TL;DR — The 5 Things That Will Get Your GameFi Protocol Hacked

1. Broken tokenomics — Infinite token minting, no supply caps, uncontrolled inflation (MakinaFi: $14M)
2. NFT duplication vulnerabilities — Asset state desync between game logic and NFT contracts
3. Predictable randomness — Players gaming loot drops, rare mints, and RNG-based rewards
4. Marketplace manipulation — Price oracle attacks, wash trading, fake volume pumping
5. Game logic bypass — Players exploiting mechanics to earn rewards without playing

🔐 Interactive Checklist Available

We've created an interactive version of this checklist with expandable details, code examples, and audit checkboxes. Perfect for auditors and dev teams.

→ View the EVM GameFi & Play-to-Earn Security Checklist

Introduction: Why GameFi Security Is Critical

• $47M+ lost to GameFi exploits in 2024 alone
• 73% of gaming protocols suffer security incidents within 6 months
• 890+ gaming-specific findings across 2,100+ GameFi audit issues analyzed
• 342 tokenomics flaws including inflation controls and reward mechanism exploits
• 18% of findings are Critical+ severity — higher than traditional DeFi

How to Use This Checklist

1. NFT & Asset Security
2. Tokenomics & Economy
3. Marketplace & Trading Security
4. Game Mechanics & Logic
5. Access Control & Permissions
6. Oracle & External Data Security
7. Upgrade & Migration Safety
8. Gas Optimization & Performance

• Why it matters — Context and real-world exploit examples
• Security checks — Specific items to verify
• Red flags — Warning signs that indicate vulnerabilities

1. NFT & Asset Security

Why It Matters

Security Checks

Supply Control & Minting

• Maximum NFT supply is hardcoded and enforced — No function can exceed the total supply cap, including admin mints, batch operations, and emergency functions.
• Admin mint quantities are limited and time-locked — Administrative minting should have strict quantity limits, timelock delays, and public transparency to prevent inflation attacks.
• Mint pricing mechanisms are exploit-resistant — Dynamic pricing formulas cannot be manipulated through flash loans, MEV attacks, or price oracle manipulation.
• Whitelist and presale mechanics are secure — Merkle tree implementations are correct, signatures cannot be replayed, and allocation limits are enforced per wallet.

Randomness & Trait Generation

• Uses Chainlink VRF for all randomness — Loot drops, trait generation, and any RNG-based mechanics must use verifiable random functions to prevent manipulation.
• Randomness cannot be influenced by miners — Block hash, timestamp, or difficulty-based randomness is not used for critical game mechanics.
• Reveal mechanisms are properly implemented — Two-phase reveals prevent trait manipulation, with proper commit-reveal schemes and timelock periods.

Asset State Synchronization

• Cross-contract state consistency is maintained — Game logic contracts and NFT contracts maintain perfect synchronization of asset ownership and state.
• Transfer hooks properly update game state — Every NFT transfer triggers appropriate game state updates to prevent asset duplication or orphaned references.
• Asset locking mechanisms work correctly — When assets are locked in-game (staking, battles, cooldowns), they cannot be transferred or used elsewhere.

Red Flags

• Unlimited admin minting capabilities without restrictions
• Predictable randomness using block.timestamp or blockhash
• Missing transfer hooks causing game/NFT state desynchronization
• No supply cap enforcement allowing infinite asset creation

2. Tokenomics & Economy

Why It Matters

Security Checks

Token Supply & Inflation Control

• Maximum token supply is enforced across all functions — No mint function can exceed hard caps, including rewards, admin mints, and protocol emissions.
• Inflation rates are mathematically bounded — Reward algorithms have provably finite token emission over any time period, preventing runaway inflation.
• Vesting schedules are immutable and audited — Team tokens, investor allocations, and treasury distributions follow auditable vesting with no backdoors.
• Burn mechanisms balance inflation — Token burning (fees, upgrades, crafting) creates deflationary pressure to offset emissions.

Reward Distribution Security

• Sybil attack prevention in rewards — Multiple accounts cannot abuse reward systems through coordination or automation.
• Time-based rewards are manipulation-resistant — Staking rewards, daily bonuses, and time-locked incentives cannot be exploited through timestamp manipulation.
• Reward calculation precision is maintained — No division by zero, overflow/underflow, or rounding errors in reward mathematics.
• Anti-farming measures are implemented — Sophisticated bots cannot extract value without providing genuine gameplay or platform value.

Treasury & Protocol Economics

• Protocol fee collection is secure — Fee accumulation cannot be manipulated or bypassed through re-entrancy or callback attacks.
• Treasury access is properly restricted — Multi-signature or DAO control over protocol funds with appropriate time delays and transparency.
• Economic parameters have governance controls — Critical parameters (fees, rewards, supply caps) require governance approval to modify.

