With the global gaming market’s rise over the past 10 years, the industry has created billions in value and inspired various new avenues of innovation. According to Mordor Intelligence – a market intelligence and advisory firm – the gaming market is forecast to grow up to $339.95 billion by 2027, having reached $198.4 billion in 2021. In 2021 free-to-play (F2P) mobile games were expected to pass an estimated $75.6 billion in that year alone. This concerns the traditional gaming industry, which has seen the rise of global e-sports and growth in its fan bases, and has even influenced pop culture.
Games have been with us since the 70s and have been evolving ever since. Blockchain games started on the fringes of the gaming industry, with the play-to-earn model becoming a possibility only because of blockchain and cryptocurrency technology. In February 2014, one of the first blockchain games was released riding on the back of a few major Bitcoin wins – in terms of market cap and price movement. The project (still active today) was titled Huntercoin and was a result of a live experiment to see how a blockchain could handle a virtual game world. In this top-down 8-bit game, players can collect virtual coins inside the digital universe and battle it out in player-versus-player (PVP) mode – all of this is hosted on a blockchain. This proved that it was possible and instigated a series of games that would bring more spice to the scene. Some of the first early adopters of cryptocurrencies were gamers as cryptocurrencies entered the public sphere as a gaming fad.
However, due to a few pivotal moments in 2013 – the 83% price crash at the beginning of the year amongst others – the general opinion of cryptocurrency was heavily affected. This also caused quite an exodus from the market. One of the major consequences was that the crypto industry, which was heavily dependent on voluntary work, saw many people not wanting to go near blockchain games and the P2E model due to possible financial consequences, as well as the worsening opinion. At that stage, these were huge hits for the crypto industry.
Commenting on this moment in history, Andrew Colosimo, co-founder of Xaya (the creators of Huntercoin) states, “At that time, fundraisers weren’t as big as they are today. For us, it was completely voluntary, and all the work that’s been done on Namecoin and Huntercoin was at our cost. Same is with Bitcoin.”
By the end of 2013, the crypto industry began to develop again, but GameFi’s future was turbulently influenced by the price of bitcoin and the general opinion about the leading cryptocurrencies. At the same time, more investment started to come into the decentralized landscape. At that stage, even Richard Branson stated that passengers of Virgin Galactic could pay with bitcoin, and Forbes named 2013 the ‘Year of the Bitcoin’. As the technology progressed and more blockchain games were developed, it started opening up the doors to scalable P2E games, allowing new companies to be built.
Fast forward to 2017: development in the crypto industry had continued, and Bitcoin had been joined by various other cryptocurrencies and blockchain projects. Among them were some of the first P2E games that used non-fungible tokens (NFTs) to allow players to buy, sell, and trade digital assets in-game. The first-ever P2E game that used NFTs was called Cryptobots and had a collection of 10,000 unique cryptobots that doubled up as in-game characters in its metaverse – yes, the metaverse was already a thing back in 2017.
Shortly after came Spells of Genesis, the first mobile blockchain game, where players explored the virtual world while looking for ‘orbs’ to trade, merge, and sell.
Even Ubisoft dipped its toes into the blockchain game industry back then with the creation of HashCraft. Similar to Minecraft, the game was a sandbox but mixed with battle royale-like gameplay. Players dropped onto an island and started crafting. The island was then shared so everyone could play on the map and everyone could participate in challenges for crypto.
CryptoKitties was one of the most successful blockchain games available as well as one of the most popular titles. Even back in 2018, the project’s gamefi investment round raised $15 million to “drive the consumer adoption of blockchain technology”. Back then, blockchain games’ funding wasn’t even close to what some of the top ones reach today.
As the amount of money that flowed into the blockchain industry started to increase, so did the amount of malicious activity. Many new and uneducated users were carried away by the dark side of crypto. Projects would have an initial coin offering (ICO) where interested participants could invest BTC or USD. This type of fundraising started gaining a lot of attention around 2016 and was a method to raise capital to get a project off the ground. The promise of a win-win attracted many investors. If the token’s price rises in value, the investor has both helped to support the development of the project and gained profit from the increased price.
However, due to the anonymous and decentralized nature of crypto, tech-savvy individuals could relatively easily create the bare bones of a crypto project that would look legitimate. ICO scams would classically happen after the coin was launched and the value of the token rose. On reaching a specified point, scammers would sell off all their tokens, taking profits and leaving investors and the project to fall. Between January 2016 and August 2019 ICOs raised over $31 billion according to a report from the Review of Financial Studies. However, during the same time, many investors suffered from scams and fraud in the booming ICO space and lost nearly $100 million between 2016 and 2018.
This whole scheme was then called a “rug pull” and found its way to the decentralized finance (DeFi), gamefi, and NFT space as well, with pretty much the same story. When enough funds are raised for the project to ‘start’ – the creator(s) would run away with the funds, leaving investors empty-handed. In 2021 alone $2.8 billion was lost to rug pulls according to Chainalysis, a leading blockchain analytics firm. In August last year, Luna Yield, a project on the Solana blockchain rug pulled their users for $10 million after draining liquidity pools and shutting down all channels of communication.
