What are the common security issues in GameFi?

Security challenges faced by GameFi projects can generally be categorized into on-chain and off-chain issues.

On-chain security challenges mainly involve the management of ERC-20 tokens and NFTs, the security of cross-chain bridges, and the governance of decentralized autonomous organizations (DAO).

Off-chain challenges are usually related to network interfaces and servers.

GameFi projects should prioritize security measures such as rigorous audits, vulnerability scanning, and penetration testing, and implement best operational practices and business controls.

Introduction

GameFi combines blockchain technology with gaming to create decentralized platforms characterized by in-game assets and digital currencies. It often adopts the play-to-earn (P2E) model, allowing players to earn cryptocurrency rewards. GameFi also grants players true ownership and full control over in-game assets.

Although GameFi is becoming increasingly popular, it faces ongoing and serious threats from hackers throughout its lifecycle. Some projects may prioritize speed over quality, lacking robust security measures, which can lead to significant losses for the community and creators.

Why is GameFi security important?

GameFi experienced substantial growth in 2021, with its P2E model providing new in-game income opportunities for players. In 2022, move-to-earn (M2E) further highlighted the growth potential of GameFi. GameFi was a leading sector in cryptocurrency in 2022, accounting for about 9.5% of total industry funding, a year-over-year increase of over 118%.

Unlike traditional gaming, GameFi presents greater risks to users, as any hacking attack could result in significant losses. In extreme cases, security vulnerabilities could lead to project termination.

For example, in March 2022 attackers compromised the Ronin bridge used by the GameFi project Axie Infinity. They obtained the signing keys of five of the nine bridge validators, one of them through a backdoor left open in a gas-free remote procedure call (RPC) node, and used the forged validator signatures to approve unauthorized withdrawals of roughly $600 million, mostly in ETH. Any vulnerability in a GameFi project can cause huge losses to investors and players, underscoring the critical importance of security in GameFi.

On-chain security challenges

ERC-20 token vulnerabilities

In GameFi projects, ERC-20 tokens are often used as in-game currency, reward mechanisms, and exchange mediums.

Poorly controlled minting and supply management of ERC-20 tokens can pose security risks. A common vulnerability in minting paths is reentrancy: when a contract makes an external call (for example, a transfer hook or callback to the recipient) before it has updated its own state, an attacker-controlled recipient can call back into the minting function and repeat the operation, resulting in unlimited token minting.

As a universal in-game currency, the stability and total supply of ERC-20 tokens determine the game’s playability and sustainability. Therefore, projects should ensure logical correctness in their code and strictly control the total supply of ERC-20 tokens.

DeFi Kingdoms, a P2E GameFi project, suffered malicious ERC-20 minting in 2022: some players exploited a logic flaw to mint the project’s native token, and the token price plummeted afterward.

NFT vulnerabilities

NFTs are mainly used as in-game virtual assets in GameFi projects, including equipment, items, and souvenirs. They provide players with clear ownership and can help maintain stable value through controlling inflation and scarcity. However, improper use of NFTs can introduce security vulnerabilities.

The rarity of equipment or items is reflected in the NFT’s value, so players seek the rarest NFTs. During NFT minting, block data such as timestamps is sometimes used as a source of randomness to assign rarity. These are weak sources: the block producer chooses the timestamp (within the drift the network allows) and every caller knows it before the transaction executes, so miners can influence the outcome and mint rarer NFTs for themselves.

Even a reliable source of randomness such as Chainlink VRF (Verifiable Random Function) does not eliminate all risk if the contract uses it badly. If the rarity of a newly minted NFT is determined and revealed within the same transaction the player sends, a player can mint through a contract that reverts the transaction whenever the resulting token is not rare and retry until a rare NFT is minted, paying only gas for the discarded attempts. Randomness should therefore be requested in one transaction and applied in a separate fulfillment transaction that the player neither sends nor can revert.
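To make the two failure modes concrete (weak block-derived randomness, and a result that the caller can observe and revert in the same transaction), the following Python simulation is an added example; it is not code from the original article, from Chainlink or from any project mentioned here. SameTxMint derives rarity from a block-timestamp-style seed and returns it in the same call, TwoStepMint records a request and lets a separate fulfillment assign rarity, and the two reroll functions play an attacker contract that reverts unless the item is rare. All class and function names, the 1% rare rate and the seeded random provider standing in for a VRF coordinator are constructed for the example.

```python
"""Rarity rerolling against a same-transaction reveal (added example).

SameTxMint derives rarity from a block-timestamp-style seed and hands the
result back in the same call, so a contract caller can revert whenever it
dislikes the outcome. TwoStepMint only records a request; rarity is set
by a separate fulfilment transaction sent by the randomness provider,
which the player cannot revert. Names and the 1% rare rate are constructed.
"""
import hashlib
import random

RARE, COMMON = "legendary", "common"
RARE_PERCENT = 1  # 1 in 100 mints is legendary


class Revert(Exception):
    """Stands in for an EVM revert."""


def rarity_from(seed: bytes) -> str:
    roll = int.from_bytes(hashlib.sha256(seed).digest()[:4], "big") % 100
    return RARE if roll < RARE_PERCENT else COMMON


class SameTxMint:
    """Weak design: seed comes from block data and the caller sees the result at once."""

    def __init__(self):
        self.next_id = 0
        self.rarity = {}   # token_id -> rarity

    def mint(self, block_timestamp: int, player: str):
        token_id = self.next_id
        self.next_id += 1
        # block.timestamp is chosen by the block producer (within allowed drift)
        # and is known to the caller before the transaction is mined.
        r = rarity_from(f"{block_timestamp}:{player}:{token_id}".encode())
        self.rarity[token_id] = r
        return token_id, r


class TwoStepMint:
    """Request/fulfil split (the VRF-style pattern)."""

    def __init__(self):
        self.next_id = 0
        self.pending = {}  # token_id -> player
        self.rarity = {}

    def request(self, player: str) -> int:
        token_id = self.next_id
        self.next_id += 1
        self.pending[token_id] = player
        return token_id    # nothing about rarity is known yet

    def fulfil(self, token_id: int, randomness: bytes) -> str:
        # Sent by the randomness provider in a later transaction; the
        # player is not the sender and cannot make this call revert.
        if token_id not in self.pending:
            raise Revert("unknown or already fulfilled request")
        del self.pending[token_id]
        r = rarity_from(randomness + token_id.to_bytes(8, "big"))
        self.rarity[token_id] = r
        return r


def reroll_same_tx(mint: SameTxMint, player: str, want: int, start_ts: int) -> dict:
    """Attacker contract: mint, revert unless legendary, try again next block."""
    attempts, ts = 0, start_ts
    while sum(r == RARE for r in mint.rarity.values()) < want:
        attempts += 1
        snapshot = (mint.next_id, dict(mint.rarity))  # Python has no EVM rollback
        _, r = mint.mint(ts, player)
        if r != RARE:
            mint.next_id, mint.rarity = snapshot      # emulate the revert
        ts += 1
    return {"attempts": attempts, "minted": len(mint.rarity),
            "rare": sum(r == RARE for r in mint.rarity.values())}


def reroll_two_step(mint: TwoStepMint, player: str, tries: int, seed: int = 0) -> dict:
    """Same attacker against the split design: reverting request() yields
    nothing, and fulfil() is not the attacker's transaction to revert."""
    provider = random.Random(seed)   # constructed stand-in for a VRF coordinator
    ids = [mint.request(player) for _ in range(tries)]
    for token_id in ids:
        mint.fulfil(token_id, provider.randbytes(32))
    return {"attempts": tries, "minted": len(mint.rarity),
            "rare": sum(r == RARE for r in mint.rarity.values())}


if __name__ == "__main__":
    print(reroll_same_tx(SameTxMint(), "0xattacker", want=3, start_ts=1_700_000_000))
    print(reroll_two_step(TwoStepMint(), "0xattacker", tries=2_000))
```

Against SameTxMint the attacker ends up holding only legendary items, at the cost of roughly a hundred reverted transactions per item; against TwoStepMint the same attacker gets the honest rate, because the only transaction it could revert carries no information.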

Smart contract vulnerabilities can also arise when players trade and transfer NFTs. For example, safeTransferFrom() transfers an ERC-721 NFT; when the recipient is a contract, it calls the recipient’s onERC721Received() callback. That callback hands control to the recipient before the calling contract has necessarily finished updating its own state, so an attacker can place reentrant logic inside onERC721Received() and call back into the marketplace or game contract mid-transfer.

Similarly, ERC-1155’s safeTransferFrom() and safeBatchTransferFrom() call onERC1155Received() and onERC1155BatchReceived() on contract recipients, giving attackers the same reentrancy opportunity.
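The reentrancy described here for the ERC-721 and ERC-1155 receiver callbacks and the minting reentrancy discussed under ERC-20 tokens above share one shape: an external call is made before the caller records its own state change. The following Python simulation is an added example, not code from the original article or from any project it mentions. It models a one-per-player free item claim that hands out ERC-721 tokens via safeTransferFrom(), a malicious recipient contract that re-enters from onERC721Received(), and the fix (checks, then effects, then interactions, plus a reentrancy guard). The Revert class, the token and claim classes and the attacker are all constructed, and the model does not roll back state on a revert the way the EVM does, which does not affect the outcome shown.

```python
"""Callback reentrancy against an NFT claim, simulated in Python (added example).

An EVM-style contract lets each whitelisted player claim one free item and
delivers it with safeTransferFrom(), which calls onERC721Received() when
the recipient is a contract. The same shape applies to ERC-1155 receiver
hooks and to ERC-20 minting paths that invoke a hook on the recipient.
"""


class Revert(Exception):
    """Stands in for an EVM revert."""


class ERC721:
    """Minimal token: ownership map plus the receiver hook of safeTransferFrom."""

    def __init__(self):
        self.owner_of = {}

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def safe_transfer_from(self, sender, to, token_id):
        if self.owner_of.get(token_id) is not sender:
            raise Revert("not the owner")
        self.owner_of[token_id] = to
        hook = getattr(to, "on_erc721_received", None)   # contract recipient?
        if hook is not None:
            hook(token_id)                                # control passes to the recipient


class VulnerableClaim:
    """Bug: the 'claimed' effect is recorded AFTER the external call."""

    def __init__(self, nft, token_ids):
        self.nft = nft
        self.inventory = list(token_ids)
        for t in token_ids:
            nft.mint(self, t)
        self.claimed = set()

    def claim(self, player):
        if player in self.claimed:
            raise Revert("already claimed")
        token_id = self.inventory.pop()
        self.nft.safe_transfer_from(self, player, token_id)   # interaction first
        self.claimed.add(player)                              # effect last (too late)


class HardenedClaim(VulnerableClaim):
    """Fix: checks, then effects, then interactions; plus a reentrancy guard."""

    def __init__(self, nft, token_ids):
        super().__init__(nft, token_ids)
        self._entered = False

    def claim(self, player):
        if self._entered:
            raise Revert("reentrant call")
        if player in self.claimed:
            raise Revert("already claimed")
        self._entered = True
        try:
            self.claimed.add(player)                          # effect before the call
            token_id = self.inventory.pop()
            self.nft.safe_transfer_from(self, player, token_id)
        finally:
            self._entered = False


class ReentrantPlayer:
    """Attacker contract: re-enters claim() from inside the receiver hook."""

    def __init__(self, target, want):
        self.target = target
        self.want = want
        self.received = []

    def on_erc721_received(self, token_id):
        self.received.append(token_id)
        if len(self.received) < self.want:
            try:
                self.target.claim(self)          # nested claim before state is updated
            except Revert:
                pass                              # Solidity try/catch keeps the outer tx alive


def run_attack(claim_cls, want=3):
    """Return how many items a single whitelisted attacker ends up holding."""
    nft = ERC721()
    shop = claim_cls(nft, token_ids=[1, 2, 3, 4, 5])
    attacker = ReentrantPlayer(shop, want)
    shop.claim(attacker)
    return sum(1 for owner in nft.owner_of.values() if owner is attacker)


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableClaim))   # attacker drains several items
    print("hardened:  ", run_attack(HardenedClaim))     # exactly one
```

The hardened version would already be safe with the reordering alone, since the nested call now fails the "already claimed" check; the guard is a second line of defence for functions whose state is harder to finalise before the external call.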

Cross-chain bridge vulnerabilities

GameFi uses cross-chain bridges to enable users to exchange in-game assets across different networks. They are also crucial for enhancing user experience and liquidity.

A major risk in cross-chain bridges within GameFi arises from inconsistencies between assets on different chains. The contracts on both sides of the bridge must keep the amount locked or burned on the source chain consistent with the amount minted or released on the destination chain. Vulnerabilities in message validation (for example, accepting forged, duplicated or replayed validator attestations) or in accounting can let attackers compromise the contract and create large amounts of assets out of thin air.
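The destination-side checks that keep the two chains consistent, as an added example in Python; this is not the article's code and not any real bridge's implementation. Validators attest to a deposit on the source chain, and the destination contract credits the recipient only when a quorum of distinct validators signed exactly the (source chain, nonce, recipient, amount) tuple and that nonce has not been processed before. HMAC-SHA256 with per-validator keys stands in for ECDSA signatures so the example runs offline; the validator keys, threshold, deposits and the three abuse attempts are constructed.

```python
"""Destination-side validation for a lock-and-mint bridge (added example).

Validators attest to a deposit on the source chain; the destination
contract credits the recipient only when a quorum of DISTINCT validators
signed exactly this (source_chain, nonce, recipient, amount) tuple and
the nonce has not been processed before. HMAC-SHA256 with per-validator
keys stands in for ECDSA signatures; keys and deposits are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

VALIDATOR_KEYS = {f"validator-{i}": f"constructed-secret-{i}".encode() for i in range(5)}
THRESHOLD = 3  # 3-of-5 quorum


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass(frozen=True)
class Deposit:
    source_chain: int
    nonce: int
    recipient: str
    amount: int

    def digest(self) -> bytes:
        # Every field that gives the message its meaning is bound into the digest,
        # so a signature over one amount cannot be reused for another.
        msg = f"{self.source_chain}|{self.nonce}|{self.recipient}|{self.amount}".encode()
        return hashlib.sha256(msg).digest()


def sign(validator: str, deposit: Deposit) -> tuple:
    return validator, hmac.new(VALIDATOR_KEYS[validator], deposit.digest(), "sha256").digest()


def signature_valid(validator: str, sig: bytes, deposit: Deposit) -> bool:
    key = VALIDATOR_KEYS.get(validator)
    if key is None:
        return False
    expected = hmac.new(key, deposit.digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)


class VulnerableBridge:
    """Counts signatures rather than signers, and forgets processed deposits."""

    def __init__(self):
        self.balances = {}

    def withdraw(self, deposit, signatures):
        valid = sum(signature_valid(v, s, deposit) for v, s in signatures)
        if valid < THRESHOLD:
            raise Revert("quorum not reached")
        self.balances[deposit.recipient] = self.balances.get(deposit.recipient, 0) + deposit.amount


class HardenedBridge(VulnerableBridge):
    def __init__(self):
        super().__init__()
        self.processed = set()   # (source_chain, nonce) already credited

    def withdraw(self, deposit, signatures):
        key = (deposit.source_chain, deposit.nonce)
        if key in self.processed:
            raise Revert("deposit already processed")
        signers = set()
        for validator, sig in signatures:
            if not signature_valid(validator, sig, deposit):
                raise Revert("invalid signature")
            signers.add(validator)          # a validator counts once, however often it signs
        if len(signers) < THRESHOLD:
            raise Revert("quorum not reached")
        self.processed.add(key)             # record before crediting
        self.balances[deposit.recipient] = self.balances.get(deposit.recipient, 0) + deposit.amount


def run_scenarios(bridge_cls):
    """One honest deposit, then three abuse attempts; returns (balances, outcomes)."""
    bridge = bridge_cls()
    honest = Deposit(source_chain=1, nonce=7, recipient="0xplayer", amount=1_000)
    honest_sigs = [sign(v, honest) for v in ("validator-0", "validator-1", "validator-2")]
    bridge.withdraw(honest, honest_sigs)

    forged = Deposit(source_chain=1, nonce=8, recipient="0xattacker", amount=10**9)
    tampered = Deposit(source_chain=1, nonce=9, recipient="0xplayer", amount=5_000)
    attempts = {
        "replay": (honest, honest_sigs),                          # same proof submitted twice
        "one_compromised_key": (forged, [sign("validator-0", forged)] * 3),
        "tampered_amount": (tampered, honest_sigs),               # signatures over 1_000 reused
    }
    outcomes = {}
    for name, (dep, sigs) in attempts.items():
        try:
            bridge.withdraw(dep, sigs)
            outcomes[name] = "credited"
        except Revert as err:
            outcomes[name] = f"rejected ({err})"
    return bridge.balances, outcomes
```

The vulnerable bridge credits the replayed deposit twice and lets a single compromised validator key pass as a full quorum; only the tampered amount is stopped, because the signed digest binds the amount. The hardened bridge rejects all three.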

DAO governance vulnerabilities

Many GameFi projects are managed by DAOs. If the majority of governance tokens are held by a few large holders, governance is effectively centralized and those holders can push through proposals in their own interest. The smart contracts that define the DAO’s governance rules are another potential vulnerability: flaws in proposal, voting or execution logic may give attackers access to the DAO treasury.

Off-chain security challenges

Most GameFi projects still rely on centralized servers for backend operations, web interfaces, or mobile applications. These servers store critical information, including game state and player account data, and are exposed to intrusion and malware like any other web infrastructure.

NFT metadata (the name, image and attributes that describe a token) is usually a JSON file stored off-chain, with the contract holding only a tokenURI pointer to it. Many GameFi projects store this metadata on centralized servers rather than on content-addressed storage such as IPFS. A file behind a mutable HTTPS URL can be changed by the operator, or by an attacker who compromises the server, without any on-chain change, silently altering what a player’s asset is and infringing on players’ rights.
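One way a client (a wallet, marketplace or the game itself) can detect tampered metadata, as an added Python example that is not the article's code: it assumes the mint contract stored, per token, the SHA-256 of the metadata's canonical JSON form (sorted keys, no insignificant whitespace) next to the tokenURI, and it recomputes that digest over whatever the server returns. The metadata document, the on-chain token records and the sample server responses are constructed, and the ipfs:// CIDs are placeholders rather than real content identifiers.

```python
"""Verifying off-chain NFT metadata against an on-chain commitment (added example).

Assumes the mint contract stored, per token, the sha256 of the metadata's
canonical JSON form (sorted keys, no insignificant whitespace) next to the
tokenURI. A client that fetches the JSON from wherever tokenURI points
recomputes the digest and refuses metadata that does not match.
"""
import hashlib
import json


def canonical_digest(metadata: dict) -> str:
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def uri_is_content_addressed(token_uri: str) -> bool:
    """ipfs:// and ar:// name content by its hash; https:// names a server someone controls."""
    return token_uri.startswith(("ipfs://", "ar://"))


def verify_metadata(onchain_record: dict, fetched_body: str) -> tuple:
    """Return (accepted, reason) for a metadata document fetched from tokenURI."""
    try:
        metadata = json.loads(fetched_body)
    except json.JSONDecodeError:
        return False, "metadata is not valid JSON"
    if not isinstance(metadata, dict):
        return False, "metadata is not a JSON object"
    if canonical_digest(metadata) != onchain_record["metadata_sha256"]:
        return False, "digest mismatch: metadata differs from what was minted"
    if not uri_is_content_addressed(onchain_record["token_uri"]):
        return True, "digest ok, but tokenURI is mutable: the server can serve different bytes later"
    return True, "digest ok and tokenURI is content-addressed"


# Constructed sample: the metadata as it was at mint time.
MINTED_METADATA = {
    "name": "Dragonfang Blade",
    "description": "Starter-dungeon drop",
    "image": "ipfs://example-image-cid",      # placeholder, not a real CID
    "attributes": [
        {"trait_type": "rarity", "value": "legendary"},
        {"trait_type": "attack", "value": 87},
    ],
}

# Constructed on-chain records: same commitment, two kinds of tokenURI.
ONCHAIN_RECORD_IPFS = {
    "token_id": 42,
    "token_uri": "ipfs://example-metadata-cid",   # placeholder CID
    "metadata_sha256": canonical_digest(MINTED_METADATA),
}
ONCHAIN_RECORD_HTTPS = dict(ONCHAIN_RECORD_IPFS, token_uri="https://api.example-game.invalid/nft/42")


def tampered_copy() -> dict:
    """Same document with the rarity downgraded, as a compromised server might serve it."""
    doc = json.loads(json.dumps(MINTED_METADATA))
    doc["attributes"][0]["value"] = "common"
    return doc


# Constructed server responses a client might receive for token 42.
SAMPLE_RESPONSES = {
    "pretty_printed": json.dumps(MINTED_METADATA, indent=2),                   # same content, other bytes
    "reordered_keys": json.dumps(dict(reversed(list(MINTED_METADATA.items())))),
    "tampered": json.dumps(tampered_copy()),
    "garbage": "<html>503 Service Unavailable</html>",
}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, verify_metadata(ONCHAIN_RECORD_IPFS, body))
    print("https", verify_metadata(ONCHAIN_RECORD_HTTPS, SAMPLE_RESPONSES["pretty_printed"]))
```

Canonicalising before hashing is what lets a correct server change formatting or key order without breaking the check, while a single changed attribute value fails it. The commitment catches tampering after the fact; a content-addressed tokenURI is what prevents the operator from serving different bytes in the first place.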

In cross-chain bridge scenarios, attackers can infiltrate validator infrastructure or run phishing campaigns to obtain validators’ signing keys, as in the Axie Infinity incident above. With enough keys they can forge the attestations that release or mint bridged in-game assets, without touching the bridge contracts themselves.

If the channel between client and server, or the messages it carries, are not authenticated, attackers can intercept and modify traffic in transit. By altering request data such as a recharge amount or a purchase quantity, they can perform fake recharges and obtain more game items than they paid for, unless the server verifies every amount against a trusted source (a signed payment receipt or the on-chain transaction) instead of trusting the client.

Frontend interfaces provide another avenue for infiltration. If a game’s leaderboard exposes internal identifiers such as player wallet addresses or account IDs, an attacker can submit those identifiers to backend endpoints that look up data by identifier alone, without checking that the caller owns the account, and obtain other players’ sensitive information.
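Both off-chain problems just described (a recharge amount taken from the request, and a profile looked up by a client-supplied address) come down to where the server draws its trust boundary. The following Python example is added here and is not the article's code; it models two backend endpoints as methods of a Backend class so it runs offline. The vulnerable versions trust request fields; the hardened versions take the amount from a receipt signed by the payment service and the identity from the authenticated session. HMAC-SHA256 stands in for the payment service's signature, and the key, sessions, player profiles and requests are constructed.

```python
"""Server-side trust boundary for a game backend (added example).

recharge_*: credits gems after a payment. The vulnerable version credits the
amount the client claims; the hardened version credits only an amount in a
receipt signed by the payment service, once, and only to its owner.
profile_*: returns player data. The vulnerable version looks up whatever
address the client names (an IDOR); the hardened version uses the session.
"""
import copy
import hmac

PAYMENT_KEY = b"constructed-payment-service-key"   # shared with the payment service only
GEMS_PER_UNIT = 10

SESSIONS = {"sess-alice": "0xalice", "sess-bob": "0xbob"}    # session token -> player
PROFILES = {
    "0xalice": {"email": "alice@example.com", "gems": 0, "inventory": ["sword-7"]},
    "0xbob": {"email": "bob@example.com", "gems": 0, "inventory": []},
}


def _receipt_body(order_id, player, amount) -> bytes:
    return f"{order_id}|{player}|{amount}".encode()


def issue_receipt(order_id: str, player: str, amount: int) -> dict:
    """What the payment service returns once money has actually arrived."""
    sig = hmac.new(PAYMENT_KEY, _receipt_body(order_id, player, amount), "sha256").hexdigest()
    return {"order_id": order_id, "player": player, "amount": amount, "sig": sig}


class Backend:
    def __init__(self):
        self.profiles = copy.deepcopy(PROFILES)
        self.redeemed = set()          # order ids already credited

    def _player(self, request) -> str:
        player = SESSIONS.get(request.get("session"))
        if player is None:
            raise PermissionError("not authenticated")
        return player

    def recharge_vulnerable(self, request) -> int:
        """Credits whatever amount the client says it paid."""
        player = self._player(request)
        self.profiles[player]["gems"] += int(request["amount"]) * GEMS_PER_UNIT
        return self.profiles[player]["gems"]

    def recharge_hardened(self, request) -> int:
        """Credits only an amount attested by the payment service, once, to its owner."""
        player = self._player(request)
        r = request["receipt"]
        body = _receipt_body(r["order_id"], r["player"], r["amount"])
        expected = hmac.new(PAYMENT_KEY, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, r["sig"]):
            raise ValueError("receipt signature invalid")      # amount or player was altered
        if r["player"] != player:
            raise PermissionError("receipt belongs to another player")
        if r["order_id"] in self.redeemed:
            raise ValueError("receipt already redeemed")       # replayed request
        self.redeemed.add(r["order_id"])
        self.profiles[player]["gems"] += int(r["amount"]) * GEMS_PER_UNIT
        return self.profiles[player]["gems"]

    def profile_vulnerable(self, request) -> dict:
        """Logged in, yes, but the record returned is whichever address was sent."""
        self._player(request)
        return self.profiles[request["address"]]

    def profile_hardened(self, request) -> dict:
        return self.profiles[self._player(request)]


def attempt(handler, request) -> str:
    """Run a handler and report the outcome as a string."""
    try:
        return f"ok: {handler(request)}"
    except (PermissionError, ValueError) as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    b = Backend()
    print(attempt(b.recharge_vulnerable, {"session": "sess-bob", "amount": 1_000_000}))
    receipt = issue_receipt("order-1", "0xbob", 5)
    print(attempt(b.recharge_hardened, {"session": "sess-bob", "receipt": receipt}))
    print(attempt(b.recharge_hardened, {"session": "sess-bob", "receipt": dict(receipt, amount=1_000_000)}))
    print(attempt(b.recharge_hardened, {"session": "sess-bob", "receipt": receipt}))
    print(attempt(b.profile_vulnerable, {"session": "sess-bob", "address": "0xalice"}))
```

The receipt check makes packet tampering pointless: changing the amount invalidates the signature, and resending a valid receipt is caught by the redeemed set. In a real deployment the receipt would be the payment provider's signed callback or the on-chain transfer event, read by the server rather than relayed by the client.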

How to improve security

To protect GameFi projects, caution must be exercised at every stage. Correct smart contract code is the foundation: write high-quality code, conduct regular independent audits, and apply formal verification to the contracts that hold or mint assets.

Maintaining the security of servers and other infrastructure components is also critical; penetration testing should be performed regularly so that vulnerabilities are found before attackers find them. Penetration tests of DApps and blockchain-based systems should cover the Web3-specific surface as well as the conventional web one: wallet connection and transaction-signing flows, and the decentralized protocols the game integrates, each need their own test cases and precautions.

GameFi projects should also follow other best practices, including secure operational processes and a comprehensive incident response plan. The former covers monitoring for triggered security events, hardening the runtime environment, and running a bug bounty program.

The latter should define stop-loss measures (such as pausing affected contracts or bridges), tracing of the attacker and the stolen funds, and root-cause analysis so the flaw is fixed rather than patched around.

Conclusion

Security vulnerabilities in GameFi are not limited to those discussed in this article. Repeated incidents show that many projects overlook or downplay security risks. GameFi is an important part of the future of the gaming industry, so every project should treat security as a priority and put the interests of its community first.
