What Are the Common Security Issues in GameFi?

This article is a community submission. The author is Zhangchi Qin, a smart contract auditor at holistic blockchain security company Salus Security. 
Views in this article are of the contributor / author and do not necessarily reflect those of Binance Academy.
TLDR:
GameFi projects face various security challenges that can be classified as on-chain and off-chain issues. 
On-chain security challenges mainly involve the management of ERC-20 tokens and NFTs, the safety of cross-chain bridges, and decentralized autonomous organization (DAO) governance. 
Off-chain challenges, on the other hand, are typically related to web interfaces and servers. 
GameFi projects should prioritize security measures, such as rigorous audits, vulnerability scanning, and penetration testing, as well as implement best operational practices and business controls.
Introduction GameFi combines blockchain technology with gaming to create decentralized platforms featuring in-game assets and digital currencies. It typically features a play-to-earn (P2E) model that allows players to earn crypto rewards. GameFi also gives gamers true ownership and complete control over their in-game assets.
While GameFi is gaining popularity, it’s facing continuous and significant threats from hacks throughout its life cycle. Some projects may value speed over quality and therefore, lack robust security precautions, putting both the community and creators at risk of significant losses.
Why Is GameFi Security Important? GameFi experienced considerable growth in 2021 with its P2E model offering players novel in-game financial opportunities. In 2022, move-to-earn projects further highlighted GameFi’s growth potential. GameFi was crypto’s top sector in 2022, accounting for approximately 9.5% of the industry’s total funding and year-on-year growth of over 118%.
GameFi is different from traditional gaming because more is at stake for users and any hack could mean significant losses for them. In extreme scenarios, security breaches could end a project. 
For example, attackers exploited a backdoor in a Remote Procedure Call (RPC) node to obtain a signature on the GameFi project Axie Infinity in 2022, allowing attackers to carry out unauthorized withdrawals totalling nearly $600 million in ETH. Any vulnerabilities in GameFi projects could result in massive losses for both investors and players, underscoring the critical importance of GameFi security.
On-chain Security Challenges ERC-20 token vulnerabilities ERC-20 tokens are frequently used in GameFi projects as a virtual currency for in-game purchases, reward mechanisms for players, and a means of exchange. 
Improper minting and management of ERC-20 tokens can introduce security risks. One common vulnerability, called reentrancy, may arise during the minting process. Attacks can exploit the logic loophole in a contract to repeatedly execute a specific function, resulting in the infinite minting of tokens.
As universal in-game currencies, ERC-20 tokens’ stability and quantity determines a game’s playability and sustainability. Hence, projects should ensure the logic of codes and strictly control the total supply of ERC-20 tokens. 
P2E GameFi project DeFi Kingdoms was attacked by malicious ERC-20 minting in 2022. Some players leveraged the logic vulnerability to mint the game’s locked native tokens, causing the token price to plummet afterwards.
NFT vulnerabilities NFTs are primarily used as in-game virtual assets in GameFi projects, including equipment, props, and souvenirs. They offer players clear ownership and can maintain stable value via inflation control and scarcity. However, improper use of NFTs can introduce security vulnerabilities.
The value of NFTs is reflected in the rarity of equipment or props, with players typically seeking the rarest NFTs. During the NFT minting process, block-related information like timestamps may be used as a weak random source for generating NFTs with different levels of rarity.A miner can manipulate the block timestamp to some extent in order to maliciously mint rarer NFTs. 
Even a reliable source of randomness, such as Chainlink VRF (Verifiable Random Function), does not remove all risks. Malicious users can revoke operations while minting unwanted NFT token IDs and repeat the process until a rare NFT is minted.
When players trade and transfer NFTs, potential smart contract vulnerabilities may occur. For example, the function safeTransferFrom() is used to transfer ERC-721 NFTs. When the receiver is a contract address, the function onERC721Received() will be triggered for a callback. Then there is the potential risk of the reentrancy attacks, whereby attackers can dictate the logic within the function on ERC721Received(). 
