Big hack on games to earn crypto games a “matter of time:” Report

by · August 4, 2022

“Unsatisfactory” cybersecurity measures among play-to-earn (P2E) crypto games pose a major risk to GameFi projects and their players, warns blockchain cybersecurity auditor Hacken.

In a Monday report shared with Cointelegraph, Hacken said that data indicates that GameFi projects, the category into which P2E games would fall, often “put profit over security” by releasing products without taking appropriate precautions against hackers:

“GameFi Projects […] fail to follow even the most essential cybersecurity recommendations, leaving malicious actors with many entry points for attack.”

P2E games often feature non-fungible tokens (NFTs) in their ecosystems in addition to crypto. The largest projects, such as Axie Infinity (AXS) and StepN (GMT), use a wide range of products designed to improve the gaming experience, such as token bridges, blockchain networks or physical goods.

Hacken researchers found that based on data collected by the crypto security rating service CER.live., there were serious deficiencies in GameFi cybersecurity in particular. It found that of 31 GameFi tokens studied, none received the top AAA security rating while 16 received the worst D score.

The rankings for each project were determined by weighting various aspects of their cybersecurity, such as token audits, whether they have a bug bounty and insurance, and whether the team is public.

Hacken’s report explained that GameFi projects typically scored low as it found that no P2E projects had insurance coverage, which could help projects recover funds immediately in the event of a hack.

The lack of insurance has been partially confirmed by crypto insurer InsurAce’s chief marketing officer Dan Thomson, who told Cointelegraph on Thursday that it did not cover any P2E projects.

The report also found that only two projects have an active bug bounty program in place. Axie Infinity and Aavegotchi have bug bounties that provide monetary compensation to white hat hackers for finding bugs in the project’s code.

Finally, it found that while 14 projects have received a token audit, only five have completed a platform audit that can find potential security holes throughout the project’s ecosystem. These include Aavegotchi, The Sandbox, Radio Caca, Alien Worlds and DeFi Kingdoms.

The report also pointed to token bridges as a vulnerability for P2E games. Axie Infinity’s Ronin token bridge was the site of one of the crypto industry’s biggest hacks ever when it lost over $600 million worth of tokens in March.

Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis

As P2E games grow in popularity, there will likely be an increase in the number of security exploits and dollar value stolen from projects, Hacken said. The firm has advised players to carry out their own security checks on projects before sinking a large sum of money into them:

“And, of course, remember that investing in P2E is still a potentially profitable but rather risky affair.”

On Wednesday, cryptoanalyst Miles Deutscher asked rhetorically where the next cryptosecurity concern might come from. Deutscher may have the answer.