Overview

BigTime set off a craze in GameFi after its token launched on October 10, 2023. Our team started following BigTime in September but could not analyze it at the time because we did not meet the registration requirements. After the registration threshold was recently lowered, we carried out a series of security analyses and tests on BigTime, including tampering with game client attributes, malicious GameRPC call testing and an audit of the token contract. Our overall assessment is that the game's security is poor: the cost of cheating is low for a malicious player and the game is easy to analyze. If the project team intends to keep operating the game, improving its security and fairness should be the first priority.

Game background

• Game version evaluated: v0.28-CL#78459

• Game type and engine: MMORPG, UE4.27

• Possible gameplay problems:

  • Illegal movement (teleportation, speed boosts and similar via malicious RPC packets)

  • Acceleration / speedhack (in-game world time, time functions under the UE framework)

  • One-click combos / one-click skill rotation

  • Accelerated NFT forging

  • NFT random number manipulation

  • Multiple settlements (repeated reward claims) after a dungeon instance ends

Game security analysis

Game code protection:

Analysis process:

1. Different engines call for different analysis approaches, so after obtaining the game EXE the first step is to determine which engine the game uses. From the basic game information we determined that the game was built with UE4.27.2.

2. Loading the game into IDA shows that the code has not been hardened, and the GWorld variable can be located quickly with the standard UE4.27 signature search.

The strings are not encrypted either.

Since GWorld can be located by signature and the binary is not encrypted, the SDK can be dumped with common SDK dump tools by searching for the NamePool signature.

With the game SDK in hand, analysis is much faster.
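The signature search mentioned above is worth seeing concretely. The following is an added example written for this report, not code from BigTime or from any SDK dump tool: it scans a buffer for an IDA-style byte signature with wildcards, then resolves the RIP-relative displacement of the matching `mov rax, [rip+disp32]` to the absolute address of the global it loads. The code bytes, the image base and the "GWorld" offset are all constructed for the demonstration; the technique is the same one used against a real UE4 `.text` section, where the signature is chosen from the engine version's known code.

```python
"""
Added example (not from the original report or from BigTime): locate a UE4 global
such as GWorld by byte-signature scan plus RIP-relative displacement resolution.
"""
import re
import struct

def compile_signature(sig: str) -> "re.Pattern":
    """Turn an IDA-style signature ("48 8B 05 ? ? ? ? 48 85 C0") into a bytes regex.
    '?' and '??' are wildcards matching any single byte."""
    parts = []
    for tok in sig.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def find_signature(image: bytes, sig: str) -> list:
    """Return every offset in `image` where `sig` matches."""
    return [m.start() for m in compile_signature(sig).finditer(image)]

def resolve_rip_relative(image: bytes, image_base: int, match_off: int,
                         disp_off: int, insn_len: int) -> int:
    """Resolve the absolute target of a RIP-relative operand.
    disp_off: offset of the signed 4-byte displacement inside the instruction
    insn_len: total instruction length
    target = address of the next instruction + disp32"""
    disp = struct.unpack_from("<i", image, match_off + disp_off)[0]
    return image_base + match_off + insn_len + disp

# Constructed sample "code" (assumption, not BigTime bytes): padding, then
#   48 8B 05 xx xx xx xx    mov rax, [rip+disp32]   ; load a global pointer
#   48 85 C0                test rax, rax
# with the displacement chosen so the target lands at image_base + 0x1000.
IMAGE_BASE = 0x140000000
SAMPLE_MOV_OFF = 0x20
TARGET_RVA = 0x1000
_disp = TARGET_RVA - (SAMPLE_MOV_OFF + 7)
SAMPLE_IMAGE = (b"\xCC" * SAMPLE_MOV_OFF
                + b"\x48\x8B\x05" + struct.pack("<i", _disp)
                + b"\x48\x85\xC0"
                + b"\xCC" * 16)

# Assumed signature for the demonstration; a real one is taken from the engine build.
GWORLD_SIG = "48 8B 05 ? ? ? ? 48 85 C0"

def locate_gworld(image: bytes = SAMPLE_IMAGE, image_base: int = IMAGE_BASE) -> int:
    """Require a unique hit (an ambiguous signature is useless), then resolve it.
    The displacement sits at byte 3 of the 7-byte mov."""
    hits = find_signature(image, GWORLD_SIG)
    if len(hits) != 1:
        raise ValueError(f"expected a unique match, got {len(hits)}")
    return resolve_rip_relative(image, image_base, hits[0], disp_off=3, insn_len=7)

if __name__ == "__main__":
    print(hex(locate_gworld()))  # 0x140001000
```

The point for the defender is the uniqueness check: a game that obfuscates or varies its code layout makes such a signature hit zero or many times, while an unprotected build like the one described here resolves on the first try.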

Analysis conclusion:

BigTime scores 0 for game code protection, meaning it has no protection at all. Traditional games usually protect their code with custom encryption, packers and similar measures. Because BigTime lacks even basic code protection, the threshold and cost for a malicious player to analyze the code are very low. If cheats appear, they are unfair to normal players and may damage the game's economic model.

Basic anti-cheat:

Analysis process:

1. For basic anti-cheat detection we tested two things: whether the game has anti-debugging, and whether it protects against memory reads and writes.

2. Attaching Cheat Engine (CE) to the running game and setting a breakpoint on a common function: the game neither exits nor shows any warning.

3. Using CE to modify Health in the game: the change takes effect and the game shows no pop-up or warning. (Modifying Health is only for an intuitive demonstration; this field is normally stored on the server, so modifying it locally has no real effect.)

Analysis conclusion:

1. BigTime's anti-cheat score is 0; a malicious user can cheat at will.

2. We only tested anti-debugging and read/write protection because, for a cheat, locating data and implementing functionality both depend on debugging and on reading and writing memory. If these two most basic protections are missing, injection detection, hook detection and the like are meaningless.

Game logic issues

Analysis process:

For MMO games built on UE, tampering with local data usually yields little, because UE has a mature mechanism for replicating Actor properties and validating them on the server. However, analysis of the game code shows that BigTime does not use property replication properly: some data is still handled locally, for example the ComboIndex. By setting a write breakpoint on the combo index you can find the function that writes it, and from there debug the combo function. (The specific steps would affect fairness and are not demonstrated.)
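What "handled locally" costs becomes clear when the alternative is written down. The following is an added example for this report, not BigTime's code and not UE's replication API: a server-authoritative combo handler in which the client only reports "attack pressed", while the server owns the combo index and the timing window measured on its own clock. The damage table and the timing limits are assumed values for the demonstration. A client that edits its local index to the finisher, or fires every step in one frame, is rejected or flagged rather than trusted.

```python
"""
Added example (not BigTime code): server-authoritative combo index and timing.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed combo parameters (illustrative, not BigTime's real values)
COMBO_DAMAGE = [10, 15, 20, 40]   # damage per combo step; last step is the finisher
MIN_STEP_MS = 300                 # faster than this = macro / speedhack
MAX_STEP_MS = 1200                # slower than this = combo window expired, restart

@dataclass
class PlayerComboState:
    index: int = 0
    last_hit_ms: Optional[int] = None
    flags: list = field(default_factory=list)   # telemetry for anti-cheat review

@dataclass
class AttackResult:
    accepted: bool
    damage: int
    server_index: int
    reason: str = ""

class ComboServer:
    def __init__(self):
        self.players: dict = {}

    def attack(self, player_id: str, now_ms: int,
               client_claimed_index: Optional[int] = None) -> AttackResult:
        """Process one attack request. `now_ms` is the server clock; the client's
        own index is never used for damage, only compared and logged on mismatch."""
        st = self.players.setdefault(player_id, PlayerComboState())
        if st.last_hit_ms is not None:
            delta = now_ms - st.last_hit_ms
            if delta < MIN_STEP_MS:
                st.flags.append(f"too_fast:{delta}ms")
                return AttackResult(False, 0, st.index, "too_fast")
            if delta > MAX_STEP_MS:
                st.index = 0
        if client_claimed_index is not None and client_claimed_index != st.index:
            # Edited client memory (or desync): the server value wins either way.
            st.flags.append(f"index_mismatch:client={client_claimed_index},server={st.index}")
        damage = COMBO_DAMAGE[st.index]
        st.last_hit_ms = now_ms
        st.index = (st.index + 1) % len(COMBO_DAMAGE)
        return AttackResult(True, damage, st.index)

def run_scenarios() -> dict:
    """Three constructed clients against one server: honest, memory-edited, macro."""
    srv = ComboServer()
    honest = [srv.attack("honest", t).damage for t in (0, 500, 1000, 1500)]
    # Edited client: local ComboIndex set to the finisher on its first swing.
    edited = srv.attack("edited", 0, client_claimed_index=3)
    # One-click macro: four swings inside a few frames.
    macro = [srv.attack("macro", t).accepted for t in (0, 16, 32, 48)]
    return {
        "honest_damage": honest,
        "edited_damage": edited.damage,
        "edited_flags": srv.players["edited"].flags,
        "macro_accepted": macro,
        "macro_flags": srv.players["macro"].flags,
    }

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```

With the index and the clock on the server, the write breakpoint described above still finds a local copy of ComboIndex, but changing it only produces a mismatch flag; the damage actually applied is decided by the value the server holds.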

Analysis conclusion:

1. BigTime's overall game logic security problems are not especially prominent, but certain risks remain, so logic security scores 4 points.

2. Some sensitive attributes lack a synchronization mechanism; more of them should be handled on the server side.

Game RPC analysis

Because RPC issues are sensitive, we will not carry out this analysis without authorization from the project team. BigTime's current RPC security protection is 0; testing showed that the server accepts some RPC packets, so the security score is 0. We recommend that the project team conduct a detailed audit of overall RPC security. The picture below shows some RPC information.

Web3 security analysis:

Overview:

As a blockchain game, BigTime's Web3 design has two parts: the basic BIGTIME token, and the in-game Web3 economic system. The two parts are relatively independent of each other. The game is responsible for generating tokens and forging NFTs, and a fixed-supply token contract is deployed on Ethereum.

Token contract security:

The basic information of the token is as follows:

  Address: 0x64Bc2cA1Be492bE7185FAA2c8835d9b824c8a194

  Symbol: BIGTIME

  Owner: 0xc3322716475fba83bfc057112247a43f1a1f2c4c (Gnosis Safe)

  Total supply: 5,000,000,000

The BigTime token contract mints the tokens to a multi-signature wallet and is deployed with a fixed supply. Because the contract's functions are simple, its basic security is adequate. Looking at the owner wallet's transactions, the owner transferred some tokens to several other wallets after receiving them.

Most of these wallets are Safe multi-signature wallets. The main token-related security risks therefore come from private key leakage and from the existence of privileged accounts on the project side. Even with multi-signature in place, a leaked privileged key still carries some risk of token theft.

In-game economic system security:

In BigTime, players can enter the space-time guardian's area to forge time hourglasses, charge time hourglasses and perform similar operations. Some of these functions, which directly affect the market balance, are stored and executed locally. Although it is not clear how the game server (GS) is designed, this is high-risk behavior, as shown below:

There are many RPC functions of this kind. Given the high cost of testing, we will not do security testing on them for the time being. We hope the project team strictly validates this part of the logic on the server.
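To make "strictly validate on the server" concrete for the forging functions listed above, here is an added example written for this report; it is not BigTime's server code and nothing about its real design is known to us. The material cost, the forge duration and the rarity weights are assumed values. The shape is the important part: the material ledger, the forge timer on the server clock, and the rarity roll all live on the server, so the client request carries only identifiers. This covers three of the risks listed at the top of the report: accelerated forging (the server ignores any client-reported elapsed time), random number manipulation (the roll is a keyed hash the client cannot predict or re-roll), and double settlement (a job can be claimed once).

```python
"""
Added example (not BigTime code): server-side validation of a "forge hourglass" RPC.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed game parameters (illustrative, not BigTime's real values)
FORGE_COST = {"time_crystal": 3}                           # materials consumed per forge
FORGE_DURATION_MS = 4 * 60 * 60 * 1000                     # 4 hours, on the server clock
RARITY_TABLE = [("common", 70), ("rare", 25), ("epic", 5)]  # weights sum to 100

@dataclass
class Account:
    inventory: dict
    pending: dict = field(default_factory=dict)   # job_id -> server start time (ms)
    forged: list = field(default_factory=list)    # (job_id, rarity) results

class ForgeServer:
    def __init__(self, server_secret: Optional[bytes] = None):
        # Secret used to derive rarity rolls; generated server-side, never sent to clients.
        self._secret = server_secret if server_secret is not None else secrets.token_bytes(32)

    def start_forge(self, acct: Account, now_ms: int) -> str:
        """Client asks to start a forge. The server checks and deducts materials itself."""
        for item, n in FORGE_COST.items():
            if acct.inventory.get(item, 0) < n:
                raise PermissionError(f"insufficient {item}")
        for item, n in FORGE_COST.items():
            acct.inventory[item] -= n
        job_id = secrets.token_hex(8)      # chosen by the server, not the client
        acct.pending[job_id] = now_ms
        return job_id

    def claim_forge(self, acct: Account, job_id: str, now_ms: int) -> str:
        """Client asks to collect a finished forge. The client does not get to say how
        much time has passed or what it rolled; both come from the server."""
        start = acct.pending.get(job_id)
        if start is None:
            raise PermissionError("unknown or already claimed job")   # no double settlement
        if now_ms - start < FORGE_DURATION_MS:
            raise PermissionError("forge not finished")                # no client-side acceleration
        del acct.pending[job_id]
        rarity = self._roll(job_id)
        acct.forged.append((job_id, rarity))
        return rarity

    def _roll(self, job_id: str) -> str:
        """Rarity is a keyed hash of the job id: unpredictable to the client and fixed
        once the job exists, so re-sending or replaying the claim cannot re-roll it."""
        digest = hmac.new(self._secret, job_id.encode(), hashlib.sha256).digest()
        x = int.from_bytes(digest[:8], "big") % 100
        acc = 0
        for name, weight in RARITY_TABLE:
            acc += weight
            if x < acc:
                return name
        return RARITY_TABLE[-1][0]

if __name__ == "__main__":
    srv = ForgeServer()
    acct = Account(inventory={"time_crystal": 3})
    job = srv.start_forge(acct, now_ms=0)
    print("claim too early:", end=" ")
    try:
        srv.claim_forge(acct, job, now_ms=1000)
    except PermissionError as e:
        print(e)
    print("result:", srv.claim_forge(acct, job, now_ms=FORGE_DURATION_MS))
```

The keyed-hash roll is the simplest server-side option; where the forged item is minted on chain, the same principle applies but the randomness source has to match that trust domain (for example a commit-reveal scheme or a VRF), since a plain server hash cannot be verified by the chain.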

About Damocles

Damocles Labs is a security team founded in 2023 that focuses on Web3 security. Its services include GameFi code audits, GameFi vulnerability research, GameFi cheat analysis, GameFi anti-cheat, contract code audits, business code audits and penetration testing.

We will continue to work in the Web3 security industry, publish as many analysis reports as possible, raise the awareness of project teams and users about GameFi security, and promote the secure development of the industry.
Twitter: https://twitter.com/DamoclesLabs
Discord: https://discord.gg/xd6H6eqFHz