This article is a community contribution. The author is Zhangchi Qin, a smart contract auditor at Salus Security, a holistic blockchain security company.
The views expressed in this article are those of the contributor/author and do not necessarily reflect the views of Binance Academy.
Summary:
The security challenges faced by the GameFi project can be roughly classified into on-chain and off-chain issues.
On-chain security challenges mainly involve the management of ERC-20 tokens and NFTs, the security of cross-chain bridges, and the governance of decentralized autonomous organizations (DAOs).
Off-chain challenges are usually related to network interfaces and servers.
GameFi projects should give priority to security protection measures, such as strict auditing , vulnerability scanning and penetration testing, and implementing best operational practices and business controls.
GameFi will be Blockchain technology is combined with games to create a decentralized platform featuring in-game assets and digital currencies. It typically adopts a play-to-earn (P2E) model, allowing players to earn cryptocurrency rewards. GameFi also gives gamers true ownership and complete control over in-game assets.
Despite GameFi’s growing popularity, it will face continued and serious threats from hackers throughout its lifecycle. Some projects may value speed (over quality) and therefore lack robust security precautions, which often puts both the community and creators at risk of significant losses.
GameFi has experienced considerable growth in 2021, and its P2E model provides players with new in-game revenue opportunities. In 2022, move-to-earn will further highlight GameFi’s growth potential. GameFi is the leading cryptocurrency industry in 2022, accounting for approximately 9.5% of the industry's total funds, with a year-on-year growth of more than 118%.
GameFi is different from traditional games because users face greater risks, and any hacker attack may cause significant losses. In extreme cases, a security breach can lead to the termination of a project.
For example, in 2022, attackers used a backdoor in the remote procedure call (RPC) node to obtain the signature of the GameFi project Axie Infinity , allowing unauthorized withdrawals to be made, stealing a total of nearly $600 million in ETH. Any loopholes in the GameFi project may cause huge losses to investors and players, which highlights the critical importance of GameFi security.
In the GameFi project, ERC-20 tokens are often used as virtual currencies for in-game purchases, player reward mechanisms, and means of exchange.
Improper minting and management of ERC-20 tokens may pose security risks. A common vulnerability called "reentrancy" can occur during the casting process. An attacker can exploit logical vulnerabilities in the contract to repeatedly perform specific functions, thereby minting tokens indefinitely.
As a universal in-game currency, the stability and quantity of ERC-20 tokens determine the playability and usability of the game. Persistent. Therefore, projects should ensure code logic and strictly control the total supply of ERC-20 tokens.
The P2E GameFi project DeFi Kingdoms was attacked by malicious ERC-20 minting in 2022. Some players took advantage of a logic flaw to mint the game's locked native token, causing the token price to subsequently plummet.
NFT is mainly used as in-game virtual assets in GameFi projects, including equipment, props and souvenirs. They provide players with clear ownership and can maintain stable value by controlling inflation and scarcity. However, improper use of NFTs can introduce security vulnerabilities.
The rarity of equipment or props will be reflected in the value of the NFT, and players will usually look for the rarest NFT. During the NFT minting process, block-related information such as timestamps may be used as a weak source of randomness to generate NFTs of different rarity levels. Miners can manipulate block timestamps to some extent to maliciously mint rarer NFTs.
Even reliable sources of randomness, such as Chainlink VRFs (Verifiable Random Functions), cannot eliminate all risks. A malicious user could undo the action when an unwanted NFT token ID is minted, and keep repeating the process until a rare NFT is minted.
Potential smart contract vulnerabilities may arise when players trade and transfer NFTs. For example, the function safeTransfrom() is used to transfer ERC-721 NFT. When the recipient is the contract address, the function onerc721Reaceived () will be triggered for callback. There is also the potential risk of reentrancy attacks, where an attacker could determine the logic in the function on erc721Reaceived().
ERC-1155 NFT also has this risk, that is, the function safeTransform () triggers the function onerc1155Received () and allows the attacker to re- into attack.
GameFi Cross-chain bridges will be used to allow users to exchange in-game assets across different networks. They are also crucial to enhancing GameFi’s experience and liquidity.
One of the main risks of cross-chain bridges in GameFi comes from inconsistencies between in-game assets. The contracts on both sides of the cross-chain bridge should ensure that the number of assets accepted and destroyed is the same. However, due to vulnerabilities in the verification and checkout of the contract, attackers can invade the contract and create large amounts of assets out of thin air.
Many GameFi projects are managed by DAOs, which may pose a centralization risk if most governance tokens are owned by a few large players. Smart contracts that define the DAO’s governance rules open up another opening for potential risks, as attackers can find ways to access the DAO library.
The backend of most GameFi projects Operation and maintenance, network interfaces or mobile applications still rely on off-chain centralized servers. These servers store critical information, including game data and owner accounts, and are vulnerable to malicious attacks such as penetration and Trojan malware.
NFT’s metadata contains important descriptive information and is stored off-chain as a JSON file. However, many GameFi projects store their NFT metadata on their own centralized servers rather than using decentralized infrastructure such as IPFS. This increases the possibility of metadata tampering by interested parties or attackers, potentially violating player rights.
In the case of using a cross-chain bridge, an attacker can obtain the validator's signature or private key through penetration or phishing attacks . They can compromise infrastructure and exploit vulnerabilities to take control of in-game assets.
During data transmission, an attacker may hijack network packets and inject malicious code. By modifying the data package, the attacker can achieve false recharge and tamper with the unit purchase amount to obtain more game props.
The front-end interface also provides another way for attackers to maliciously penetrate the system. If information is leaked in the rankings of a certain game, the attacker can send the leaked address-related information to the server to obtain the corresponding sensitive information.
To protect the GameFi project, you must Proceed with caution at every stage. Ensuring flawless smart contract code is fundamental to the success of the GameFi project - this involves writing high-quality code, conducting regular audits, and using formal smart contract verification.
Maintaining the security of servers and other infrastructure components is also critical; penetration testing should be performed to detect possible vulnerabilities in a timely manner. Web3 capabilities can be leveraged when conducting penetration testing using DApps and blockchain-based systems. Therefore, specific precautions must be taken with digital wallets and decentralized protocols.
GameFi projects should also follow other best practices, including secure runtime processes and complete emergency response. The former involves monitoring triggered security events, hardening the security of the environment, and launching bug bounty programs.
At the same time, the project must develop a complete emergency response process, including stop loss handling, attack tracking, and problem analysis.
GameFi's security vulnerabilities are not limited to the vulnerabilities mentioned in this article. Many incidents show that many projects ignore or downplay security risks. GameFi is an important part of the future gaming industry. Therefore, projects should always focus on safety issues and put the interests of the community first.
The concept of GameFi and its working principle
Introduction to the concept of NFT games and their operating principles
What is smart contract security audit?
Disclaimer and Risk Warning:The content of this article is provided "as is" for general information and educational purposes only and does not constitute any representation or warranty. This article should not be construed as financial, legal, or other professional advice, and is not a recommendation that you purchase any specific product or service. If you need investment advice, please seek professional advice. If the article is provided by a third-party contributor, please note: the opinions are those of the third-party contributor and do not necessarily reflect the views of Binance Academy. For more information, pleaseclick hereto read our full Disclaimer. Digital asset prices may fluctuate. The value of your investment may fall as well as rise and you may not get back the principal invested. You are solely responsible for your own investment decisions and Binance is not responsible for any losses you may suffer. Nothing contained herein constitutes financial, legal or other professional advice. For additional information, please see ourTerms of UseandRisk Warning.