Bugs in Manarium Play-to-Earn show encryption insecurity

A proof-of-concept (PoC) hack of the Manarium play-to-earn (P2E) gaming platform allowed researchers to arbitrarily change their scores to win daily tournaments and collect crypto tokens, while avoiding the initial buy-in required to access the system.

P2E gaming (also known as GameFi or cryptogaming) involves the use of non-fungible tokens (NFTs) as a kind of in-game currency: players can sell their NFTs to other collectors and players for use as avatars and other role-playing devices, and they can earn them by winning games or through in-game advertising.

There are several models, and so far P2E has been very successful: “The play-to-earn market has become one of the biggest niches in Web 3.0,” according to an analysis by Hacken last August, published on the eGamers website. “The market value of play-to-earn projects, at the beginning of July 2022, is $6.5 billion, and the daily trading volume is greater than $850 million.”

As is the case in the decentralized finance (DeFi) arena, the growing volume of crypto transactions flowing through P2E games has attracted cybercrime, according to new analysis by researchers at Blaze Information Security. So they set out to test the security of the Manarium platform and encountered three layers of insecurity along the way.

Easy ways to play the game system

In Manarium’s case, the platform supports mini-games that each offer a daily tournament. Users connect their wallet to the game and are verified; they pay 300 ARI (a type of token that can be exchanged for NFT art) in ante; then they play in a tournament hoping to win part of the prize pool (in the form of more ARI). Once the tournament is over, the game’s back-end server tallies the scores, and connects to the winners’ smart contracts to pay out the earnings to users’ verified cryptocurrency wallets.

First, while parsing one of the platform’s JavaScript files, the Blaze researchers spotted an obviously named function: “UpdateAccountScore.”

The function writes the score to the back end with the following call: firebase.firestore().collection("GameName").doc("USER_WALLET").set(JSON.parse("{\"wallet\":\"USER_WALLET\",\"score\":SCORE}")). The researchers found that they could change these parameters at will from the browser console on the game window in the Manarium interface.

“This vulnerability is more dangerous because they did not verify if the user paid the original tax (300 ARI) to play the game when he paid (for winners), so anyone who just runs this line of code can receive tokens without playing the game or paying the tax,” according to the analysis.

Manarium quickly fixed the vulnerability, but the update itself was flawed because it added hard-coded credentials into the mix.

“Manarium Team changed the way to send the scoreboard [data] to [back-end] the service, by adding authentication before sending the data, and this authentication must only be done via an admin account,” according to the analysis. “The problem was that the Manarium Team hardcoded [admin] credentials on the file ‘Build.data.’”

This allowed the researchers to manipulate the game data by entering the credentials, generating an authentication token and updating the score.

In response, Manarium implemented what it called a “Super Anti-Cheat” that used behavioral analytics to root out abusers.

Super Anti-cheat error

As the researchers described, “Anti-cheat validates the following fields: sessionTime, timeUTC and score, where the user must have sufficient time to make the score. In other words, if a user scores 10 points during a session time of one second, this is impossible [and] the anti-cheat will detect a possible cheater.”

However, it took the Blaze researchers less than 20 minutes to bypass the anti-cheat mechanism. They created “a script with a human behavior (a simple sleep and some random numbers) that will generate a high score in a timed human compatible [way],” according to the post. And to add insult to injury, “in the next versions of the script, we implemented … multithreading and support to exploit all three games simultaneously.”

Manarium eventually locked down its system with a signing key: data that is not signed with it can no longer be generated or modified by a user.

Blaze confirmed that the fix works, but the hunt (game?) is still on: “Future research will focus on searching for this key and again attempting another bypass,” the post concluded.

GameFi: Underperforming cybersecurity

The research adds to a growing drumbeat of concern around the crypto gaming sector. An analysis by Hacken last August concluded that P2E games generally have an “unsatisfactory” level of cyber security preparedness – and that a major hack on one of the platforms is “only a matter of time” because they “put profit over security”.

But the stakes for P2E players and investors are high: For example, in March 2022, a theft of $625 million in the Axie Infinity game caused the platform to see a massive drop in the number of users and the amount of money deposited by players per week. It is a setback from which it has yet to recover.

“GameFi projects … fail to follow even the most essential cybersecurity recommendations, leaving malicious actors with multiple entry points for attack,” according to the Hacken report, which characterizes this as a major oversight given how juicy a target P2E has become.
