A proof-of-concept (PoC) hack of the Manarium play-to-earn (P2E) gaming platform allowed researchers to arbitrarily change their scores to win daily tournaments and collect crypto tokens, while avoiding the initial buy-in required to access the system.

P2E gaming (also known as GameFi or crypto gaming) involves using nonfungible tokens (NFTs) as in-game currency of a sort: Players can sell their NFTs to other collectors and players for use as avatars and other role-playing devices, and they can earn them by winning games or through in-game advertising.

Several models exist, and so far, P2E has been wildly successful: "The play-to-earn market has become one of the biggest niches of Web 3.0," according to an analysis from Hacken last August, published on the eGamers website. "The market capitalization of play-to-earn projects, as of the beginning of July 2022, is $6.5 billion, and the daily trading volume is greater than $850 million."

As is the case in the decentralized finance (DeFi) arena, the increasing amounts of crypto being transacted via P2E games has attracted cybercriminal notice, according to new analysis from researchers at Blaze Information Security. So, they set out to test the security of the Manarium platform and encountered three levels of insecurity along the way.

Easy Ways to Game the Gaming System

In Manarium's case, the platform supports minigames that each offer a daily tournament. Users connect their wallets to the game and are verified; they pay 300 ARI (a type of token that can be swapped for NFT art) in ante; then they play in a tournament in hopes of winning a portion of the prize pool (in the form of more ARI). When the tournament is over, the game's back-end server tallies the scores, and connects with winners' smart contracts in order to pay out the earnings to the users' verified cryptocurrency wallets.

First, in analyzing one of the platform's JavaScript files, an obviously named function leaped out to Blaze researchers: "UpdateAccountScore."

The function passes the following parameters: firebase.firestore().collection(“GameName”).doc(“USER_WALLET”).set(JSON.parse(“{\”wallet\”:\”USER_WALLET\”,\”score\”:SCORE}”), and the researchers found they were able to change those parameters at will within the Manarium interface's Console Tab via the Game Window.

"This vulnerability is more dangerous because they didn’t verify if the user paid the initial tax (300 ARI) to play the game when making the payment (for winners), so anyone that just executes this code line could receive the tokens without playing the game or paying the tax," according to the analysis.

Manarium quickly fixed the vulnerability, but the patch itself was flawed because it added hardcoded credentials into the mix.

"Manarium Team changed the way how to send the scoreboard [data] to the [back-end] service, by adding authentication before sending the data, and this authentication must be done only via an admin account," according to the analysis. "The problem was, Manarium Team hardcoded the [admin] credentials on the file 'Build.data.'"

That allowed the researchers to manipulate the game data by entering the credentials, generating an authentication token, and updating the score.

In response, Manarium then implemented what it called a "Super Anti-Cheat" that used behavioral analysis to root out abusers.

Super Anti-Cheat Fail

As the researchers detailed, "The anti-cheat validates the following fields: sessionTime, timeUTC, and score, where the user must have sufficient time to make the score. In other words, if a user scores 10 points in a session time of one second, this is impossible [and] the anti-cheat will detect a possible cheater."

However, it took the Blaze researchers less than 20 minutes to bypass the anti-cheat mechanism. They created "a script with a human behavior (a simple sleep and some random numbers) that will generate a high score in a timed human-compatible [way]," according to the posting. And to add insult to injury, "in the next versions of the script, we implemented … multithreading and the support of exploiting all three games simultaneously."

Manarium finally locked down its system by eliminating any way for unsigned data to be modified or generated by a user, with the use of a key system.

Blaze verified the fix as working, but the hunt (game?) is still on: "Future research will focus on searching for this key and attempting again a new bypass," the post concluded.

GameFi: Underperforming Cybersecurity

The research adds to a growing drumbeat of concern around the crypto-gaming sector. An analysis from Hacken last August concluded that P2E gaming in general has an "unsatisfactory" level of cybersecurity readiness — and that a major hack on one of the platforms is "only a matter of time" because they "put profits above security."

But the stakes for P2E gamers and investors are high: For instance, in March 2022, a $625 million heist of assets held in the Axie Infinity game led to that platform seeing a massive falloff in number of users and amount of money put in by gamers per week. It's a setback from which it has yet to recover.

“GameFi projects … do not follow even the most essential cybersecurity recommendations, leaving malicious actors numerous entry points for attacks," according to the Hacken report, which characterizes this as a major oversight given just how juicy of a target P2E has become.

"While it is understandable to want to be the first to market on a product or application, the risk of deploying these digital asset games without the proper security for the on-chain and off-chain risks may put the organization at risk for a host of cybersecurity risks," says Karl Steinkamp, director of delivery transformation and automation at Coalfire.

He adds, "Instead, organizations should make sure they’ve gone through the motions of adequately hardening each of the components of their platform prior to launch, and then after that, on a periodic and reoccurring basis. Organization’s may utilize tools like DArcher and the like to validate that they have adequately addressed on-chain and off-chain risks."