A proof-of-concept (PoC) attack on the Manarium play-to-earn (P2E) gaming platform let researchers arbitrarily change their scores to win daily tournaments and collect crypto tokens, while bypassing the buy-in normally required to access the system.
P2E gaming (also known as GameFi or crypto gaming) uses nonfungible tokens (NFTs) as a form of in-game currency: Players can sell their NFTs to other collectors and players for use as avatars and other role-playing items, and they can earn them by winning games or through in-game advertising.
Several models exist, and so far, P2E has been wildly successful: “The play-to-earn market has become one of the biggest niches of Web 3.0,” according to an analysis from Hacken last August, published on the eGamers website. “The market capitalization of play-to-earn projects, as of the beginning of July 2022, is $6.5 billion, and the daily trading volume is greater than $850 million.”
As in the decentralized finance (DeFi) arena, the increasing amounts of crypto being transacted via P2E games have attracted cybercriminal notice, according to new analysis from researchers at Blaze Information Security. The researchers therefore set out to test the security of the Manarium platform and encountered three layers of insecurity along the way.
Easy Ways to Game the Gaming System
In Manarium’s case, the platform supports minigames that each offer a daily tournament. Users connect their wallets to the game and are verified; they pay 300 ARI (a type of token that can be swapped for