League of Kingdoms
(1) Introduction

As the dust from the FTX fallout begins to settle, GameFi has emerged as arguably the most resilient blockchain segment. Whilst the trading volume of crypto exchanges and the total value locked (TVL) of decentralized finance (DeFi) platforms have plummeted, the metrics for the GameFi market have remained relatively stable in terms of both its Unique Active Wallets (UAW) and transaction volume.

GameFi Market’s UAW and Transaction Volume (Source: DappRadar)

The resilience of the GameFi market is quite remarkable considering that 75% of crypto gamers are solely interested in earning cryptocurrencies. Whilst this is fine in the context of crypto gamers, the overemphasis on financial rewards by operators of GameFi projects, through their policies of putting “profits above security”, is subjecting their users to the risk of security vulnerabilities.

(2) Security Risks of GameFi Projects

As of December 2022, data collated by Footprint Analytics indicates that there are about 2,000 GameFi projects. In its report on the GameFi market released in August 2022, blockchain security audit company Hacken noted that only 5 GameFi projects have had their platforms audited.

GameFi Projects with Platform Audits (Source: Avocado DAO)

The lack of technical audits for the platforms of GameFi projects results in these platforms being vulnerable to “51% of attacks including denial-of-service (DDoS) attacks, Sybil attacks, double-spending problems, race attacks, eclipse attacks, routing attacks, replay attacks, and some others.” An example of a DDoS attack involving a GameFi project took place in June 2022, when the platform of the popular Move-to-Earn (M2E) game StepN was hit with 25 million DDoS attacks in a short period. The resulting network congestion led to the need for server maintenance.

As for token audits, data from CER.live indicates that out of the 31 audited GameFi tokens, none received the top security ranking of AAA, whereas more than half, i.e. 16, received the worst security rating of D. The lack of technical audits for the smart contract codes of GameFi tokens results in these codes being vulnerable to “hidden backdoors, issues with price oracles, excessive admin rights, reentrancy attacks, design vulnerabilities, and various other factors.”

An example of a backdoor hack involving a GameFi project is Axie Infinity’s USD650 million Ronin Bridge hack, which according to the platform’s official blog occurred because “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.” After the hack, Sky Mavis, the developer of Axie Infinity, managed to relaunch the Ronin Chain and restore its operations, thereby allowing users to regain access to their funds.

(3) Technical Audits for GameFi Projects

In general, the palpable lack of cyber security measures among GameFi projects led Hacken to predict that it was “just a matter of time” before there is a major hacking incident involving such projects. A sure-fire way to mitigate the hacking risks of GameFi projects is for these projects to have their platforms and token smart contract codes technically audited. Besides Hacken, other blockchain security audit companies which provide technical audit services for GameFi projects are PeckShield and CertiK.

In addition to boosting the security levels of GameFi projects, undertaking technical audits would improve user trust and confidence by helping users feel safe when using the platform or owning the tokens. A common scam that technical audits can help prevent is the rug pull, of which there are 2 types, i.e. hard and soft. “Hard rug pulls occur when project developers code malicious backdoors into their token” whereas “soft rug pulls refer to token developers dumping their crypto assets quickly.”

Hard and Soft Rug Pulls (Source: NFTNow)

Although technical audits of GameFi projects are not of much help in preventing soft rug pulls, they do have a role to play in helping users identify GameFi projects which could potentially be subject to hard rug pulls. This is because technical audits would be able to identify potential malicious backdoors which have been coded into the smart contracts of GameFi projects by developers who are planning to undertake a hard rug pull on their projects later on. Consequently, the absence of third-party technical audits for the smart contract codes and platforms of a GameFi project raises a telling red flag about the risk of the project being subjected to a hard rug pull in the future. A recent GameFi rug pull is that of Dragoma in August 2022, which resulted in losses of about USD3.5 million.

(4) Conclusion

In terms of growth, the GameFi market is projected to record a compound annual growth rate (CAGR) of 23.7% from now till 2031, whereas the annual revenue of GameFi projects is forecast to amount to a staggering USD74.2 billion by 2031. Consequently, the GameFi market is set to be a prime target for hackers over the course of the next decade. This renders it imperative that the gamification playground be secured through technical audits, as the playground is meant for gamers, not hackers.