“Unsatisfactory” cybersecurity measures among play-to-earn (P2E) crypto games pose a great risk to GameFi projects and their gamers alike, warns blockchain cybersecurity auditor Hacken.
In a Monday report shared with Cointelegraph, Hacken said that data indicates that GameFi projects, the category which P2E games would fall under, often “put profits above security” by releasing products without taking appropriate precautions against hackers:
“GameFi projects […] do not follow even the most essential cybersecurity recommendations, leaving malicious actors numerous entry points for attacks.”
P2E games often incorporate nonfungible tokens (NFTs) in their ecosystems in addition to crypto. The largest projects, such as Axie Infinity (AXS) and StepN (GMT), use a wide array of products designed to enhance the gaming experience, such as token bridges, blockchain networks or physical merchandise.
Hacken researchers found that based on data collected by crypto security ranking service CER.live., there were severe deficiencies in GameFi cybersecurity in particular. It found that out of 31 GameFi tokens studied, none received the top security ranking AAA while 16 received the worst D score.
Rankings for each project were determined by weighting various aspects of their cybersecurity, such as token audits, whether they have a bug bounty and insurance and if the team is public.
Hacken’s report explained that GameFi projects typically scored low as it found that no P2E projects had insurance coverage, which could help projects recover funds immediately in the instance of a hack.
The lack of insurance is partially confirmed by crypto insurance firm InsurAce’s chief marketing officer Dan Thomson, who told Cointelegraph on Thursday that it was not covering any P2E projects.
The report also found that only two projects have an active bug bounty program in place. Axie Infinity and Aavegotchi have bug bounties that award monetary compensation to white hat hackers for finding bugs in the project’s code.
Finally, it found that while 14 projects have received a token audit, only five have completed a platform audit which could find potential security holes in the project’s entire ecosystem. These include Aavegotchi, The Sandbox, Radio Caca, Alien Worlds and DeFi Kingdoms.
While Hacken’s report paints a gloomy picture of the state of GameFi cybersecurity, co-founder of Illuvium Kieran Warwick shared the extensive measures his project takes to protect users.
Warwick told Cointelegraph on Aug. 5 that he knows “GameFi projects like ours are among the prime targets for hackers these days.”
As a result, he said that his project has stepped up its security to combat exploits by adding a dedicated security team, launching a $150,000 bug bounty program, and getting new products audited.
Warwick added that his project’s Discord server provides security rules and tips to new users who join in order to add an element of education to its security measures. He said:
“The safety and trust of our users comes first.”
Aside from the main in-game items, the Hacken report pointed to token bridges as a vulnerability for P2E games. Axie Infinity’s Ronin token bridge was the site of one of the crypto industry’s largest hacks ever when it lost over $600 million in tokens in March.
Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis
As P2E games grow in popularity, there will likely be an increase in the number of security exploits and dollar value stolen from projects, said Hacken. The firm has advised gamers to perform their own security check of projects before sinking a large sum of money into them:
“And, of course, keep in mind that investing in P2Es remains a potentially profitable but quite risky affair.”
On Wednesday, crypto analyst Miles Deutscher asked rhetorically where the next crypto security concern may come from. Deutscher may have his answer.
We went from:
> Meme coins not being safe
> DeFi ponzis not being safe
> Stablecoins not being safe
> Top 10 L1s not being safe
> Bridges not being safe
> CEXs not being safe
> Wallets not being safeWhat’s next..
— Miles Deutscher (@milesdeutscher) August 4, 2022