This article is a community contribution. The author is Zhangchi Qin, a smart contract auditor at Salus Security, a holistic blockchain security company.

The opinions expressed in this article are those of the contributors/authors and do not necessarily reflect the views of Binance Academy.

Summary:

  • The security challenges that GameFi projects face can be roughly categorized as on-chain and off-chain issues.

  • On-chain security challenges mainly involve the management of ERC-20 tokens and NFTs, the security of cross-chain bridges, and the governance of decentralized autonomous organizations (DAOs).

  • Off-chain challenges are usually related to network interfaces and servers.

  • GameFi projects should prioritize security safeguards, such as rigorous audits, vulnerability scanning, and penetration testing, and implement best operational practices and business controls.

Introduction

GameFi combines blockchain technology with games to create a decentralized platform featuring in-game assets and digital currencies. It usually adopts a play-to-earn (P2E) model, allowing players to earn cryptocurrency rewards. GameFi also gives gamers true ownership and full control over in-game assets.

Despite its growing popularity, GameFi faces a constant and serious threat from hackers throughout its lifecycle. Some projects may value speed over quality and therefore lack robust security precautions, which often puts both the community and creators at risk of significant losses.

Why is GameFi security important?

GameFi experienced significant growth in 2021, with its P2E model providing players with new in-game revenue opportunities. In 2022, move-to-earn further highlighted GameFi's growth potential. GameFi was the top industry in cryptocurrency in 2022, accounting for approximately 9.5% of the total industry funding, an increase of more than 118% year-on-year.

GameFi is different from traditional games because the risk to users is greater and any hacker attack could result in significant losses. In extreme cases, security breaches could lead to the termination of the project.

For example, in 2022, attackers exploited a backdoor in the remote procedure call (RPC) node to obtain the signature of the GameFi project Axie Infinity, allowing unauthorized withdrawals and stealing a total of nearly $600 million in ETH. Any vulnerability in the GameFi project could cause huge losses to investors and players, which further highlights the importance of GameFi security.

On-chain security challenges

ERC-20 Token Vulnerabilities

In GameFi projects, ERC-20 tokens are often used as virtual currency for in-game purchases, as player rewards, and as a means of exchange.

Improper minting and management of ERC-20 tokens can pose security risks. A common vulnerability called "reentrancy" can occur during the minting process. An attacker can exploit a logical vulnerability in the contract to repeatedly execute a specific function, thereby minting tokens infinitely.

As a universal in-game currency, the stability and quantity of ERC-20 tokens determine the playability and sustainability of the game. Therefore, the project should ensure that the code logic is correct and strictly control the total supply of ERC-20 tokens.

The P2E GameFi project DeFi Kingdoms was attacked by malicious ERC-20 minting in 2022. Some players exploited logic vulnerabilities to mint the game's locked native tokens, causing the token price to plummet subsequently.

NFT Vulnerabilities

NFTs are mainly used as in-game virtual assets in GameFi projects, including equipment, props, and souvenirs. They provide players with clear ownership and can maintain stable value by controlling inflation and scarcity. However, improper use of NFTs may introduce security vulnerabilities.

The rarity of equipment or items is reflected in the value of NFTs, and players usually look for the rarest NFTs. During the NFT minting process, block-related information such as timestamps may be used as a weak random source to generate NFTs of different rarity levels. Miners can manipulate block timestamps to some extent to maliciously mint rarer NFTs.

Even a reliable source of randomness, such as Chainlink VRF (Verifiable Random Function), does not eliminate all risk. A malicious user could reverse the operation when an unwanted NFT token ID is minted, and then repeat the process until a rare NFT is minted.
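The two randomness problems above, shown as an added example that is not code from the article or from any project it names. `RarityMint`, `IRandomnessProvider`, `PRICE` and the function names are hypothetical, and the provider interface is a simplified stand-in for a VRF coordinator rather than Chainlink's actual API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator; NOT Chainlink's real interface.
interface IRandomnessProvider {
    function requestRandomness() external returns (uint256 requestId);
}

contract RarityMint {
    uint256 public constant PRICE = 0.01 ether; // constructed value
    IRandomnessProvider public immutable provider;
    uint256 public nextId;
    mapping(uint256 => address) public pendingBuyer; // requestId => buyer
    mapping(uint256 => address) public ownerOf;      // tokenId => owner
    mapping(uint256 => uint8) public rarityOf;       // tokenId => 0..99

    constructor(IRandomnessProvider p) { provider = p; }

    // WEAK: rarity comes from block.timestamp, which the block producer can nudge,
    // and it is known inside the same transaction, so a calling contract can
    // read rarityOf[id] and revert whenever the result is not the one it wants.
    function mintWeak() external payable returns (uint256 id) {
        require(msg.value == PRICE, "wrong price");
        id = nextId++;
        rarityOf[id] = uint8(uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100);
        ownerOf[id] = msg.sender;
    }

    // HARDENED, step 1: the buyer pays and commits before any randomness exists.
    // Nothing about the outcome is observable here, so there is nothing to revert on.
    function requestMint() external payable {
        require(msg.value == PRICE, "wrong price");
        pendingBuyer[provider.requestRandomness()] = msg.sender;
    }

    // HARDENED, step 2: the provider delivers the random word in its own transaction.
    // The buyer is not the caller and gets no callback, so the buyer cannot undo the mint.
    function fulfill(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(provider), "only provider");
        address buyer = pendingBuyer[requestId];
        require(buyer != address(0), "unknown request");
        delete pendingBuyer[requestId];
        uint256 id = nextId++;
        rarityOf[id] = uint8(randomWord % 100);
        ownerOf[id] = buyer;
    }
}
```

Fee withdrawal and ERC-721 transfer logic are left out to keep the focus on where the randomness is consumed relative to the buyer's transaction.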

Smart contract vulnerabilities may also arise when players trade and transfer NFTs. For example, the function safeTransferFrom() is used to transfer ERC-721 NFTs. When the recipient is a contract address, the function onERC721Received() is triggered as a callback. This creates a risk of reentrancy attacks, because the attacker controls the logic in the function onERC721Received().

This risk also exists in ERC-1155 NFTs, where the function safeTransferFrom() triggers the function onERC1155Received() and allows an attacker to perform a reentrancy attack.
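The callback risk described above, as an added example (not code from the article) that puts a mint function with the state update after the callback beside a corrected one. The contract names and the per-wallet limit are hypothetical, and the import paths assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical game-item contract, vulnerable form.
contract GameItemVulnerable is ERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("GameItem", "GITM") {}

    function claim() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "limit reached");
        // _safeMint invokes onERC721Received() on a contract recipient, handing
        // control to the caller BEFORE the counter below is updated. A re-entrant
        // claim() from inside that callback still passes the check above.
        _safeMint(msg.sender, nextId++);
        minted[msg.sender] += 1;
    }
}

// Same contract, hardened: checks, then effects, then the external interaction,
// with a reentrancy lock as a second layer.
contract GameItemHardened is ERC721, ReentrancyGuard {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("GameItem", "GITM") {}

    function claim() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "limit reached");
        minted[msg.sender] += 1;         // effect recorded first
        _safeMint(msg.sender, nextId++); // callback now sees the updated counter
    }
}
```

The same ordering applies to ERC-1155 contracts, where the mint and transfer paths call onERC1155Received() on contract recipients.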

Cross-chain bridge vulnerability

Cross-chain bridges are used in GameFi to allow users to exchange in-game assets across different networks. They are also critical to enhancing the experience and liquidity of GameFi.

A major risk of the cross-chain bridge in GameFi comes from inconsistencies between in-game assets. The contracts on both sides of the cross-chain bridge should ensure that the same amount of assets are accepted and destroyed. However, due to vulnerabilities in the verification and settlement of the contract, attackers can hack into the contract and create a large amount of assets out of thin air.

DAO Governance Vulnerability

Many GameFi projects are governed by DAOs, which can pose centralization risks if the majority of governance tokens are owned by a few large players. Smart contracts that define DAO governance rules open up another loophole for potential risks, as attackers can find ways to access the DAO library.

Off-chain security challenges

Most GameFi projects still rely on off-chain centralized servers for backend operations, web interfaces, or mobile applications. These servers store critical information, including game data and owner accounts, and are vulnerable to malicious attacks such as penetration and Trojan malware.

The metadata of NFT contains important descriptive information and is stored off-chain as a JSON file. However, many GameFi projects store their NFT metadata on their own centralized servers instead of using decentralized infrastructure such as IPFS. This increases the possibility that related parties or attackers can tamper with the metadata, which may infringe on players' rights.

In the case of cross-chain bridges, attackers can obtain the signature or private key of the validator through penetration or phishing attacks. They can compromise the infrastructure and exploit vulnerabilities to control in-game assets.

During data transmission, attackers may hijack network data packets and inject malicious code. By modifying data packets, attackers can achieve false recharges and tamper with unit purchase amounts to obtain more game props.

The front-end interface also provides another way for attackers to maliciously penetrate the system. If a game leaderboard is leaked, the attacker can send the leaked address information to the server to obtain the corresponding sensitive information.

How to improve security

To protect a GameFi project, it is important to exercise caution at every stage. Ensuring flawless smart contract code is fundamental to the success of a GameFi project. This involves writing high-quality code, conducting regular audits, and using formal smart contract verification.

It is also crucial to maintain the security of servers and other infrastructure components; penetration testing should be performed to detect possible vulnerabilities in a timely manner. When conducting penetration testing with DApps and blockchain-based systems, Web3 capabilities can be exploited. Therefore, specific precautions must be taken with digital wallets and decentralized protocols.

GameFi projects should also follow other best practices, including secure runtime processes and complete emergency response, which involves monitoring triggered security events, hardening the environment, and launching a bug bounty program.

At the same time, the project must develop a complete emergency response process, including loss prevention, attack tracking, and problem analysis.

Conclusion

GameFi's security vulnerabilities are not limited to the vulnerabilities mentioned in this article. Many incidents have shown that many projects have ignored or downplayed security risks. GameFi is an important part of the future gaming industry. Therefore, each project should always pay attention to security issues and put the interests of the community first.
