Author: Hacken
Source: Hacken
The play-to-earn (P2E) market has become one of the largest niches of Web 3.0. As of early July 2022, P2E projects had a combined market value of 6.5 billion US dollars and a daily trading volume above 850 million US dollars. With more than 3 billion video game players worldwide, the game industry is likely to be a major conduit for further growth in cryptocurrencies.
P2E is closely tied to virtual assets, so it shares many of the risks of cryptocurrencies, cybersecurity threats included. The more money the industry attracts, the more attractive a target it becomes for criminals.
In this environment, security is one of the most pressing concerns in the niche. So what are the current trends in P2E security? Can we expect the number of hacks to fall, or common security standards to emerge for the industry?
Well Known P2E Hacking Attacks
In March 2022, Axie Infinity, one of the best-known P2E projects, was hacked for about $625 million, the largest hack in the P2E niche to date. Before the attack, the platform was attracting more than 2 million users per day.
Axie Infinity runs on Ronin, its own sidechain, and assets move between Ethereum and Ronin through a bridge whose withdrawals must be approved by a threshold of validator signatures (5 of 9 at the time). The attackers did not break the bridge contract itself: they obtained the private keys of five validators, four run directly by Sky Mavis (the Axie Infinity developer) and one third-party node run by Axie DAO, and used them to sign forged withdrawals that the bridge accepted as legitimate. Sky Mavis attributes the compromise to a combination of technical weaknesses and social engineering.
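The following is an added example, not code from the article or from Sky Mavis, written in Go rather than Solidity so it runs stand-alone. It models an m-of-n bridge of the kind described above: a withdrawal is released once a threshold of validator signatures verifies, and the verification logic cannot tell a stolen key from an honest one. The validator set mirrors the article (9 validators, 5-of-9 threshold, 4 keys run by Sky Mavis, 1 by Axie DAO); the Axie DAO key is modelled as signable by Sky Mavis, which is how Sky Mavis's own post-mortem explains the fifth signature, and the other four operator names, the keys and the withdrawal amount are constructed for the demo. The `ConcentrationRisk` check at the end is the review an operator should run whenever the validator set or a signing allowlist changes: it reports whether any single party can reach the threshold on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Validator is one bridge signer. Operator is the organisation that runs the node;
// ControlledBy is whoever can actually produce a signature with the key, which differs
// from Operator when signing has been delegated (the Axie DAO allowlist case).
type Validator struct {
	Operator     string
	ControlledBy string
	Pub          ed25519.PublicKey
	priv         ed25519.PrivateKey // held here only so the demo can sign; a real node keeps it in an HSM
}

// Withdrawal is the message validators approve.
type Withdrawal struct {
	Recipient string
	Amount    uint64
	Nonce     uint64
}

// Bytes is a canonical encoding so every validator signs identical bytes.
func (w Withdrawal) Bytes() []byte {
	b := make([]byte, 16, 16+len(w.Recipient))
	binary.BigEndian.PutUint64(b[0:8], w.Amount)
	binary.BigEndian.PutUint64(b[8:16], w.Nonce)
	return append(b, w.Recipient...)
}

// Bridge is an m-of-n validator set guarding withdrawals.
type Bridge struct {
	Validators []Validator
	Threshold  int
}

// Approve counts valid signatures, keyed by validator index, and releases the funds once
// Threshold is reached. Map keys are unique, so each validator is counted at most once.
// Nothing here distinguishes a stolen key from an honest one: whoever holds Threshold
// keys can withdraw anything.
func (b Bridge) Approve(w Withdrawal, sigs map[int][]byte) bool {
	msg := w.Bytes()
	valid := 0
	for idx, sig := range sigs {
		if idx >= 0 && idx < len(b.Validators) && ed25519.Verify(b.Validators[idx].Pub, msg, sig) {
			valid++
		}
	}
	return valid >= b.Threshold
}

// ConcentrationRisk reports the party able to sign with the most keys and whether that
// party alone reaches the threshold, i.e. whether one compromised organisation can drain the bridge.
func (b Bridge) ConcentrationRisk() (party string, keys int, reachesThreshold bool) {
	counts := map[string]int{}
	for _, v := range b.Validators {
		counts[v.ControlledBy]++
		if counts[v.ControlledBy] > keys {
			party, keys = v.ControlledBy, counts[v.ControlledBy]
		}
	}
	return party, keys, keys >= b.Threshold
}

// NewValidator generates a fresh demo keypair (constructed data, not real Ronin keys).
func NewValidator(operator, controlledBy string) Validator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Validator{Operator: operator, ControlledBy: controlledBy, Pub: pub, priv: priv}
}

// Sign is one validator's approval of a withdrawal.
func (v Validator) Sign(w Withdrawal) []byte { return ed25519.Sign(v.priv, w.Bytes()) }

// RoninLikeSet builds the set described in the article: 9 validators, 5-of-9 threshold,
// 4 run by Sky Mavis and 1 by Axie DAO (signable by Sky Mavis through the allowlist).
// OperatorA..D are placeholder names for the remaining independent validators.
func RoninLikeSet() Bridge {
	vs := []Validator{
		NewValidator("SkyMavis", "SkyMavis"), NewValidator("SkyMavis", "SkyMavis"),
		NewValidator("SkyMavis", "SkyMavis"), NewValidator("SkyMavis", "SkyMavis"),
		NewValidator("AxieDAO", "SkyMavis"),
		NewValidator("OperatorA", "OperatorA"), NewValidator("OperatorB", "OperatorB"),
		NewValidator("OperatorC", "OperatorC"), NewValidator("OperatorD", "OperatorD"),
	}
	return Bridge{Validators: vs, Threshold: 5}
}

// forgedWithdrawal is the attacker's message; recipient and amount are made up.
var forgedWithdrawal = Withdrawal{Recipient: "0xattacker", Amount: 1_000_000, Nonce: 1}

// SignWithCompromisedKeys collects signatures from validators 0..n-1, the keys an attacker
// who has compromised Sky Mavis (and, via the allowlist, the Axie DAO key) can use.
func SignWithCompromisedKeys(b Bridge, n int) map[int][]byte {
	sigs := map[int][]byte{}
	for idx := 0; idx < n; idx++ {
		sigs[idx] = b.Validators[idx].Sign(forgedWithdrawal)
	}
	return sigs
}

func main() {
	b := RoninLikeSet()
	fmt.Println("4 compromised keys approve forged withdrawal:", b.Approve(forgedWithdrawal, SignWithCompromisedKeys(b, 4)))
	fmt.Println("5 compromised keys approve forged withdrawal:", b.Approve(forgedWithdrawal, SignWithCompromisedKeys(b, 5)))
	party, keys, risky := b.ConcentrationRisk()
	fmt.Printf("%s can sign with %d of %d keys; reaches threshold alone: %v\n", party, keys, len(b.Validators), risky)
}
```

Run as written, the fourth signature is rejected and the fifth is accepted, and `ConcentrationRisk` flags Sky Mavis as able to reach the threshold on its own. Setting the Axie DAO validator's `ControlledBy` back to `"AxieDAO"` (revoking the allowlist) drops the largest party to 4 keys, below the threshold, which is the property a bridge operator wants to keep true.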
Security of P2E
Let's assess the state of P2E cybersecurity using data from CER.live, a crypto cybersecurity data aggregator. CER.live analyses hundreds of metrics from P2E and GameFi projects to build its security ranking.
Currently, the P2E crypto game sector counts more than 170 projects with a market capitalization above $5 million and 44 venture capital funds. The top five projects are The Sandbox, Decentraland, Axie Infinity, Stepn and Gala.
CER.live's current analysis covers 31 of these projects, and the results are unsatisfactory. Although only Axie Infinity has suffered a security incident, none of the 31 has received a rating of AAA, AA, or even A. (CER.live uses a classic credit-style scale, with AAA the highest rating and D the lowest; a rating below DDD indicates an increased risk of future hacks or other security incidents.)
Key findings
- Recent high-profile hacks show that code vulnerabilities and users ignoring basic security advice are the most common causes of successful attacks;
- None of the 31 projects is insured, so if a hack occurs users cannot recover their funds unless the project finds another source of money;
- Only 2 projects run a bug bounty program; the remaining 29 rely solely on their own resources for ongoing security;
- While 14 projects have had their token audited, only 5 have had a platform audit.
The CER.live data shows GameFi projects putting profit ahead of security and ignoring even basic cybersecurity recommendations, leaving criminals a large attack surface.
Other Security Flaws: Bridges, Insiders, and Lack of Auditing
Technologist and Farcana CEO Ilman Shazhaev said the next big question is the popularity of blockchain bridges in play-to-earn and their vulnerabilities. In Axie's case, however, the hackers were after more than money: by disrupting a game played by millions, the hacker or group gained a kind of fame as their pseudonym quickly spread.
Ilman added: "Another breach involved insiders: hackers bribed a team member, who divulged the information they needed, and thereby stole users' funds. The process wasn't always about sharing login credentials; sometimes it was surreptitiously telling hackers about vulnerabilities, even where advanced cybersecurity policies were in place.
Of course, we also cannot forget the raw state of many projects. Many P2E game developers want to get their games to market as quickly as possible, and at the same time some developers forgo high-quality code review to save money and time."
Essential cybersecurity services for GameFi projects
So, what are the necessary security measures for a GameFi project?
- Conduct a smart contract audit
Automated and manual code analysis detects vulnerabilities of varying severity, along with business logic flaws, so they can be fixed before launch. Among audited projects, the smart contract audit providers with the lowest incident rates include OpenZeppelin, ConsenSys, and Hacken.
- Launch a bug bounty program
With a bounty program, dozens or even hundreds of ethical hackers independently analyse a project's security at the same time and are paid for the vulnerabilities they find. The main bug bounty platforms include BugCrowd, HackerOne, HackenProof, ImmuneFi, Synack, and YesWeHack.
- Buy insurance
With insurance in place, projects and their users can recover all or part of the funds lost in a hack. The main providers are Nexus Mutual, InsurAce.io and inSure.
Protect P2E Assets
After the Axie Infinity hack, criminals realized that P2E crypto games hold large pools of assets that a well-planned attack can steal. Security experts admit that further large-scale hacks of P2E games are almost inevitable. As P2E and GameFi crypto projects grow in popularity, cybercrime against their players will grow with them.
In this situation, players must understand that they are responsible for their own security. Before committing a large sum to a P2E game, users should at least run a basic security review of the project using data from independent platforms such as CER.live and CoinGecko. P2E investing can still be profitable, but it carries considerable risk.