Background
When the game first came out, something was wrong with the experience: during play, it was possible to match orbs many times in a single turn. With a programmer's keen sense, I knew there must be a bug here and that the backend did not check user input. So I started to analyze the protocol and found more and more problems in this game.
Problems
No authentication system
Authentication lets the backend know who you are and ensures that the person is really you and not someone else. In Web3, authentication generally means that the backend constructs a message containing a nonce and returns it to the frontend for the user to sign, and the user sends the signature to the backend. After the signature is confirmed, the backend generates a token with an expiration, so that the backend knows who the person is. Normal authentication should look like this:
This game also has an authentication system, but its authentication works as follows:
Obviously, this authentication is carried out entirely by the frontend: the backend simply verifies the signature and then returns the wallet address to the frontend as the token. Such an authentication system has a big problem: the frontend can forge tokens. There is a saying in development: "Never trust user input". This is true for Web2, and even more true for Web3, because it is more free and open.
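The nonce-and-token flow described above, as an added example that is not the game's code or the author's: the backend issues the nonce, verifies the signature, and mints an HMAC-protected token with an expiry, so a bare wallet address is never accepted as a token. Ed25519 from Node's built-in crypto stands in for the wallet signature scheme, and addressOf, issueChallenge, login and authenticate are hypothetical names.

```javascript
// Added example, not the game's code. Ed25519 (Node's built-in crypto) stands in
// for the wallet key pair; addressOf() and all other names are hypothetical.
const crypto = require('node:crypto');

const SERVER_SECRET = crypto.randomBytes(32); // known only to the backend
const NONCE_TTL_MS = 5 * 60 * 1000;
const TOKEN_TTL_MS = 60 * 60 * 1000;
const pending = new Map(); // address -> { message, expires }

// Stand-in for deriving a wallet address from its public key.
const addressOf = (publicKey) => '0x' + crypto.createHash('sha256')
  .update(publicKey.export({ type: 'spki', format: 'der' })).digest('hex').slice(0, 40);

const mac = (body) => crypto.createHmac('sha256', SERVER_SECRET).update(body).digest('hex');

// Step 1: the backend, not the frontend, builds the message and picks the nonce.
function issueChallenge(address, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const message = `Sign in\naddress: ${address}\nnonce: ${nonce}`;
  pending.set(address, { message, expires: now + NONCE_TTL_MS });
  return message;
}

// Step 2: verify the signature over the stored message, consume the nonce, and
// return a token with an expiry that only the backend can mint.
function login(publicKey, signature, now = Date.now()) {
  const address = addressOf(publicKey);
  const entry = pending.get(address);
  pending.delete(address); // single use, even if verification fails
  if (!entry || entry.expires < now) return null;
  if (!crypto.verify(null, Buffer.from(entry.message), publicKey, signature)) return null;
  const claims = JSON.stringify({ sub: address, exp: now + TOKEN_TTL_MS });
  const body = Buffer.from(claims).toString('base64url');
  return `${body}.${mac(body)}`;
}

// Step 3: later requests are accepted only with a valid MAC and unexpired claims.
// Returns the address, or null for anything the backend did not issue.
function authenticate(token, now = Date.now()) {
  const [body, tag] = String(token).split('.');
  if (!body || !tag) return null;
  const expected = Buffer.from(mac(body));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const { sub, exp } = JSON.parse(Buffer.from(body, 'base64url').toString());
  return exp > now ? sub : null;
}
```

With a real wallet, the signature check in `login` would recover the signer's address from the signature instead of taking a public key as an argument.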
Unicorn attributes can be modified
The game fetches the Unicorn's metadata, which contains the Unicorn's attributes, such as attack, defense, speed and so on. Normally, these attributes represent the Unicorn's strength as a character and should not be modifiable, but in this game they are actually supplied by the frontend. Users can therefore modify the attributes at will and cheat that way.
The number of matches can be modified
In the game, the number of matched orbs is not calculated by the backend but by the frontend itself. The user can therefore change the number of matches arbitrarily and cheat that way.
Summary
There are still two discovered issues that have not been announced, and I need to keep them for my own use. When I found the problem and verified it, I notified the team as soon as possible, but the team thought it was a prototype and that the gameplay was more important. In my opinion, in the Web3 world, security comes first; if your product is not secure, then your product is a piece of rubbish. This game seems to have been developed by a frontend engineer who is not familiar with backend development. He has no backend experience, which causes a lot of problems. For the team, I think these are the lessons:
- Safety comes first as money is involved.
- Don't look for a 2nd team to develop the project, because they only implement the appearance and don't care about the long-term development of the product.
- Organize a community or team, and release a beta version for the community to test without monetary rewards. If product-experience bugs are found, the people who find them can get rewards.