Red Flags

• No maximum token supply limits
• Reward calculations using unsafe math operations
• Single address controlling treasury or mint functions
• Time-based rewards using manipulable timestamp values

3. Marketplace & Trading Security

Why It Matters

Security Checks

Price Oracle Security

• Price feeds use decentralized oracles — Chainlink, Band Protocol, or equivalent decentralized price sources for asset valuation.
• Oracle manipulation resistance — Price aggregation, time-weighted averages, and circuit breakers prevent flash loan price attacks.
• Stale price detection and handling — Automated detection of stale oracle data with graceful degradation or transaction rejection.
• Cross-reference multiple price sources — Important pricing decisions use multiple independent price feeds with outlier detection.

Trading Mechanism Security

• Signature-based orders are replay-resistant — Nonces, expiration times, and chain-specific signatures prevent order replay attacks.
• Order matching cannot be front-run — Private mempools, commit-reveal schemes, or MEV protection for fair order execution.
• Royalty distribution is manipulation-resistant — Creator royalties cannot be bypassed through contract calls or proxy transfers.
• Wash trading detection is implemented — Patterns of self-trading or coordinated volume manipulation are detected and prevented.

Marketplace Integration

• External marketplace approvals respect game locks — Third-party marketplace integrations query game state before allowing trades.
• Cross-marketplace arbitrage is controlled — Price discrepancies between venues cannot be exploited to manipulate in-game economies.
• Listing validation prevents invalid sales — Assets cannot be listed while locked, staked, or in active use within the game.

Red Flags

• Single price oracle without backup or validation
• Missing signature replay protection in order systems
• No wash trading detection or prevention
• External marketplaces bypassing game mechanic restrictions

4. Game Mechanics & Logic

Why It Matters

Security Checks

Battle & Competition Logic

• Battle outcomes are deterministically calculated — Combat results are reproducible and cannot be manipulated through external calls or re-entrancy.
• Player statistics are tamper-resistant — Health, damage, experience, and other stats cannot be modified outside intended game functions.
• Cooldown periods are strictly enforced — Players cannot bypass ability cooldowns, energy regeneration, or time-based restrictions.
• Tournament brackets are manipulation-resistant — Competition pairings and elimination logic cannot be gamed or predicted in advance.

Progression & Achievement Systems

• Experience gain is bound and validated — XP rewards have maximum limits per action/time period and cannot be farmed infinitely.
• Achievement unlocks are properly gated — Milestone rewards require legitimate progression and cannot be triggered artificially.
• Level-based restrictions are enforced — Higher-level content, items, or rewards are inaccessible to lower-level players.
• Skill trees and upgrades are immutable — Character progression cannot be reversed or exploited to gain multiple upgrade paths.

Resource Management

• Energy/stamina systems are exploit-resistant — Time-based resource regeneration cannot be manipulated through timestamp or block manipulation.
• Crafting recipes are tamper-proof — Item creation requires exact inputs and cannot be bypassed through partial payments or reentrancy.
• Inventory limits are enforced — Players cannot exceed storage limits through rapid transfers or batch operations.

Red Flags

• Game state calculations using external calls
• Missing validation of player action prerequisites
• Timestamp-dependent mechanics without manipulation protection
• Unbounded loops in game logic functions

5. Access Control & Permissions

Why It Matters

Security Checks

Role-Based Access Control

• Admin roles are properly restricted and time-locked — Critical functions require multi-signature approval and time delays for execution.
• Game master permissions are scoped and limited — Operational accounts can only perform specific game functions without treasury or critical access.
• Player action authorization is validated — Every game action verifies the caller has legitimate permissions to perform the operation.
• Role inheritance is secure and audited — Complex permission hierarchies are tested for privilege escalation vulnerabilities.

Function Access Protection

• Critical functions have proper modifiers — Administrative, financial, and game-critical functions are protected with appropriate access controls.
• Emergency functions are restricted — Pause, upgrade, and emergency withdrawal functions require proper authorization and cannot be abused.
• Batch operation security is maintained — Mass actions (airdrops, batch mints) maintain individual authorization checks.

Smart Contract Permissions

• Contract-to-contract permissions are validated — Inter-contract calls verify authorization and prevent unauthorized state changes.
• Upgrade permissions are secured — Proxy upgrade functions require appropriate governance approval with time locks.
• External integration permissions are limited — Third-party contract integrations have minimal necessary permissions with regular audits.

