DeFi games are games where virtual items such as armor, animals or natural resources can be purchased or acquired for fun, progress and profit in the form of cryptocurrencies or tokens. These virtual objects may be represented by Non-Fungible Tokens (NFT), which record the ownership or authenticity of these assets in the wallet of the user, who is free to use or sell them directly without needing to go through an intermediary. This is how DeFi (Decentralized Finance) video games work: they use blockchain technology to manage the game economy, give users control of their assets and offer the opportunity to make a profit.
What concepts do you need to know to understand how DeFi games work?
- Web3. Evolution of the web based on decentralized technology that allows users to have greater control over their data. Through the blockchain, for example, they can have digital properties such as tokens, images, music or any type of file and can sell or exchange them without having to go through a third party.
- Smart contract. The computer programs that contain the code with all the rules and programmed logic required to operate the decentralized applications. They are automatically executed on the blockchain as soon as specific conditions and clauses are met.
- DeFi. Decentralized finance applications in which all the rules and conditions are defined in so-called smart contracts and, therefore, without the need to place trust in an entity. DeFi applications include video games as a category.
- P2E. The play-to-earn model is linked to this type of game, since it gives players the opportunity to earn tokens with a real market value by reaching levels within the video game. Players can buy and sell items, which are the assets used to advance in the game, such as swords or armor. This is how players may generate earnings.
These types of apps combine the fun and interaction typical of video games with the features and advantages of blockchain technology and decentralized finance. They became popular in 2021 and, although they experienced a slowdown in 2022, they have become an attractive option for many gamers and blockchain enthusiasts. However, the use of these apps is risky and may incur heavy losses, as a breach can give attackers access to funds which they can use to manipulate the gaming market. That is why security should be a major concern in this field, especially in terms of protecting user assets.
Impact of DeFi games
DeFi protocols form an increasing target for cybercriminals. In 2021 alone, more than $10 billion was lost to cyberattacks and scams, according to data from blockchain analytics company Elliptic. And the fact is that these platforms move large amounts of money. One of the most popular DeFi games, ‘Axie Infinity’, with over 100,000 daily users, can move more than $65 million in 24 hours, according to data compiled by CoinMarketCap. That is why security is one of the biggest challenges that the emerging blockchain environment must address.
Audit of 27 DeFi games for safety and transparency
In this context, and within the framework of ethical hacking practices to identify and expose possible security breaches, the team of Sofistic, Cuatroochenta's cybersecurity unit, has carried out research to audit and analyze the security measures of 27 different DeFi games. 70% of these games had already been launched on the market and the others were in a beta or development version.
The audit, which was carried out in collaboration with Bit2Me, a company specialized in cryptocurrencies, was based on the information that appeared both on the websites of the games and in their GitHub repositories, as well as on all the blockchain data. The investigation focused on three key security components for this type of game: smart contracts, clients such as apps or websites, and servers.
Main research findings
Findings ranked by number of failures:
1 · Weak authentication and validation measures
Authentication, access control and the management of sensitive information are crucial elements to ensure the privacy and security of data and resources and to mitigate possible threats. In this respect, one of the most critical flaws allowed access to several user accounts, bypassing the login. This breach was detected in 3 of the 27 games investigated.
Regarding privacy, the research also found that 38% of the projects presented access control failures to some degree, making sensitive information visible to other users. For example, in a ranking of winners, the user's email and wallet appeared together with personal information, when all that should have been displayed were the user's email and ranking.
Another failure detected in authentication and access control is that 65% of the games verified the data entered by users incorrectly or insufficiently before processing it and storing it in the database. Although all systems encoded output data well, some allowed erroneous or potentially harmful data to be entered into registration fields, such as the user's name or email address. This could alter the internal workings of the platform or be used to carry out attacks. A lack of control over access to the administrative functions of the contracts was also detected. In one case, for example, anyone could call the function that changes the contract in charge of calculating the purchase or bid price of an NFT, and could therefore plug in a malicious contract that would allow them to make purchases at zero price or steal all of a user's tokens.
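The price-calculator case above, as an added Solidity example that is not code from any of the audited games: a marketplace whose calculator address can be replaced by anyone, beside a version that restricts the change to the owner, rejects the zero address, logs the change in an event and refuses to sell below a price floor. The interface, contract and function names and the price floor value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface of the contract that computes NFT prices.
interface IPriceCalculator {
    function price(uint256 tokenId) external view returns (uint256);
}

// BEFORE: anyone can replace the calculator with one that returns 0,
// after which every NFT in the marketplace can be bought for nothing.
contract VulnerableMarketplace {
    IPriceCalculator public calculator;
    constructor(IPriceCalculator c) { calculator = c; }

    function setPriceCalculator(IPriceCalculator c) external {
        calculator = c; // no check on msg.sender
    }

    function buy(uint256 tokenId) external payable {
        require(msg.value >= calculator.price(tokenId), "underpaid");
        // NFT transfer to msg.sender omitted for brevity
    }
}

// AFTER: only the owner can change the calculator, the zero address is
// rejected, the change is logged, and a price floor limits the damage
// even if a bad calculator is ever installed.
contract HardenedMarketplace {
    address public immutable owner;
    IPriceCalculator public calculator;
    uint256 public constant MIN_PRICE = 1e15; // 0.001 ether, constructed floor
    event PriceCalculatorChanged(address indexed previous, address indexed current);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IPriceCalculator c) { owner = msg.sender; calculator = c; }

    function setPriceCalculator(IPriceCalculator c) external onlyOwner {
        require(address(c) != address(0), "zero address");
        emit PriceCalculatorChanged(address(calculator), address(c));
        calculator = c;
    }

    function buy(uint256 tokenId) external payable {
        uint256 p = calculator.price(tokenId);
        require(p >= MIN_PRICE, "price below floor");
        require(msg.value >= p, "underpaid");
        // NFT transfer to msg.sender omitted for brevity
    }
}
```

The event makes every calculator change visible on-chain, which is what an auditor or a user watching the contract needs in order to notice a suspicious swap.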
2 · Lack of transparency in the contracts that manage the gaming economy
Smart contracts are the instrument that provides maximum guarantee and trust to any decentralized project. In the same way as a legal contract, users can know and verify the terms and conditions of the game and have the guarantee and confidence that they will be fulfilled. That is why transparency must be an intrinsically linked attribute. Some projects claim to operate on the blockchain, but do not really take advantage of its benefits and leave parts outside the blockchain, opening the door to possible abuses, manipulations or misappropriations.
What are the minimum requirements?
- Document which use cases are covered by the blockchain logic and which are left out.
- Document the operation or flow of the economic part of the project in the contracts and the tokenomics.
- Publish the addresses of all contracts, as well as their code and audit reports.
- Document the functionality of each contract.
What is the purpose?
- Review and verify that the documentation explains all the application logic, both centralized and decentralized.
- Check that the addresses of the smart contracts are included in the documentation and that their code is public.
- Check, through the audit report and the code of the contracts, whether there are vulnerabilities or abusive functions.
- Check that what is implemented in the code of the contracts complies with what is stated in the documentation and, therefore, will be respected.
«All projects should publish the code of their contracts so it is accessible and reviewable to be able to verify that what is executed on the blockchain matches the documentation and that it does not contain vulnerabilities»
Tokenomics, defined as the way in which tokens are distributed and managed in the game, should be included in the technical information of the projects and the contracts should reflect how they are implemented. The reality, as far as we have been able to ascertain, is different. Although a large majority, 8 out of 10, had a section dedicated to the rules in their technical documentation, only 10% implemented them through contracts.
The audit also found that only 1 out of the 27 games audited provided information on the part that was implemented outside the blockchain. Each platform should clearly indicate which parts of the game are implemented on the blockchain and which parts are not, so as not to confuse the user, as there may be systems where the only items operating on the decentralized technology are the tokens that are used as an asset.
3 · Few external audits to guarantee security
4 · Abusive capital management practices
72% of the audited games act in an abusive manner or have overly powerful administrator roles, the research reveals. Some of these practices include adding addresses to a "Black List" to freeze tokens, changing the percentage of transaction fees to benefit the administrator, or creating an unlimited number of tokens with no restrictions on the administrator. These are practices that can affect the value of tokens and that often go unnoticed by ordinary users.
The audit has also revealed that there are games that allow administrators to transfer or destroy tokens from users without their consent or withdraw all funds to an address with just one click. While these are practices probably designed to protect users' funds in case of emergency, they pose a great risk in case the administrator's account is hacked and attackers gain access to the funds.
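One way to keep administrator powers bounded in code rather than in promises, as an added Solidity example that is not code from any of the audited games: a minimal game token with a hard supply cap, a transaction fee that can never exceed a fixed ceiling and only takes effect after a public delay, and no function that lets the administrator move or burn another holder's balance. All names and the cap, ceiling and delay values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Game token whose administrator powers are bounded in code: capped supply,
// capped and delayed fee changes, and no way to move or burn others' balances.
contract BoundedGameToken {
    uint256 public constant MAX_SUPPLY = 1_000_000 * 1e18; // constructed cap
    uint256 public constant MAX_FEE_BPS = 500;  // fee can never exceed 5%
    uint256 public constant FEE_DELAY = 2 days; // holders get time to react
    address public immutable owner;
    address public immutable treasury;
    uint256 public totalSupply;
    uint256 public feeBps;
    uint256 public pendingFeeBps;
    uint256 public pendingFeeAt; // 0 until a fee change is proposed
    mapping(address => uint256) public balanceOf;
    event FeeProposed(uint256 bps, uint256 effectiveAt);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(address treasury_) { owner = msg.sender; treasury = treasury_; }

    // The supply cap is enforced here, not merely promised in the tokenomics.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= MAX_SUPPLY, "supply cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Fee changes are bounded and announced first; anyone may apply them later.
    function proposeFee(uint256 bps) external onlyOwner {
        require(bps <= MAX_FEE_BPS, "fee above cap");
        pendingFeeBps = bps;
        pendingFeeAt = block.timestamp + FEE_DELAY;
        emit FeeProposed(bps, pendingFeeAt);
    }

    function applyFee() external {
        require(pendingFeeAt != 0 && block.timestamp >= pendingFeeAt, "delay not over");
        feeBps = pendingFeeBps;
    }

    // Only the holder can move their own tokens; the fee goes to the treasury.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 fee = amount * feeBps / 10_000;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[treasury] += fee;
        return true;
    }
}
```

Because the caps and the delay are constants, a reader of the verified source can confirm the limits without trusting the documentation, and a holder can see a pending fee change on-chain before it applies.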
5 · Outdated software and configurations
6 · Manual transactions
Decentralized finance platforms, which move large sums of money on a daily basis, must be as transparent as possible to generate trust and certify that they are not involved in any kind of cheating or manipulation. The Sofistic team has been able to verify that, in some games, critical transactions such as the exchange of tokens for real money are validated manually, opening the door to possible human error or manipulation and, moreover, to the possible loss or leakage of keys. All transactions should be automated through smart contracts, so that they are executed with maximum guarantees and their value is checked in real time.
Although 8 out of 10 games include a section on token economics in their technical information, only 10% implement it through a smart contract that certifies that no cheating or manipulation takes place. In addition, most games (7 out of 10) that have a marketplace, for example to sell NFTs or exchange tokens, manage it themselves without resorting to third parties. Although providing your own trading platform saves on commissions and offers more freedom to customize the process, it is more prone to vulnerabilities than a third-party platform that has been more thoroughly tested.
7 · The maturity of the code is lacking
60% of the audited code lacks descriptive comments about its functionality that would help other developers or users. Descriptive comments, considered a good development practice, help in maintaining solutions and debugging. Testing is also a good development practice to check the proper functioning of the code and may help to avoid some of the bugs found that could, for example, render the entire marketplace of the game unusable.
In addition, some contracts consume a significant amount of computational resources, known as "gas", to execute, which generates higher costs. Other faults detected include repeated code, unused code and code with insecure functions. Taken together, these deficiencies hint at a lack of development experience, according to the research, which warns that this type of problem can persist over time, since smart contracts are generally immutable and therefore impossible to update or alter.
Methodology for auditing solutions operating on the blockchain
Following the usual ethical hacking procedure, all of these vulnerabilities were reported to the developers and manufacturers of the audited games to make them aware of the possible security breaches to allow them the opportunity to fix them. In addition, based on pentesting experience, the Sofistic team has established a methodology for investigating and auditing both smart contracts and Web3 security or other projects and solutions operating on the blockchain.
An in-depth cybersecurity audit is required to review all the components of the project, from code analysis to the evaluation of the different elements both inside and outside the blockchain. Although the decentralized technology itself is considered safe and reliable because it is cryptographically protected, the added components may have their own security gaps. These projects must be made secure and external threats must be minimized as much as possible.
The vulnerabilities and lack of transparency detected in DeFi games could be exploited by cybercriminals to manipulate the game and take control of the tokens.
An external audit is the best way for this type of platform to protect the funds and assets of users, giving them maximum confidence.