After experiencing the GameFi gaming craze in 2021, represented by Axie Infinity, and the subsequent burst of the bubble, GameFi started to recover in the second half of 2023. The popularity of 3A blockchain game Bigtime drew significant attention to the GameFi market. On January 9, 2024, Arbitrum Layer3 Xai game-specific chain was officially launched. On January 12, the gaming platform SkyArk Chronicles completed a $15 million funding round led by Binance Labs. The combination of new public chains and games became a focal point in the market, with many users having high expectations for the future performance of GameFi.
Beosin has audited GameFi projects, including Ronin Network, SpaceRunners, WastedLands, Good Games Guild, and discovered security issues often overlooked by GameFi project teams. The current development status of the GameFi track, noteworthy projects, and the security challenges it faces will be analyzed by the Beosin team.
Overall Analysis of GameFi
In 2021, GameFi-related projects raised over $1.5 billion, with the total valuation of GameFi project development companies reaching nearly billions of dollars, excluding the market value of GameFi tokens. According to Blockchaingamer’s statistics, approximately 31% of GameFi projects have stopped development or are in an inactive state after the Web3 market’s winter.
Thanks to the market’s recovery and the popularity brought by new GameFi projects, the overall activity of GameFi has significantly increased. Top Ethereum blockchain games like Gala, Stepn, Axie, Sandbox, etc., saw record transaction volumes at the end of 2023.
In October 2023, the primary market funding in the GameFi track exceeded $100 million, with many GameFi projects raising millions of dollars for game development, testing, and promotion. In 2024, as numerous games enter public testing and official launch, the market’s attention to GameFi is expected to increase.
Key Projects in the GameFi Track
(Note: The following content does not constitute investment advice.)
Gaming Application Platforms
1. Ronin Network
Ronin is an EVM blockchain specifically designed for gaming, launched by Sky Mavis, the development team behind the once-popular blockchain game Axie Infinity. After experiencing security incidents in 2022, Ronin Network abandoned the original Proof of Authority (PoA) consensus. In 2023, Sky Mavis decided to upgrade the consensus mechanism to DPoS on April 12, reducing centralization risks. Beosin conducted a comprehensive audit of Ronin Network’s mainnet, smart contracts, etc., revealing security risks that were addressed with effective measures.
After the consensus upgrade, Ronin Network became more decentralized, with the number of validator nodes increasing from 9 to 22, and a total of 27 candidate validators. Governance validators are determined by Sky Mavis, Yield Guild Games, NonFungible.com, Nansen, Google, DappRadar DAO, and Animoca Brands, with the remaining 15 validator slots allocated to the community.
Currently, Ronin Network’s total TVL is approximately $150 million, and its ecosystem projects are rapidly developing. In 2023, Ronin collaborated with game studios such as Directive Games, Tribes, Bali Games, and Bowled.io, launching multiple games on the Ronin Network.
2. Immutable X
Immutable X is a zk-Rollup Layer2 focused on NFTs and GameFi, providing fast transaction confirmation, zero gas fees, and high scalability. Immutable X uses StarkEx technology to build Validium, a zk-Rollup solution similar to Plasma, where data is stored off-chain to reduce on-chain computation and increase TPS.
Immutable X’s ecosystem includes games like Gods Unchained, Guild of Guardians, and Illuvium, with Guild of Guardians and Illuvium issuing game tokens.
3. Xai
Xai is a Layer3 built on Arbitrum Nitro, focusing on incubating GameFi projects and user experience. Xai features backend wallet integration, providing a game experience with zero transaction fees and a unique game economic design. Xai has partnered with the game team Ex Populus to develop Final Form and LAMOverse on the Xai chain.
Xai has issued the XAI token, serving as the gas token and node rewards for the Xai chain. More use cases will be revealed when games go live on the network. Xai is listed on EagleEye, allowing users to monitor relevant on-chain activities.
4. Oasys
Oasys is an Ethereum sidechain designed for gaming, using PoS mechanism with Layer1 and Layer2. Layer1 is used for running tokens, NFTs, cross-chain bridges, and Rollup contracts, while games run on a proprietary, gas-free Layer2. Oasys Layer2 adopts Optimistic Rollup but removes the 7-day challenge period to improve user experience. Oasys currently has 6 Layer2s with 36 games running on them, allowing players to participate and earn OAS native tokens.
5. Gala
In November 2023, Gala Games announced a strategic partnership with DWF Labs to promote the widespread adoption of Galachain. Gala Games has launched multiple games and expanded its business into music and movies. Gala Games optimized its token model in January 2023, allocating Gala tokens spent on the platform to nodes to increase node earnings. Users can monitor Gala token on-chain activities through EagleEye.
6. Myria
Myria is an Ethereum Layer2 developed for GameFi. Similar to Immutable X, Myria collaborates with StarkWare, using StarkWare’s STARK prover and zk-Rollup technology, with transactions ultimately confirmed by the Ethereum network. The MYRIA token lacks sufficient on-chain liquidity, primarily traded on centralized exchanges like OKX and Bitget.
Myria has released several free games, such as Metarush, Metakart, Block Royale, Starstrike Legends, and Mooville Farm, aiming to build a gaming platform similar to Gala Games.
Fully Onchain Games
Fully Onchain Games refer to games where all game logic and states are executed and stored on the blockchain network. In the past, due to the performance bottlenecks of blockchain networks and the lack of infrastructure, most GameFi games only put game assets on the chain. However, in 2023, there was significant progress in fully onchain games, attracting developers to participate in their development. The reasons for this progress include:
- Attention and support from investment institutions such as a16z and Jump Crypto, promoting the development of fully onchain games as a sub-track.
- Gradual popularity of AA wallets, allowing users to sign transactions after completing a round/multiple steps, improving the user experience in participating in fully onchain games.
- Development of game engines reducing the barrier for developers. Currently, Starknet’s Dojo game engine and the MUD game engine with OP Stack integration are popular among developers.
In 2023, fully onchain games became a focal point in the GameFi track. Many of these games have entered the testnet phase and have a certain level of playability. Here are some of the currently notable fully onchain games in the market:
1. Realms World
Realms World is the game ecosystem of the Loot NFT project, featuring games like Loot Survivor and Realms: Eternum. These games are based on Starknet’s Dojo. Loot Survivor is a survival adventure game with a unique Play2Die mechanism, requiring players to fight/run from monsters, upgrade character attributes, collect equipment, and compete for higher rankings.
Realms: Eternum is an MMO strategy game where players build and develop their kingdoms while defending against attacks from other players. Each kingdom in Eternum is an NFT, and players can trade them on the marketplace.
2. Sky Strife
Sky Strife is a fully onchain game built on the MUD game engine. It features fast-paced real-time strategy (RTS) battles and is developed by the Lattice team, the creators of the MUD engine. Sky Strife’s gameplay is similar to other real-time strategy games, with four players starting in their respective main bases on the map. Players aim to capture more resources to produce soldiers, defend their bases, and attack other players’ bases. Players need to allocate resources between producing soldiers, controlling map resources, defending bases, and attacking other players’ bases to formulate a suitable strategy.
Sky Strife is currently in the testnet phase, and its token is ORB, which has not been issued yet. The development team plans to iterate Sky Strife to transform it into a self-governing world with resources, logic, and a freely constructible economy, allowing the community to develop new onchain games, game rules, and game modules in the Sky Strife world.
3. Cellula
Cellula is a fully onchain artificial life simulation game. In Cellula, players create artificial “life” by combining and assembling the smallest units of life — cells. Players can observe the growth, reproduction, and evolution of these “life” forms in a virtual space. Cellula uses Ethereum block height as “time,” and each “life” evolves with the growth of the Ethereum network.
Web2.5 Games
In addition to fully onchain games, most other GameFi projects can be classified as Web2.5 games, where game assets are on the chain, and most game logic is processed by centralized servers. From 2023 to 2024, many such games have started open beta testing or officially launched, including multiplayer online role-playing game Bigtime, first-person shooter games Matr1x FIRE and SHRAPNEL, and strategy game GasHero.
These games have learned from the failures of blockchain games in 2021, focusing on Play & Earn and improving the play side through better graphics, gameplay, and user experience. The tokenomic design has also been optimized to attract users with free or low entry thresholds.
GameFi Security Challenges
GameFi not only provides token incentives to players but also gives players ownership of in-game assets, creating game projects with the characteristics of crypto economies and decentralization. However, GameFi faces many security vulnerabilities and hacker attacks, which pose serious threats to user asset security and negatively impact the healthy development of the entire GameFi ecosystem.
Beosin is highly concerned about the security of the GameFi ecosystem. After the launch of popular chain games like Fren Pet and xPet, Beosin conducted security analyses of their tokens and game contracts to avoid potential vulnerabilities and attacks. So, what are the common security issues in GameFi, and how can the security of GameFi be improved? In response, Beosin has outlined the following security risks and recommendations.
Onchain Security Challenges
Token Contract Vulnerabilities
GameFi projects typically use one or more tokens as in-game currencies for purchasing items and rewarding players. Token contracts manage token minting, trading, and burning. Vulnerabilities in token contracts can have catastrophic effects on the entire game’s economic system.
Token contracts often have centralization risks, where the owner/administrator of the token contract has excessive permissions. The contract owner/administrator can modify token transaction fees, prevent users from buying or selling, add address blacklists, perform unlimited minting, or even reset the token balances of any address.
Users can check the risks of token contract addresses through the EagleEye platform. EagleEye detects and alerts users to token contract risks, helping them avoid potential losses.
Business Contract Vulnerabilities
GameFi business contracts are responsible for implementing the main gameplay and reward distribution. Most developers make their business contracts upgradeable. For the security of upgradeable contracts, Beosin recommends:
(1) Initialize contracts and dependencies: Developers may forget to initialize contracts and dependencies during deployment, leading to severe vulnerabilities.
(2) Be aware of storage conflicts: Modifying storage during contract upgrades may result in storage conflicts between different versions of the contract, causing data errors and financial losses.
(3) Pay attention to permission control: Developers need to restrict upgrade permissions for contracts to prevent attackers from gaining control of contract upgrades. Hackers may gain upgrade control through private key theft or governance attacks.
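The storage-conflict risk in recommendation (2) can be checked before an upgrade by comparing the storage layouts of the old and new implementations. The following is an added example, not Beosin's or any project's code: the field names mirror the `storageLayout` output of the Solidity compiler, while the contract, its variables and the helper names are constructed for illustration.

```python
# Added example: flag storage conflicts between two versions of an upgradeable
# contract. Entries mirror solc's `storageLayout` fields; all data is constructed.

def var(label, slot, type_, offset=0):
    return {"label": label, "slot": str(slot), "offset": offset, "type": type_}

# Constructed V1 layout of a hypothetical game contract.
LAYOUT_V1 = [
    var("owner", 0, "t_address"),
    var("rewardToken", 1, "t_address"),
    var("balances", 2, "t_mapping(t_address,t_uint256)"),
]
# Unsafe V2: `feeRate` inserted in the middle shifts every later variable.
LAYOUT_V2_INSERTED = [
    var("owner", 0, "t_address"),
    var("feeRate", 1, "t_uint256"),
    var("rewardToken", 2, "t_address"),
    var("balances", 3, "t_mapping(t_address,t_uint256)"),
]
# Safe V2: the new variable is appended after all existing ones.
LAYOUT_V2_APPENDED = LAYOUT_V1 + [var("feeRate", 3, "t_uint256")]


def check_upgrade(old, new):
    """Return (kind, slot, old_label) findings; an empty list means append-only."""
    new_at = {(int(v["slot"]), v["offset"]): v for v in new}
    findings = []
    for v in old:
        pos = (int(v["slot"]), v["offset"])
        succ = new_at.get(pos)
        if succ is None:
            findings.append(("removed", pos[0], v["label"]))
        elif succ["label"] != v["label"]:
            # A different variable now reads the bytes written by the old one.
            findings.append(("replaced", pos[0], v["label"]))
        elif succ["type"] != v["type"]:
            findings.append(("type-changed", pos[0], v["label"]))
    return findings


if __name__ == "__main__":
    for name, layout in [("inserted", LAYOUT_V2_INSERTED),
                         ("appended", LAYOUT_V2_APPENDED)]:
        print(name, check_upgrade(LAYOUT_V1, layout))
```

The check is conservative: a pure rename with the same type is reported as "replaced" and needs manual review.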
NFT Vulnerabilities
NFTs serve as the main player-held game assets in GameFi projects, and their quantity and rarity ensure the value of in-game assets. However, improper implementation of NFTs can introduce security risks.
Implementing randomness is a critical consideration for projects. GameFi projects often introduce activities such as blind boxes and random rewards for in-game tasks. When minting NFTs in such events, projects might use block timestamps as the source of information for generating NFTs of different rarities. However, block timestamps can be predicted or controlled, leading to unfair game competition. Beosin recommends that projects use Chainlink VRF (Verifiable Random Function) to reduce such risks.
In addition, projects need to securely store metadata, images, and IPFS hash values of their NFTs to prevent early leakage of NFT rarity data. Otherwise, hackers can locate the metadata of relevant NFTs and lock in the rarest NFTs during the minting process.
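An audit-style check for the timestamp-based rarity pattern described above, as an added example rather than Beosin's tooling: a small heuristic scanner that flags Solidity statements feeding block fields into a hash or modulo. The sample contract is constructed, and the list of block fields beyond `block.timestamp` is an added generalization.

```python
import re

# Block fields a block producer can predict or influence. The page names
# block timestamps; the other entries are an added generalization.
WEAK_SOURCES = ("block.timestamp", "block.number", "blockhash",
                "block.prevrandao", "block.difficulty", "block.coinbase")

# Constructed sample: a hypothetical blind-box mint with a timestamp-based roll.
SAMPLE = '''contract BlindBox {
    uint256 public saleStart;

    function mint() external {
        require(block.timestamp >= saleStart, "not started");
        uint256 roll = uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender))
        ) % 100;
        _mintWithRarity(msg.sender, roll);
    }
}
'''


def find_weak_randomness(source):
    """Return (line, sources) for statements that hash or reduce block fields."""
    findings, line = [], 1
    for stmt in source.split(";"):
        code = re.sub(r"//[^\n]*", "", stmt)        # ignore line comments
        lead = len(stmt) - len(stmt.lstrip())
        start = line + stmt[:lead].count("\n")      # line where the statement begins
        used = [s for s in WEAK_SOURCES if s in code]
        # A deadline check such as `block.timestamp >= saleStart` is fine; feeding
        # the value into a hash or a modulo is what makes it a randomness source.
        if used and ("keccak256" in code or "%" in code):
            findings.append((start, used))
        line += stmt.count("\n")
    return findings


if __name__ == "__main__":
    for line_no, sources in find_weak_randomness(SAMPLE):
        print(f"line {line_no}: randomness derived from {', '.join(sources)}")
```

Being text-based, the scanner misses values passed through intermediate variables, so a clean result does not replace a manual review of how rarity is derived.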
When players trade NFTs, projects need to be aware of the difference between ERC-1155 and ERC-721 tokens. ERC-1155 is an improvement over ERC-721, supporting the creation of both fungible tokens and NFTs in a single contract. ERC-721 tokens require multiple transfers, while ERC-1155 tokens can be transferred in batches. Projects need to differentiate when implementing related token transfers. Previously, the TreasureDAO on the Arbitrum chain was attacked due to this issue.
Cross-Chain Bridge Vulnerabilities
Multi-chain GameFi projects and GameFi application chains use cross-chain bridges to map in-game assets across different blockchain networks. Cross-chain bridges are crucial for improving the liquidity and attracting users to the game/ecosystem. However, GameFi cross-chain bridges have two main risks:
Firstly, due to contract vulnerabilities, in-game assets mapped between different networks may be inconsistent. Hackers might exploit contract vulnerabilities to inflate in-game assets on one network for profit.
Secondly, cross-chain bridge validator nodes are themselves a risk. The Ronin Network previously suffered a loss of $620 million due to a node’s private key leak. Beosin recommends that GameFi application chains increase the number of validator nodes for their cross-chain bridges, securely store private keys, and prevent malicious control of validator nodes from leading to losses.
Offchain Security Challenges
Apart from fully onchain games, the backend logic and interfaces of most GameFi projects still rely on offchain centralized servers. These servers store crucial information, including some game logic, game data, and player account information. These servers are susceptible to malicious attacks.
Tampering with NFT Data
As emphasized earlier, NFT metadata is crucial. However, many GameFi projects store their NFT metadata on centralized servers rather than decentralized infrastructure like Arweave. This increases the risk of attackers or internal project members tampering with metadata, infringing on player ownership and interests in their in-game assets.
Phishing Attacks
Attackers can obtain sensitive information from project teams through phishing attacks, such as wallet private keys managing the game treasury and GitHub accounts. Hackers can then expand the attack scale through supply chain attacks or phishing attacks, causing more significant losses.
Conclusion
After three years of exploration, GameFi has seen the emergence of more proprietary gaming blockchains and higher-quality gaming projects. Fully onchain games represent a more Web3-native narrative, but they are still in the very early stages, and the entire track requires time for iteration. When participating in the construction of the GameFi track, developers need to pay attention to avoiding the security risks mentioned above to build more reliable GameFi projects.