFTs must be declared for Income Tax and are subject to taxation. The legislation divided crypto assets into three types: cryptocurrencies, utility tokens, and asset-referenced tokens. In the United States, NFTs have been classified as securities, and their trade is subject to a series of restrictions. And in China, crypto assets have been banned in their entirety.

Final Thoughts

It’s increasingly important for NGT game players and investors to stay vigilant and informed about the various security risks that come with this exciting new market. By understanding the potential threats and taking appropriate precautions, you can protect your valuable digital assets and personal information from cybercriminals and scammers.

The role of community and industry collaboration cannot be overstated in improving security within the NFT gaming space. By sharing experiences, best practices, and knowledge about emerging threats, we can build a stronger, more resilient ecosystem for everyone involved.

If you're looking to learn more about protecting yourself from security risks in the world of NFT gaming or need help securing your digital assets, don't hesitate to contact us! Our team of Web3 gaming security experts is here to help you navigate this exciting and rapidly evolving landscape with confidence. Get in touch today to learn more about how to protect your NFT gaming platform.