Red Flags

• Single owner controlling multiple critical functions
• Missing access control modifiers on sensitive functions
• No time delays on critical administrative actions
• Overly broad permissions for operational accounts

6. Oracle & External Data Security

Why It Matters

Security Checks

Data Feed Security

• Multiple oracle sources with aggregation — Critical data uses multiple independent sources with outlier detection and aggregation.
• Oracle failure handling is robust — System gracefully handles oracle downtime, stale data, or manipulation attempts.
• Data freshness validation is implemented — Timestamp checks ensure data is recent enough for use in time-sensitive operations.
• Circuit breakers for abnormal data — Automatic system pausing when oracle data exceeds expected ranges or patterns.

External API Integration

• External API calls are secured — Rate limiting, authentication, and error handling for any off-chain data dependencies.
• Leaderboard and ranking data is tamper-resistant — External rankings cannot be manipulated to gain unfair in-game advantages.
• Cross-game integrations are validated — Data from external games or platforms is properly verified before use.

Randomness and Fair Play

• Verifiable randomness for all RNG — Chainlink VRF or equivalent verifiable random functions for all chance-based mechanics.
• Anti-manipulation measures for random events — Random outcomes cannot be influenced by player actions, timing, or external factors.
• Commit-reveal schemes are properly implemented — Two-phase randomness with proper commit periods and reveal validation.

Red Flags

• Single oracle source without backup validation
• Using block.timestamp or blockhash for randomness
• No circuit breakers for abnormal data conditions
• External API dependencies without proper error handling

7. Upgrade & Migration Safety

Why It Matters

Security Checks

Upgrade Authorization & Process

• Upgrade functions require multi-signature approval — Critical contract upgrades need multiple authorized signatures with time delays.
• Player data migration is tested and validated — Upgrade processes preserve all player progress, assets, and economic positions.
• Rollback procedures are documented and tested — Emergency rollback capabilities in case upgrade issues affect player assets.
• Community notification and opt-out periods — Players have advance notice and ability to withdraw assets before major upgrades.

Storage Layout & State Preservation

• Storage collisions are prevented — Upgrades maintain compatible storage layouts to prevent data corruption.
• Player asset integrity is maintained — NFT ownership, token balances, and game progression are preserved through upgrades.
• Game state consistency is validated — All game mechanics function correctly after upgrade with comprehensive testing.

Migration Security

• Phased migration with testing phases — Large migrations happen in stages with testnet validation and limited rollouts.
• Asset lock periods during migration — Player assets are secured during migration processes to prevent loss or duplication.
• Emergency halt mechanisms — Ability to pause migration if issues are discovered mid-process.

Red Flags

• Single address controlling upgrade functions
• No testing procedures for storage layout changes
• Missing rollback capabilities for failed upgrades
• No player notification or withdrawal periods before major changes

8. Gas Optimization & Performance

Why It Matters

Security Checks

Transaction Cost Management

• Batch operations are gas-efficient — Multiple actions can be batched into single transactions to reduce costs.
• Common actions are optimized for gas usage — Frequently used game functions minimize gas consumption through efficient code patterns.
• Gas limit DoS attacks are prevented — Functions cannot be manipulated to consume excessive gas and fail transactions.

Smart Contract Performance

• Loops are bounded and safe — Array iterations and batch operations have maximum limits to prevent gas limit issues.
• Storage optimization is implemented — Game data uses efficient storage patterns to minimize gas costs.
• View function optimization — Read-only game state queries are optimized for fast response times.

Network Compatibility

• Multi-chain deployment considerations — Gas optimization is appropriate for target blockchain networks.
• Layer 2 integration is secure — Proper bridge security and state synchronization for scaling solutions.
• Emergency function gas costs — Critical emergency functions remain callable even during network congestion.

Red Flags

• Unbounded loops in user-callable functions
• No batch operation capabilities for frequent actions
• Excessive storage usage for simple game data
• Emergency functions with prohibitive gas costs

Integration Checklist: Popular GameFi Platforms

Polygon & Gaming Scaling

• Bridge security is audited — Asset transfers between mainnet and scaling solutions are properly secured
• State synchronization is maintained — Game state remains consistent across layer 1 and layer 2
• Withdrawal security is implemented — Player asset withdrawals from scaling solutions are properly validated

NFT Marketplace Integrations

• Approval mechanisms respect game locks — External marketplace approvals check for in-game asset locks
• Royalty enforcement is maintained — Creator royalties cannot be bypassed through external trades
• Price manipulation resistance — External market prices cannot manipulate in-game economies

Conclusion: Build GameFi Protocols That Last

Get in Touch

Additional Resources

• Rekt News - GameFi Exploits — Post-mortems of major GameFi and NFT exploits
• Chainlink VRF Documentation — Official guide for implementing verifiable randomness
• OpenZeppelin Security Patterns — Battle-tested contract patterns for gaming
• Immunefi GameFi Bug Bounties — Active bug bounty programs for gaming protocols
• Zealynx GameFi Security Resources — Extended checklists and audit examples

FAQ: GameFi Security

Glossary