"Crypto gaming" is the trend of videogames using cryptocurrency as a major component of gameplay and/or in-game economies. This can range from (i) allowing users to purchase in-game items with Bitcoin, Ether or other cryptocurrencies (in addition to fiat currencies), (ii) allowing users to earn a game-specific cryptocurrency through gameplay, and (iii) all the way up to allowing users to withdraw the cryptocurrency they earned in-game for use elsewhere. While "play to earn" gameplay and mechanics have been around for a long time, the emergence of crypto-based mechanics is relatively new for the gaming industry.
Despite its novelty, the popularity of crypto gaming has been rising exponentially, but that rapid growth is not without risk. Some specific risks in crypto-gaming were recently brought to light when hackers stole approximately $600 million from a "bridge" connected to the popular Axie Infinity game.¹ The attack occurred on March 23, 2022, but was not discovered until one user attempted to withdraw their funds six days later. This attack followed a similar hack on the Wormhole bridge in February 2022 where hackers stole more than $300 million.²
This attack raises questions about the legal and technological risks involved in crypto-gaming, and in particular the use of "bridges" as part of a crypto-gaming strategy.
Functionality of Crypto Bridges
The rise in popularity of crypto games is exposing the blockchain's structural limitations. Most decentralized apps ("dapps") are built on the overburdened and unscalable Ethereum network. To increase the functionality and allow for expansion, secondary blockchains branch off from the parent blockchain (called a "sidechain"). The sidechain and the parent blockchain require an intermediary, or "bridge", for them to interact.
In a video game, a bridge facilitates the exchange of cryptocurrencies between the tokens used for the in-game economy and tokens brought in from the "real world economy". In this sense, the bridge acts like a token dispenser used in an old-fashioned real world video arcade. Consumers deposit their real-world money into the dispenser, and that money is converted into tokens that can only be used in the games in that arcade. From a more technical perspective, users deposit accepted cryptocurrency in the bridge and receive in-game native crypto tokens in return, which can be used on the sidechain. This occurs through a two-stage process:
When users want to liquidate their assets, the wrappers of the wrapped coins are "burned", and the original coins are unlocked from the bridge and returned to the users. This functionality prevents users from fraudulently using the cryptocurrency on the parent and sidechains concurrently.
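The lock, mint, burn and unlock cycle described above can be modelled as a small ledger, together with the check a bridge operator can run continuously: wrapped supply must never exceed the coins locked in the bridge. This is an added example, not code from the article or from any bridge project; the Bridge class, its method names and the sample balances are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Bridge:
    locked: int = 0  # parent-chain coins held by the bridge
    wrapped: dict = field(default_factory=dict)  # sidechain wrapped balances

    def deposit(self, user, amount):
        """Lock coins on the parent chain, mint equal wrapped tokens."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked += amount
        self.wrapped[user] = self.wrapped.get(user, 0) + amount

    def withdraw(self, user, amount):
        """Burn wrapped tokens, then unlock the same amount of coins."""
        if amount <= 0 or self.wrapped.get(user, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        if self.locked < amount:
            raise RuntimeError("bridge under-collateralised; withdrawal halted")
        self.wrapped[user] -= amount  # burn, so the coin is never live on both chains
        self.locked -= amount

    def wrapped_supply(self):
        return sum(self.wrapped.values())

    def backing_shortfall(self):
        """Wrapped tokens in circulation with no locked coin behind them."""
        return max(0, self.wrapped_supply() - self.locked)

def monitor(bridge):
    """Periodic check, rather than waiting for a user's withdrawal to fail."""
    shortfall = bridge.backing_shortfall()
    return "OK" if shortfall == 0 else f"ALERT: {shortfall} wrapped tokens unbacked"

def demo():
    b = Bridge()
    b.deposit("alice", 100)
    b.deposit("bob", 50)
    b.withdraw("alice", 30)
    before = monitor(b)
    b.locked = 0  # constructed scenario: locked coins leave outside burn/unlock
    after = monitor(b)
    return [before, after, b.wrapped_supply()]

if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the wrapped balances are unchanged while the backing is gone, which is the state the monitor flags and the withdrawal path refuses to pay out from.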
Various first-party and third-party bridges exist. In the case of Axie Infinity, the game's developers created the Ethereum-linked sidechain called Ronin, to allow the scaling of the game beyond Ethereum.
The Technical Risks of Crypto Bridges
While bridges increase the scalability and functionality of dapps and crypto games, the trade-off is that security can be compromised if the right safeguards are not put in place. Most dapps for Ethereum are built using a programming language specific for smart contracts, called Solidity. This is a complex programming language that provides developers with a single attempt to develop code that is correct. With little to no room for error, mistakes inevitably occur, causing exploitable security vulnerabilities in the sidechain.
The rapid popularity and expansion of crypto games further strains the crypto gaming ecosystem, by pressuring developers to create technically complex games in a short timeframe, while using a complex programming language with which they may not be as familiar. This dynamic leads to potential legal and security risks that would not exist for traditional in-game economies.
The Axie Infinity hack shows how these pressures can come together and expose the game to successful hacks. Axie Infinity's user base increased rapidly, and the developer may have attempted to accommodate that rapid game growth without ensuring strong security procedures at the same time. However arising, the game was left open to vulnerabilities in the Ronin bridge. Hackers then targeted these vulnerabilities and drained 173,600 Ether and 25.5 million USDC coins that were locked in the bridge. As such, once the underlying coins locked in the bridge were stolen, the corresponding wrapped coins became worthless.
The Legal Risks of Crypto Bridges - A Bridge Too Far?
The Ronin and Wormhole bridge attacks point to a broader problem: lack of regulation and overreliance on blockchain infrastructure. While the Ethereum blockchain is considered highly secure, rapidly-developed sidechains do not necessarily share strong security. Indeed, links to the Ethereum blockchain may give developers a false sense of security that is not borne out by the technological realities of how those connections, links, or bridges are built or secured. A blockchain is only as strong as its weakest link, and developers and publishers should ensure that bridges do not become the weak link in the crypto-gaming ecosystem.
Crypto gaming companies should strive to maintain and require high security both in the game and in any bridges which link to the game, and not compromise security standards during rapid scaling or in an attempt to achieve first-mover status in crypto-gaming. The risks of failing to maintain quality security are not merely the embarrassment of a hack, or online fury from players, or operational or internal gameplay issues resulting from the hack, but actual financial risk to the developer, the publisher and ultimately to players. Players will stop playing and investing their time in crypto games if their in-game crypto is exposed to elevated risk of theft or devaluation.
The lack of regulation also leaves little legal recourse for developers and publishers once hacks occur. While crypto gaming companies have compensated players for their losses in the past, increasing costs of losses will strain their ability to do so and raise important questions regarding liability for video game publishers and developers. More than $20.5 billion is currently locked in Ethereum bridges,⁴ and the potential liability of developers and publishers may be significant. These kinds of liabilities will often exceed available insurance coverage, even if insurers are willing to issue policies covering such risks in the first place at affordable rates (an entirely different subject). Failing fulsome voluntary reimbursement, class actions are a very real risk, as are potential regulatory investigations based on allegations that tokens or NFTs are "securities" under any applicable legislation. Finally, crypto transactions are intended to be anonymous and irreversible, so once a hack has occurred it is extremely difficult to reverse or retrieve the funds unless, very unusually, the interest of national law enforcement agencies is piqued.
Concluding Thoughts - When Should You Burn Your Bridges?
The Ronin and Wormhole hacks should serve as a warning sign of new and different risks for video game publishers and developers involved in crypto-gaming. These attacks highlight the difficulty of developing blockchain dapps with robust security or relying on bridges built by third parties without rigorous due diligence. While gaming companies seek to join the veritable gold rush of the industry, a focus should remain on striking a balance between scalability and security for the game and for any bridges.
Fasken is well-positioned to assist with many of those considerations. Our national Video Game group brings deep practical experience with the gaming industry from both a developer and publisher perspective. Members of the Video Game Group also have expertise advising clients on crypto, NFTs, fintech and securities matters, infosec and insure-tech matters related to the issues raised by this article.