Article Hash (SHA1): bd9ca749e77416b81d65fff2457626ecfdaf59e2
Number: Lianyuan Security Knowledge No.022
The recent Chinese AAA game "Black Myth: Wukong" has excited gamers around the world, attracted a large number of players at home and abroad, and prompted fresh thinking about the development of blockchain games (GameFi). As Web3 games continue to develop, security and innovation models remain the key issues. Take Ronin Network, an EVM-compatible chain built specifically for games, as an example. In March 2022, Ronin Network suffered a serious security incident: hackers stole the private keys of 5 validators and forged withdrawals, resulting in a loss of more than 600 million US dollars. The incident is not only one of the largest hacks in the history of cryptocurrency, but also one of the most serious security incidents in blockchain gaming. Incidents like this show that Web3 games need to keep improving their technical protections to safeguard players' assets and the stability of the overall game ecosystem.
Reflections on GameFi development prompted by Black Myth: Wukong
Improve the overall quality of the gaming experience
The success of "Black Myth: Wukong" lies not only in its cultural background, but also in its excellent visual effects and smooth gaming experience. For a GameFi project to achieve similar success, the game itself must be interesting and attractive, which requires developers to dig deep into the gameplay rather than just hype the technology. Providing an experience of the same quality in a decentralized environment is one of the core challenges facing blockchain games. Optimizing smart contracts, improving blockchain processing power, and reducing transaction costs help ensure that players are not held back by technical limitations, thereby improving the gaming experience.
Building a sustainable economic system
Although GameFi generally relies on the “Play-to-Earn” model, over-reliance on this strategy may lead to unsustainable economic systems. The design concept of “Black Myth: Wukong” provides inspiration for blockchain games—complex and diverse economic models can be adopted, and a reward system can be introduced based on player contributions to ensure the stability of economic parameters. Tokens should not be the fundamental driving force of the game, but should be regarded as one of the value-added services. Over-reliance on the value of Tokens will put the game into a vicious circle.
Strengthen community and user engagement
There is a passionate player community behind Black Myth: Wukong. This community power is one of the important factors for the success of the game, which is also a key factor for the success of blockchain games. Blockchain game developers should pay attention to community building, empower players through forms such as DAO, and improve user stickiness. However, the basis of all this is that the quality of the game is attractive enough and worthy of players' long-term investment. Many teams only pursue short-term gains and lack the courage to invest in the long term, so it is difficult to achieve legendary success.
Enhance players' sense of belonging and creativity
In Black Myth: Wukong, the game characters and stories are controlled by the developers; in blockchain games, players can truly own in-game assets through NFTs and smart contracts. Such settings can enhance players’ sense of belonging and creativity and create a more attractive ecosystem.
The intrinsic value and challenges of blockchain games
The main problem of blockchain games is that they rely too much on tokenization and ignore gameplay. The development team should learn to find a balance between risk and return. As a pastime, games should put entertainment first rather than economic benefits. By going on-chain, blockchain games have solved some drawbacks of traditional games, such as asset ownership, liquidity and asset interoperability, and have improved transparency and fairness, yet many blockchain games simply implant a token economy into a traditional game. The case of Black Myth: Wukong reminds us that only by deeply combining game design with blockchain technology can we create new black myths, promote the continuous development of the industry, and meet the market's growing demand for high-quality content. For example, we can explore innovations such as cross-game asset interoperability based on blockchain, decentralized game world generation, and player-independent economic systems.
GameFi’s new model: ServerFi
On August 12 this year, a paper said to be published by a "Yale University professor" first proposed the concept of "ServerFi", stating that it "emphasizes privatization through asset synthesis and focuses on a model that provides continuous rewards for high-retention players." Research shows that ServerFi is effective at keeping players engaged and ensuring the long-term viability of gaming ecosystems. The core of ServerFi mainly focuses on the following three aspects:
1. Number of players: This is the premise for the establishment of ServerFi. Insufficient number of players will limit the interaction between players and the creation of assets, which is one of the main challenges faced by both ServerFi and traditional GameFi.
2. Server value: This is the core of ServerFi's operation. As the in-game economic system improves, the server accumulates quantifiable value that is linked to the legal currency system. This value formation and monetization is what keeps the ServerFi model running.
3. Contribution return ratio: As an adjustable parameter, it changes the fixed income setting in traditional games. ServerFi builds players, servers and project parties into a community of interests, thereby motivating the investment and maintenance of all participants.
GameFi on-chain and off-chain security issues
The essence of games is pastime and entertainment. Traditional Web2 games are very different from Web3 games, because GameFi not only provides players with token incentives, but also gives players ownership of game assets, creating game projects with the characteristics of a crypto economy and decentralization. However, the current blockchain game market is a mixed bag: it is difficult to tell genuine projects from fake ones, the tricks are endless, and there are many pitfalls. GameFi has faced many security vulnerabilities and hacker attacks in its development. These not only pose a serious threat to the security of users' assets, but also have a serious negative impact on the healthy development of the entire GameFi ecosystem.
On-chain security challenges include:
Token contract vulnerability
GameFi projects typically use one or more tokens for in-game purchases and rewards. The token contract is responsible for managing the minting, trading, and destruction of tokens. Vulnerabilities in it may seriously affect the game's economic system. Token contracts also often face centralization risks: contract owners or administrators have too much authority and may modify transaction fees, restrict transactions, issue additional tokens, or adjust account balances.
Business contract loopholes
The business contract in the GameFi project is responsible for implementing gameplay and reward distribution. Developers usually design it as an upgradeable contract. The ChainSource security team's security recommendations for upgradeable contracts include:
Initialize contracts and dependencies: Forgetting to initialize them at deployment time can lead to serious vulnerabilities.
Be aware of storage conflicts: When upgrading a contract, modifying storage may cause conflicts, leading to data errors or fund losses.
Permission control: Limit the contract upgrade permissions to prevent attackers from obtaining upgrade permissions through private key theft or governance attacks.
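The storage-conflict recommendation can be checked before an upgrade is deployed by comparing the storage layout of the old and new implementation. The following is an added example, not code from the original article or from any project it names; it models only flat value types and mappings, and the contract variables are constructed for illustration.

```python
# Added illustration: simplified Solidity storage layout model.
# Assumption: only the flat value types below plus mappings; structs,
# arrays, inheritance and storage gaps are not modelled.
TYPE_SIZES = {"bool": 1, "uint8": 1, "uint64": 8, "uint128": 16,
              "address": 20, "uint256": 32, "bytes32": 32, "mapping": 32}

def layout(variables):
    """Assign a (slot, byte offset) to each (name, type) in declaration order."""
    placed, slot, offset = {}, 0, 0
    for name, typ in variables:
        size = TYPE_SIZES[typ]
        if offset + size > 32:          # does not fit: start the next 32-byte slot
            slot, offset = slot + 1, 0
        placed[name] = (typ, slot, offset)
        offset += size
    return placed

def upgrade_conflicts(old_vars, new_vars):
    """Return (name, problem) for every old variable the new layout breaks."""
    old, new = layout(old_vars), layout(new_vars)
    findings = []
    for name, (typ, slot, offset) in old.items():
        if name not in new:
            findings.append((name, "removed"))      # or renamed: review by hand
        elif new[name][0] != typ:
            findings.append((name, "retyped"))
        elif new[name][1:] != (slot, offset):
            findings.append((name, "moved"))
    return findings

# Constructed sample state of a hypothetical GameFi reward contract.
V1 = [("owner", "address"), ("paused", "bool"), ("rewardRate", "uint64"),
      ("balances", "mapping"), ("totalMinted", "uint256")]
# Unsafe upgrade: a variable inserted in the middle shifts everything after it.
V2_INSERTED = V1[:1] + [("treasury", "address")] + V1[1:]
# Safe upgrade: the new variable is appended after all existing ones.
V2_APPENDED = V1 + [("treasury", "address")]
# Unsafe upgrade: widening a packed variable pushes it into a new slot.
V2_RETYPED = [(n, "uint128" if n == "rewardRate" else t) for n, t in V1]

if __name__ == "__main__":
    for label, v2 in [("inserted", V2_INSERTED), ("appended", V2_APPENDED),
                      ("retyped", V2_RETYPED)]:
        print(label, upgrade_conflicts(V1, v2))
```

Any non-empty result means the proxy's existing data would be read through the wrong variable after the upgrade, so the release should be blocked until the layout is append-only again.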
NFT Vulnerabilities
NFTs are used in GameFi to represent player assets, and their value is backed by quantity and rarity. Improper implementation can introduce security risks, especially in randomness generation. GameFi projects should use reliable sources for randomness in activities such as blind boxes and random rewards to reduce the risk of prediction and manipulation. In addition, the project party should securely store NFT metadata and IPFS hash values so that the metadata does not leak ahead of time. Operators also need to carefully distinguish between ERC-1155 and ERC-721 tokens. ERC-1155 supports batch transfers, while ERC-721 requires multiple transfers. Previously, TreasureDAO on the Arbitrum chain was attacked for not distinguishing between the two tokens.
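What distinguishing the two standards means in a service that moves or lists player assets is sketched below. This is an added example, not code from the original article or from TreasureDAO; the contract labels are constructed placeholders, and it assumes the standard of each contract is already recorded in a reviewed allow-list rather than guessed per request.

```python
from collections import defaultdict

ERC721, ERC1155 = "ERC-721", "ERC-1155"

def plan_transfers(items, known_standards):
    """Turn (contract, token_id, quantity) requests into transfer calls.

    ERC-721: one safeTransferFrom per token, quantity must be exactly 1.
    ERC-1155: one safeBatchTransferFrom per contract with ids and amounts.
    Anything ambiguous is rejected instead of being interpreted.
    """
    singles, batches = [], defaultdict(lambda: ([], []))
    for contract, token_id, qty in items:
        standard = known_standards.get(contract)
        if standard not in (ERC721, ERC1155):
            raise ValueError(f"{contract}: token standard unknown, refusing to guess")
        if type(qty) is not int or qty <= 0:
            raise ValueError(f"{contract}#{token_id}: quantity must be a positive integer")
        if standard == ERC721:
            if qty != 1:
                raise ValueError(f"{contract}#{token_id}: ERC-721 tokens are unique, quantity must be 1")
            singles.append(("safeTransferFrom", contract, token_id))
        else:
            ids, amounts = batches[contract]
            ids.append(token_id)
            amounts.append(qty)
    batch_calls = [("safeBatchTransferFrom", contract, ids, amounts)
                   for contract, (ids, amounts) in batches.items()]
    return singles + batch_calls

# Constructed sample data: placeholder contract labels, not real addresses.
KNOWN = {"0xHEROES": ERC721, "0xPOTIONS": ERC1155}
REQUEST = [("0xHEROES", 7, 1), ("0xPOTIONS", 1, 5),
           ("0xHEROES", 9, 1), ("0xPOTIONS", 2, 30)]

if __name__ == "__main__":
    for call in plan_transfers(REQUEST, KNOWN):
        print(call)
```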
Cross-chain bridge vulnerability
The cross-chain bridge is used to synchronize game assets between different blockchain networks and is an important component for improving the liquidity of a GameFi project. The danger is that contract vulnerabilities may cause assets to fall out of sync across the connected chains. The bridge's verification nodes are also a potential risk. It is recommended to increase the number of verification nodes and to store their private keys securely.
Off-chain security challenges include:
Most GameFi projects rely on off-chain centralized servers to handle some backend logic and interfaces. These servers store critical information, including game logic and player account data, and are vulnerable to malicious attacks. For example:
Tampering with NFT data
The metadata of game NFTs is critical, but many GameFi projects tend to store it on centralized servers rather than on decentralized facilities like Arweave, which increases the risk of internal or external attackers tampering with the data and affecting the ownership and interests of players' assets.
Phishing Attacks
Attackers use phishing to obtain sensitive information from project owners, such as private keys to game vaults or GitHub accounts, which may trigger supply chain attacks, expand the scale of attacks, and cause more losses.
Conclusion
The road to shaping the future of Web3 games is full of opportunities and challenges. Through some new technological developments, we see new hope in maintaining fairness, security, and innovation in games, and we have also learned valuable lessons from successful cases such as Black Myth: Wukong: high-quality content and excellent gaming experience are still the core of attracting players. However, game developers must be vigilant about potential security threats, especially in on-chain and off-chain technical implementation. By strengthening technical protection, improving the sustainability of economic models, and promoting broader community participation in the industry, Web3 games are expected to achieve stronger growth and deeper player connections in the future, ultimately driving the positive development of the entire GameFi industry.
Lianyuan Technology is a company focused on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and asset and contract vulnerability rescue. We have successfully recovered many stolen digital assets for individuals and institutions. At the same time, we are committed to providing industry organizations with project security analysis reports, on-chain traceability and technical consulting/support services.
Thank you for reading. We will continue to focus on and share blockchain security content.