In September 2021, the “Evolved Apes” gamefi project was advertised – a spinoff of the extremely popular Bored Ape Yacht Club – where players would be able to use their NFT characters in-game to battle it out for Ethereum. However, shortly after the launch, funds gathered for project-related expenses reached 798 ETH (US$2.7 million at the time). They were “rugged”, and all social channels were deleted. Even today rug pulls happen regularly to unsuspecting investors who don’t know where and how to look for the signs of a scam.
The most dangerous attackers in the industry, however, are hackers. These individuals examine the project landscape looking for vulnerabilities in code in order to exploit the funds held within vaults, smart contracts, bridges or anywhere the money flows. In 2021 DeFi protocols were hit the most, according to the Chainalysis 2022 Crime report, with over $2 billion stolen by hackers. One of the main reasons DeFi – and thus also gamefi – is so often targeted is “insecured gaps in the smart contract code governing those protocols, which hackers exploit to steal funds, similarly to the gaps that enable rug pulls”, according to the report.
Rug pulls can also happen because of errors or vulnerabilities in a project’s code – but this is essentially still a hack, allowing a malicious actor to steal all the funds from the developers and investors. An example of this would be Beanstalk – a DeFi protocol – that recently suffered one of the largest multi-million dollar hacks on record. The hackers used a flash loan attack to steal $182 million from its liquidity pool, which consequently dropped the price of the native token by more than 80%.
As Bitcoin’s value continued to drop and more hackers and scammers joined the industry it was not looking good for crypto and the P2E model along with it.
When looking back at these events it almost seems like the growing pains of the industry, but during those times it was ‘make or break’. Out of necessity, more cyber security projects and companies started helping blockchain projects by providing security as a service. These services can range from code audits to setting up bounty programs and pen testing, all to ensure the concurrent safety of a project and its users. Security has since become one of the crucial characteristics of this industry as more people enter.
Companies like Hacken, Certik, and PeckShield – just to name a few – have joined the industry and secured hundreds of projects. Trusted auditing companies usually hand out a certificate after a project has been audited to prove the project has been checked for vulnerabilities and is (generally) safer to use than those that don’t have one. For example, SecureChain – a cyber security team from Icetea Labs – is auditing all the IGO projects on GameFi.org.
As in the case of Beanstalk mentioned above, the smart contracts were audited, but only before the introduction of the flash loan vulnerability. Recurring audits are essential to ensure updates do not leave the project with new vulnerabilities. Due to the increasing complexity of project development, new additions might have zero-day threats or a backdoor that a developer may have overlooked or didn’t even know existed.
Audits of projects also made the industry more resistant to rug pulls through the certificates. New users who enter and are looking to invest should scrutinize projects before taking part in them. Projects that hold an audit certificate from a legitimate provider stand out in the crowd as projects a user can trust. This also helps reduce the number of people that can get caught by scams.
Besides project safety assurance, users also need to be educated so they can effectively participate and reduce their own risk where possible. As the industry continues to grow there are many more marketplaces, data aggregators, exchanges, and analytics firms than there were in 2013. These have all become whistleblowers and hubs of education for users to learn about the possible risks that can be found in the ever-expanding crypto industry.
Fast forward to today, and you will see trust in the crypto industry higher than ever, with even major institutions and banks now dipping their toes there. When looking at the P2E industry, the ecosystems are bustling with thousands of games and NFT projects. Adoption has dramatically increased and total crypto transaction volume hit $15 trillion by the end of 2021. With a huge audience of retail investors as well as major brands like Microsoft, Nike, Facebook (now Meta), Nvidia, Unity Software, and many others now participating in the metaverse and digital asset space, it is set to see major growth.
Major investors like Gala Games together with C2 Ventures launched their venture fund for GameFi worth $100 million. Solana Ventures and others also started a fund containing $150 million. In 2021 alone, the blockchain games and infrastructure industry received over $4 billion in venture capital funding as a confirmation of the growth of the blockchain gaming industry.
According to the findings of a joint report by DappRadar and the Blockchain Game Alliance (BGA), blockchain gaming has boomed by a massive 2,000% in a year. So far this year the crypto gaming industry has had $2.5 billion already invested into it; if it continues at this rate it could grow to $10 billion by the end of 2022. The report added that blockchain games attracted 1.22 million unique active wallets (UAW) in March, accounting for 52% of the industry’s activity. With all the different technologies working together to create a self-sustaining ecosystem, the blockchain gaming industry is shaping up to become a major revenue generator.
At its core, a P2E game is a way for users to play and get rewarded for their time. Some of the creators in the industry even see P2E games as future micro-economies that are powered by players and entrepreneurs to generate wealth for those who participate. Regardless of the ethos, it’s impressive to see blockchain games with a few hundred players in 2013 evolve into top-grossing games like Axie Infinity that have hundreds of thousands of dollars worth of trading volume every day. The game became so well adopted that some people in countries like the Philippines play Axie Infinity as a job or side hustle because it has the potential to earn more than their minimum wage.
The gamefi industry has seen exceptional growth, with concepts like the metaverse, gamefi, and socialfi blending into one to create an experience that probably does not have a term yet. Projects like GEMS have already started to capitalize on the transition, raising 5 million USDT to build an Esport 3.0 aggregator platform and to be like the Netflix of blockchain games. With blockchain games only now somewhat coming out of their infancy, the future of gamefi is sure to be complex and exciting.