“Crypto gaming” is the trend of videogames using cryptocurrency as a major component of gameplay and/or in-game economies. This can range from (i) allowing users to purchase in-game items with Bitcoin, Ether or other cryptocurrencies (in addition to fiat currencies), (ii) allowing users to earn a game-specific cryptocurrency through gameplay, and (iii) all the way up to allowing users to withdraw the cryptocurrency they earned in-game for use elsewhere. While “play to earn” gameplay and mechanics have been around for a long time, the emergence of crypto-based mechanics is relatively new for the gaming industry.
Despite its novelty, the popularity of crypto gaming has been rising exponentially, but that rapid growth is not without risk. Some specific risks in crypto-gaming were recently brought to light when hackers stole approximately $600 million from a “bridge” connected to the popular Axie Infinity game. The attack occurred on March 23, 2022, but was not discovered until one user attempted to withdraw their funds six days later. This attack followed a similar hack on the Wormhole bridge in February 2022 where hackers stole more than $300 million.
This attack raises questions about the legal and technological risks involved in crypto-gaming, and in particular the use of “bridges” as part of a crypto-gaming strategy.
Functionality of Crypto Bridges
The rise in popularity of crypto games is exposing the blockchain’s structural limitations. Most decentralized apps (“dapps”) are built on the overburdened and unscalable Ethereum network. To increase the functionality and allow for expansion, secondary blockchains branch off from the parent blockchain (called a “sidechain”). The sidechain and the parent blockchain require an intermediary, or “bridge”, for them to interact.
In a video game, a bridge facilitates the exchange of cryptocurrencies between the tokens used for the in-game economy and tokens brought in from the “real world economy”. In this sense, the bridge acts like a token dispenser used in an old-fashioned real world video arcade. Consumers deposit their real-world money into the dispenser, and that money is converted into tokens that can only be used in the games in that arcade. From a more technical perspective, users deposit accepted cryptocurrency in the bridge and receive in-game native crypto tokens in return, which can be used on the sidechain. This occurs through a two-stage process:
- First, cryptocurrency is deposited in the bridge and locked until redeemed.
- Second, smart contracts create “wrapped coins”, which are tokens that are pegged on a 1:1 basis to the value of certain other currencies, functioning similarly to so-called stablecoins. Stablecoins are cryptocurrencies whose price is backed by a reserve asset, such as fiat currencies or other cryptocurrencies. For example, the USDC stablecoin is pegged to $1.00 USD. In the case of a bridge, one token of wrapped Ether is pegged to one Ether. These wrapped coins derive their underlying value from the current price of Ether, and they can then be used by players in the in-game economies. Generally this will be a single game, but it is possible to build economies that span multiple games.
When users want to liquidate their assets, the wrappers of the wrapped coins are “burned”, and the original coins are unlocked from the bridge and returned to the users. This functionality prevents users from fraudulently using the cryptocurrency on the parent and sidechains concurrently.
Various first-party and third-party bridges exist. In the case of Axie Infinity, the game’s developers created the Ethereum-linked sidechain called Ronin, to allow the scaling of the game beyond Ethereum.
The Technical Risks of Crypto Bridges
While bridges increase the scalability and functionality of dapps and crypto games, the trade-off is that security can be compromised if the right safeguards are not put in place. Most dapps for Ethereum are built using a programming language specific for smart contracts, called Solidity. This is a complex programming language that provides developers with a single attempt to develop code that is correct. With little to no room for error, mistakes inevitably occur, causing exploitable security vulnerabilities in the sidechain.
The rapid popularity and expansion of crypto games further strains the crypto gaming ecosystem, by pressuring developers to create technically complex games in a short timeframe, while using complex programming language with which they may not be as familiar. This dynamic leads to potential legal and security risks that would not exist for traditional in-game economies.
The Axie Infinity hack shows how these pressures can come together and expose the game to successful hacks. Axie Infinity’s user base increased rapidly, where the developer may have attempted to accommodate that rapid game growth without ensuring strong security procedures at the same time. However arising, the game was left open to vulnerabilities in the Ronin bridge. Hackers then targeted these vulnerabilities and drained 173,600 Ether and 25.5 million USDC coins that were locked in the bridge. As such, once the underlying coins locked in the bridge were stolen, and the corresponding wrapped coins became worthless.
The Legal Risks of Crypto Bridges - A Bridge Too Far?
The Ronin and Wormhole bridge attacks point to a broader problem: lack of regulation and overreliance on blockchain infrastructure. While the Ethereum blockchain is considered highly secure, rapidly-developed sidechains do not necessarily share strong security. Indeed, links to the Ethereum blockchain may give developers a false sense of security that is not borne out by the technological realities of how those connections, links, or bridges are built or secured. A blockchain is only a strong as its weakest link, and developers and publishers should ensure that bridges do not become the weak link the crypto-gaming ecosystem.
Crypto gaming companies should strive to maintain and require high security both in the game and in any bridges which link to the game, and not compromise security standards during rapid scaling or in an attempt to achieve first-mover status in crypto-gaming. The risks of failing to maintain quality security are not merely the embarrassment of a hack, or online fury from players, or operational or internal gameplay issues resulting from the hack, but actual financial risk to the developer, the publisher and ultimately to players. Players will stop playing and investing their time in crypto games if their in-game crypto is exposed to elevated risk of theft or devaluation.
The lack of regulation also leaves little legal recourse by developers and publishers once hacks occur. While crypto gaming companies have compensated players for their losses in the past, increasing costs of losses will strain their ability to do so and raises important questions regarding liability for video game publishers and developers. More than $20.5 billion is currently locked in Ethereum bridges, and the potential liability of developers and publishers may be significant. These kinds of liabilities will often exceed available insurance coverage, even if insurers are willing to issue policies covering such risks in the first place at affordable rates (an entirely different subject). Failing fulsome voluntary reimbursement, class actions are a very real risk, as are potential regulatory investigations based on allegations that tokens or NFTs are “securities” under any applicable legislation. Finally, crypto transactions are intended to be anonymous and irreversible, so once a hack has occurred it is extremely difficult to reverse or retrieve the funds unless, very unusually, the interest of national law enforcement agencies are piqued.
Concluding Thoughts – When Should You Burn Your Bridges?
The Ronin and Wormhole hacks should serve as a warning sign of new and different risks for video game publishers and developers involved in crypto-gaming. These attacks highlight the difficulty of developing blockchain dapps with robust security or relying on bridges built by third parties without rigorous due diligence. While gaming companies seek to join the veritable gold rush of the industry, a focus should remain on striking a balance between scalability and security for the game and for any bridges.
Fasken is well-positioned to assist with many of those considerations. Our national Video Game group brings deep practical experience with the gaming industry from both a developer and publisher perspective. Members of the Video Game Group also have expertise advising clients on crypto, NFTs, fintech and securities matters, infosec, insure-tech matters related to the issues raised by this article.If you have any questions or want to learn more about our services, please feel free to reach out to any of the authors or subscribe to our videogame mailing lists to receive future updates.