Big hack on play-to-earn crypto games is a “matter of time”: Report
“Unsatisfactory” cybersecurity measures among play-to-earn (P2E) crypto games pose a major risk to GameFi projects and their players, warns blockchain cybersecurity auditor Hacken.
In a Monday report shared with Cointelegraph, Hacken said that data indicates that GameFi projects, the category into which P2E games would fall, often “put profit over security” by releasing products without taking appropriate precautions against hackers:
“GameFi Projects […] fail to follow even the most essential cybersecurity recommendations, leaving malicious actors with many entry points for attack.”
P2E games often include non-fungible tokens (NFTs) in their ecosystems in addition to crypto. The largest projects, such as Axie Infinity (AXS) and StepN (GMT), use a wide range of products designed to improve the gaming experience, such as token bridges, blockchain networks or physical goods.
Drawing on data collected by the crypto security rating service CER.live, Hacken researchers found serious deficiencies in GameFi cybersecurity in particular. Of 31 GameFi tokens studied, none received the top AAA security rating, while 16 received the worst D score.
The rankings for each project were determined by weighting various aspects of their online security, such as token audits, whether they have a bug bounty and insurance, and whether the team is public.
Hacken’s report explained that GameFi projects typically scored low, as it found that no P2E projects had insurance coverage, which could help projects recover funds immediately in the event of a hack.
The lack of insurance has been partially confirmed by crypto insurer InsurAce’s chief marketing officer Dan Thomson, who told Cointelegraph on Thursday that it did not cover any P2E projects.
The report also found that only two projects have an active bug bounty program in place. Axie Infinity and Aavegotchi have bug bounties that provide monetary compensation to white hat hackers for finding bugs in the project’s code.
Finally, it found that while 14 projects have received a token audit, only five have completed a platform audit that can find potential security holes throughout the project’s ecosystem. These include Aavegotchi, The Sandbox, Radio Caca, Alien Worlds and DeFi Kingdoms.
While Hacken’s report paints a bleak picture of the state of GameFi cybersecurity, Illuvium co-founder Kieran Warwick shared the extensive measures his project is taking to protect users.
Warwick told Cointelegraph on August 5 that he knows “GameFi projects like ours are among the prime targets for hackers these days.”
As a result, he said his project has stepped up security to combat exploits by adding a dedicated security team, launching a $150,000 bug bounty program and having new products audited.
Warwick added that the project’s Discord server provides security rules and tips to new users joining to add an element of education to security measures. He said:
“The safety and trust of our users comes first.”
Aside from the main elements of the game, the Hacken report pointed to token bridges as a vulnerability for P2E games. Axie Infinity’s Ronin token bridge was the site of one of the crypto industry’s biggest ever hacks when it lost over $600 million worth of tokens in March.
As P2E games grow in popularity, there will likely be an increase in the number of security exploits and dollar value stolen from projects, Hacken said. The firm has advised players to carry out their own security checks on projects before sinking a large sum of money into them:
“And, of course, remember that investing in P2E is still a potentially profitable but rather risky affair.”
On Wednesday, crypto analyst Miles Deutscher asked rhetorically where the next crypto security concern might come from. Deutscher may have the answer.
We started from:
> Meme coins are not safe
> DeFi ponzis are not safe
> Stablecoins are not safe
> Top 10 L1s are not safe
> Bridges are not safe
> CEXs are not safe
> Wallets are not secure
What will be next..
— Miles Deutscher (@milesdeutscher) 4 August 2022