This risk also exists among ERC-1155 NFTs, whereby the function safeTransferFrom() triggers the function onERC1155Received() and allows attackers to carry out a reentrancy attack.
Bridge vulnerabilities Cross-chain bridges are used in GameFi to allow users to exchange in-game assets across different networks. They are also critical for enhancing GameFi’s experiences and liquidity.
One major risk of cross-chain bridges in GameFi comes from inconsistencies among in-game assets. The contracts on both sides of the bridge should guarantee that the same amount of assets will be accepted and burned. However, due to loopholes in the contracts for verifying and accounting, attackers can compromise them to create a large number of assets out of thin air.
DAO governance vulnerabilities Many GameFi projects are governed by DAOs, which may introduce the risk of centralization if the majority of governance tokens are owned by a few large actors. Smart contracts that define DAO governance rules open up another venue for potential compromises, as attackers can find ways to access the DAO treasury.
Off-chain Security Challenges Most GameFi projects still depend on off-chain centralized servers for back-end operations, web interfaces, or mobile apps. These servers house critical information, including game data and owner accounts, and they are vulnerable to malicious attacks like penetration and Trojan horse malware. 
When it comes to NFTs, metadata contains important descriptive information and is stored off-chain as JSON files. However, many GameFi projects store their NFT metadata on their own centralized servers instead of using decentralized infrastructure like IPFS. This increases the likelihood of metadata tampering by related parties or attackers, which could infringe on players’ rights.
In the context of cross-chain bridges, attackers may obtain validators’ signatures or private keys through penetration or phishing attacks. They can compromise the infrastructure and execute an exploit to control in-game assets.
During data transmission, attackers may hijack and inject the network packet with malicious code. By modifying the data package, attackers may implement false top-ups and use the unit purchase amount to get more game items. 
Front-end interfaces give attackers another avenue to maliciously infiltrate the system. If an information leak occurs on the leaderboard of one game, attackers can send the leaked address-related information to the server to obtain corresponding sensitive information.
Ways To Improve SecurityTo safeguard GameFi projects, it’s crucial to exercise caution at every stage. Ensuring flawless smart contract codes is the foundation of a successful GameFi project — this involves writing high-quality code, conducting regular audits, and using formal smart contract verification. 
Maintaining the security of servers and other infrastructure components is also critical; penetration testing should be conducted to detect possible vulnerabilities. With DApp- and blockchain-based systems, penetration testing brings with it Web3 features. As such, specific precautions are necessary for digital wallets and decentralized protocols.
GameFi projects should also adhere to other best practices, including a secure runtime process and complete emergency response. The former involves monitoring triggered security events, hardening environment security, and releasing bug bounty programs.
At the same time, projects must develop a complete emergency response process that includes aspects such as stop-loss disposal, attack tracking, and issue analysis.
Closing ThoughtsGameFi’s security vulnerabilities go beyond those mentioned in this article and many incidents have shown that projects have ignored or downplayed security risks. GameFi is a significant part of the future of gaming. As such, projects should always pay attention to security issues and put their communities’ interests first.
Further ReadingWhat Is GameFi and How Does It Work?
What Are NFT Games and How Do They Work?
What Is a Smart Contract Security Audit?

Disclaimer and Risk Warning: This content is presented to you on an “as is'' basis for general information and educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal, or other professional advice, nor is it intended to recommend the purchase of any specific product or service. You should seek your own advice from appropriate professional advisors. Where the article is contributed by a third-party contributor, please note that those views expressed belong to the third-party contributor and do not necessarily reflect those of Binance Academy. Please read our full disclaimer here for further details. Digital asset prices can be volatile. The value of your investment may go down or up, and you may not get back the amount invested. You are solely responsible for your investment decisions, and Binance Academy is not liable for any losses you may incur. This material should not be construed as financial, legal, or other professional advice. For more information, see our Terms of Use and Risk Warning.