More Major P2E Hacks are a Matter of Time: Cybersecurity Research

More Major P2E Hacks are a Matter of Time: Cybersecurity Research

Disclaimer: This is a guest article, does not necessarily endorse the views of the author.

The play-to-earn (P2E) market has become one of the biggest niches of Web 3.0. The market capitalization of play to earn projects, as of the beginning of July 2022, is $6.5B, and the daily trading volume is >$850M. With >3 billion gamers worldwide, the video games sector may become the main channel of further crypto growth.

P2E has strong links to virtual assets, so it shares many risks attributed to crypto, including cybersecurity threats. The more money the industry attracts, the more desirable target it becomes for bad actors.

In this environment, security becomes one of the most pressing issues of the niche. So what are P2E’s current trends in terms of security? Can we expect to reduce the number of hacks or set common security standards for the industry?

Biggest P2E hack in the spotlight 

In March 2022, the global crypto community was shocked by the $625M hack of one of the most famous P2E projects, Axie Infinity, which became the biggest hack in the niche’s history so far. Before the attack, the platform used to attract >2M users daily.

Axie Infinity is built on Ronin, its native blockchain. Hackers managed to break into Axie Infinity’s system by compromising Ronin — namely, the keys used to validate transactions on the network. By getting access to 5 validator nodes (4 belonging directly to Axie Infinity and one third-party node run by Axie DAO, they managed to forge fake withdrawals. The Sky Mavis team linked the hack to technical vulnerabilities and social engineering.

Security in Play-to-earn: painting the picture 

Let’s try to evaluate the situation in P2E cybersecurity using data from, a crypto cybersecurity data aggregator. has analyzed hundreds of indicators for P2E and GameFi projects to develop the most comprehensive security ranking. 

The play-to-earn crypto games industry currently includes >170 projects and 44 ventures with a market capitalization of >$5M. The top-5 biggest ones are The Sandbox, Decentraland, Axie Infinity, Stepn, and Gala.

The current analysis covered 31 projects and found the results unsatisfactory. Although only Axie Infinity has been involved in security incidents, none of these projects got AAA, AA, or even A security rating. (The company applied classic rating methodology, where AAA is the highest rating, D — the lowest. The ratings below DDD mean an increased risk of a future hack or other security incidents.).

Security RatingNumber of projectsProject names
BBB1The Sandbox
B2Immutable X, DeFi Kingdoms
CCC1Radio Caca
C2Decentraland, My DeFi Pet
DDD7Axie Infinity, Mobox, Alien Worlds, UFO Gaming, Tower, Revv, Rainicorn
D16Gala, Wax, Smooth Love Potion, Illuvium, Merit Circle, DEAPCOIN, Yield Guild Games, Phantasma, Decentral Games, Ovr, Battle World, Aurory, Decentral Games Governance, Dotmoovs, Chain Games, Vidt Datalink

Key findings

  • Recent high-profile hacks show that code vulnerabilities and users abandoning basic security recommendations are the most common causes of cyber attacks; 
  • No P2E projects have insurance, which means that if a hack takes place, users will not get their money back unless a project finds an alternative source of funding;
  • Only 2 projects have an active bug bounty program: 29 remaining P2E games rely only on their own resources in terms of permanent security;
  • Although 14 projects have undergone a token audit, only 5 titles have done a platform audit.

Based on the data provided by, we can see that GameFi projects put profits above security and do not follow even the most essential cybersecurity recommendations, leaving malicious actors numerous entry points for attacks.

Other security flaws: bridges, insiders, and lack of audits

According to Ilman Shazhaev, a tech expert and the CEO of Farcana, the next big issue is the popularity of blockchain bridges in Play-to-Earn and their vulnerabilities. However, in Axie’s case, it wasn’t only the money hackers were after: by compromising a game played by millions, the pseudonym of the hacker or group becomes viral as they gain sort of fame.

 ‘Another vulnerability point is connected to insiders when hackers bribe a team member who leaks the information they need to steal users’ money. This process is not always about sharing credentials: sometimes, it comes down to revealing bugs in the code, even in the case of high-level cybersecurity policy. 

And, of course, we must not forget the raw nature of many projects. Many Play-to-Earn game developers are seeking to push the game to the market asap: while doing so, some would try to save time and money for a quality code audit, ’ Ilman added.

Essential cybersecurity services for GameFi projects

So what are the essential security elements GameFi projects should consider having in place?

Performing smart contract audits

Automated and manual analysis of code allows for to detection of vulnerabilities of different severity levels and addresses both security issues and business logic flaws. 

The leading providers of smart contract audit services with the lowest incident rate among the audited projects are OpenZeppelin, ConsenSys, and Hacken. Among these 3 providers, Hacken has the most considerable number of publicly available audit reports (over 120). It also boasts considerable experience in GameFi, having conducted smart contract audits for Game Starter, Vidya Games, Path of Alchemist, Games of Silks, MetaCloud, and many others.

Running bug bounty programs

With a bounty program, dozens or even hundreds of ethical hackers simultaneously perform an independent analysis of the project’s security and get monetary rewards for their findings. The leading bug bounty platforms are BugCrowd, HackerOne, HackenProof, ImmuneFi, Synack, and YesWeHack.

Introducing insurance

With insurance in place, projects and their users can get a full or partial refund of their funds lost in a hack. The leading insurance providers are Nexus Mutual,, NSure.Network, and inSure.

Securing P2E assets

After the Axie Infinity hack, malicious actors realized that play-to-earn crypto games accumulate huge assets that can easily be lost to a well-planned attack. Security specialists recognize that big hacks of P2E games are almost inevitable in the future. The further growth of the popularity of P2E and GameFi crypto projects will be accompanied by the intensification of cybercrimes against these players.

In this situation, gamers should realize that they must take care of their security. Before investing a large sum of money in a particular P2E game, users should perform at least a basic security check of this project using the data provided by independent platforms such as and CoinGecko. And, of course, keep in mind that investing in P2Es remains a potentially profitable but quite risky affair.

Stay always up to date:

📰 Don’t Miss a thing: Join the News-Telegram Channel or The Discussion Group.

🐥In Your Feed: Follow us on Twitter, Facebook & Instagram.

📺 Let’s Watch: Youtube Subscribe & Chill.

🎙️Useful Channels: NFT Giveaway Channel & Early Adopter Opportunities Channel.

🕹️Gaming Guild & Scholarships: Join our Discord.

📫Saturday Mail Recap: Subscribe for the Blockchain Gaming Digest.


We use affiliate links when possible. At no cost to you, we may earn some crypto or nfts.

While we strive for the accuracy of the content, we provide it “as-is.” We take no responsibility for any actions or results. We write about games, treat them as games. We don’t give investment advices. Always do your own, extensive research.