Exploring the Threats and Risks to NFT and Crypto Games
There is nothing more that excites me about the future than the combination of Non Fungible Tokens (NFTs) and Crypto integrated into gaming. However, my experience with programming, Decentralized Finance (DEFI) and gaming has taught me there are some significant threats and risks that make me very nervous around this sector. The following are my thoughts on each of these. Future articles will dive deeper into some of these topics, and also explain potential ways that teams can mitigate them.
Table of Contents
Economic Threats and Risks
Blockchain Threats and Risks
Gameplay related Threats and Risks
Development Threats and Risks
The Threat of Rule Breakers
Economic Threats and Risks
Failed Tokenomics
Getting the tokenomics of a game right is very difficult, and it can be argued that at the time of writing, there are no examples of long term sustainable games within the Web3 space. There are some promising games that make sense theoretically, but they have not launched yet, or have not been out for long enough to confirm they will succeed. There are multiple ways the tokenomics of a game can fail:
Hyperinflation of the tokens or NFTs: This was most famously seen in Axie Infinity, where players earn a token called Smooth Love Potion (SLP), which was then used to breed new Axie NFTs, which in turn allowed players to earn more SLP, and so on. This worked for a period of time, as the number of players increased, but as soon as that slowed and the prices were too high, the economy collapsed due to a parabolic explosion in the supply of SLP and Axies.
Airdropping of too many NFTs, or too much initial supply: This can result in dilution of the ecosystem value, and result in all of the NFTs trending down.
Not rewarding whales: This can actually be an issue, in that someone with 10 NFTs should be rewarded roughly 10x as much as someone with 1 NFT. Without this, there is little incentive to hold more NFTs, and others will try to get around the limit by splitting up the NFTs between wallets, leading to dissatisfaction with those that didn’t.
Not providing enough utility to the NFTs
If the price of the land NFT is too high, it can limit the accessibility of builders to create within the game/world.
Too much in built inflation, either through inflationary staking rewards or founder/investor unlocks.
The Token does not have value: A ‘worthless governance token’ was a meme during the DEFI summer, and unfortunately actually became true in many cases. If a token's only utility is governance, has no revenue share, or is used as the currency to list NFTs, then it is likely not enough for long term value.
Too high financial barrier to entry: Some games may require hundreds of dollars to start, which is far higher than most traditional games at full cost. We saw this with Axie infinity at the top, and now Wolf Game has a similar high starting entry point. This can lead to the game running out of steam with no new players entering the ecosystem.
Speculative Bubbles
Throughout history, humans have been subject to speculative bubbles. This is when the price of an asset rises significantly above its intrinsic value, often rising at an ever increasing rate, before an eventual collapse. A game with sound tokenomics and significant utility for the NFTs could still be subject to speculative bubbles. As the players see the price rising steadily with organic growth of the game, this could lead users to expect higher prices in the future. Predicting this, they front-run the growth and buy more, pushing the price up. As others see the price go up, they decide to buy more, specifically to make money off the assets as an investment, not because they care about the game. The end result is at some point there will be no more buyers at a certain price, and the prices will collapse, leading to potentially significant reputation damage to the game. In addition to this, we already saw games in an unreleased or alpha state with low Daily Active Users (DAU) reaching bubble prices just based on speculation, Play to Earn, and Metaverse hype.
The Metaverse Index, comprised of popular Gaming and Metaverse tokens
Pressure from Holders
The relationship between the players and the developers can play out differently in the Web3 space compared to traditional games. While in Web2, the players are often just focused on fun, balance, and release dates, in Web3 there is the incentive for holders to pressure the team into making decisions to increase the price of the assets. For example, NFT holders may request the team airdrop new NFTs, or even tokens to them. This often can result in short term increases in floor price, however in the end it often will result in the team needing to deliver value to even more assets and tokens, and can have a long term negative effect. Holders may also request the team to launch the game before it is ready, which can result in bugs, a game that is not fun, or issues with the tokenomics.
Pressure from Investors
Investors can also be a source of pressure on the team, which can result in negative consequences in the long run. The most common scenario is that the early investors will get access to a percentage of the in-game token, often after some vesting period. However, some games do not need tokens, and adding one can result in the team making a game that is both not fun and has economic problems. The investors will often instantly dump the tokens as soon as they are released to them, ensuring they make a profit, and the token will often continue to trend towards zero unless there is a true demand for it, which can only come from a fun game and sound tokenomics.
Exploitation of scholars
The term scholar was popularized by Axie Infinity, where holders of the NFTs could loan 3 of their Axie characters to other players (scholars), who would then play for them daily to earn the in-game currency (SLP). There would be a revenue share between the holder/managers and scholars. During the peak, Axie scholars could make over $100 USD per day, which was a huge sum for the players, especially those living in lower cost areas such as the Philippines. For a period of time, the demand for Axies exceeded the supply, resulting in a huge number of scholars desperate to apply.
Unfortunately, with the power dynamic, this resulted in a number of managers attempting to exploit the scholars, either through over-working, or in the worst case there was an example where the Axie Infinity team revealed that some managers were asking scholars for revealing pictures of themselves in exchange for being selected as a scholar. In the Web2 world we also saw similar examples where in World of Warcraft (WOW) there were overcrowded houses of people working long hours to farm the in game currency (gold) and sell on the ‘black market’.
Regulation
There is a lack of clear guidelines on how NFTs and gaming tokens should be treated from a regulatory standpoint. Tokens which can receive earnings from a game, or NFTs which are staked and receive tokens, could be considered securities. Recently the FTX token, FTT, was labeled as a security by the Securities and Exchange Commission, sending a warning message to Web3 gaming companies.
Blockchain Threats and Risks
Loss of assets
One of the main benefits of blockchain is that transactions are not reversible. The downside is that once an asset is lost on the blockchain, there is not much the player or developers can do: each person is responsible for the custody and security of their own assets. In Web2, the transactions could be reversed by the developers, as we have seen before in a large Counter Strike: GO hack, where secondary buyers' transactions were reversed, leaving them out of pocket. There are a significant number of ways players can lose their assets, many specific to Web3. These include:
A player could lose their private keys/seed phrase through misplacing them, incorrect recording/not recording at all, physical damage, physical theft.
A player could have their wallet compromised by a hacker gaining access to the keys, using methods such as: fake websites, fake wallet plugins, pretending to be MetaMask/Ledger support, or the player recording their keys digitally and having their computer/account hacked.
A player can lose access to one or more assets by signing a transaction on a fake website. Other routes include: a legitimate website or open source code being compromised; a scammer setting up a fake OTC trade on a trading website (using fake NFTs, or an NFT disguised as Wrapped ETH); an inside job by a developer; a domain takeover of a legitimate website; being tricked into selling their assets for 0 ETH with a gasless signature; and fake middlemen or impersonators of reputable traders, community moderators and personalities on Twitter and Discord.
A player's computer could be hacked, resulting in them losing all assets, or being tricked into signing bad transactions. There can be malicious code hidden in Word documents/PDFs, or fake game executables. In some cases, even a hardware wallet was not enough, as a spear phishing payload resulted in the CEO of Nexus Mutual being targeted and signing a hardware wallet transaction due to a compromised MetaMask plugin.
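The signing risks in the list above (a listing signed for 0 ETH with a gasless signature, a transaction signed on a fake website) can be screened before the wallet prompt is accepted. The following is an added example, not code from this article or from any wallet: it assumes a Seaport-style order layout, since the article names no marketplace, and all addresses and sample requests are constructed.

```javascript
// Added example, not from the article. Assumption: marketplace orders use a
// Seaport-style layout (offerer, offer[], consideration[]) where itemType
// 0 = native coin, 1 = ERC-20 and 2 or higher = NFT.
const SEL_SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)

// Flags a listing in which the signer gives up NFTs but is paid less than minUnits.
function reviewOrder(msg, signer, minUnits) {
  if (String(msg.offerer).toLowerCase() !== signer) return [];
  const nftsOut = (msg.offer || []).filter((i) => Number(i.itemType) >= 2);
  if (nftsOut.length === 0) return [];
  let paid = 0n;
  for (const c of msg.consideration || []) {
    // Only payment routed back to the signer counts; fees to others do not.
    if (Number(c.itemType) > 1 || String(c.recipient).toLowerCase() !== signer) continue;
    // A declining-price order can settle at the lower of its two amounts.
    const start = BigInt(c.startAmount), end = BigInt(c.endAmount);
    paid += start < end ? start : end;
  }
  if (paid >= minUnits) return [];
  return [`underpriced-listing: ${nftsOut.length} NFT(s) offered, signer receives ${paid} base units`];
}

function reviewRequest(req, signerAddress, minUnits = 1n) {
  const signer = signerAddress.toLowerCase();
  switch (req.method) {
    case "eth_sign":
      return ["blind-signature: eth_sign can cover an opaque hash the wallet cannot decode"];
    case "eth_signTypedData_v4": {
      const raw = req.params[1];
      const typed = typeof raw === "string" ? JSON.parse(raw) : raw;
      if (typed.primaryType !== "OrderComponents") return [];
      return reviewOrder(typed.message, signer, minUnits);
    }
    case "eth_sendTransaction": {
      const tx = req.params[0];
      const data = String(tx.data || "0x").toLowerCase();
      if (data.slice(0, 10) !== SEL_SET_APPROVAL_FOR_ALL || data.length < 138) return [];
      const operator = "0x" + data.slice(34, 74); // low 20 bytes of the first ABI word
      const approved = BigInt("0x" + data.slice(74, 138)) !== 0n;
      if (!approved) return [];
      return [`operator-approval: ${operator} could move every token the signer holds in ${tx.to}`];
    }
    default:
      return [];
  }
}

// Constructed sample requests (addresses are made-up filler bytes).
const SIGNER = "0x" + "a1".repeat(20);
const OTHER = "0x" + "b2".repeat(20);
const NFT = "0x" + "c3".repeat(20);
const nftItem = { itemType: 2, token: NFT, identifierOrCriteria: "7", startAmount: "1", endAmount: "1" };
const pay = (recipient, amount) => ({
  itemType: 0, token: "0x" + "00".repeat(20), identifierOrCriteria: "0",
  startAmount: amount, endAmount: amount, recipient,
});
const listing = (consideration) => ({
  method: "eth_signTypedData_v4",
  params: [SIGNER, JSON.stringify({
    primaryType: "OrderComponents",
    message: { offerer: SIGNER, offer: [nftItem], consideration },
  })],
});
const zeroPriceListing = listing([pay(OTHER, "1")]);               // all payment goes elsewhere
const fairListing = listing([pay(SIGNER, "1000000000000000000")]); // 1 ETH to the signer
const approvalTx = {
  method: "eth_sendTransaction",
  params: [{ to: NFT, data: SEL_SET_APPROVAL_FOR_ALL + OTHER.slice(2).padStart(64, "0") + "1".padStart(64, "0") }],
};

for (const r of [zeroPriceListing, fairListing, approvalTx]) console.log(reviewRequest(r, SIGNER));
```

The payout sum mixes native and ERC-20 base units, which is adequate for catching a zero payout; enforcing a real price floor needs per-token handling.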
Exploits of smart contracts
Smart contracts are code stored on the blockchain, and are utilized for Decentralized Finance, NFTs, and also Gaming. The security of a smart contract can be roughly estimated as the total value of the assets that smart contract secures, multiplied by the time it has secured those assets. This is of course not a precise equation. Some of the most secure DEFI protocols are Compound and AAVE, both of which have secured billions of dollars of assets for multiple years. However, we have seen a significant number of hacks over the last few years, and large sums of assets have been stolen. We are at a point where new DEFI protocols should be assumed exploitable. Web3 gaming will also rely on smart contracts for its NFTs, tokens, staking and some game mechanics. This is all code, any of which could be exploited.
The Illuvium staking contract already was exploited, resulting in some issues, but luckily it was able to be resolved due to the game not being released. In the future, we could see an infinite mint of tokens, destruction or duplication of assets, hacking of scores, etc. While 3rd party audits do offer a level of comfort, they are unfortunately not enough, as many contracts that had audits were still later exploited.
Exploits of Bridges
Bridges are utilized to transport crypto from one blockchain to another. Because gaming often requires many actions on the blockchain, it is common for games to be built on cheaper blockchains or Layer 2 solutions, and therefore players often need to bridge funds first. Centralized Bridges have funds on each side, and depositing on one side will result in a credit on the other side of the bridge, after a short delay. These types of bridges are less secure, as they rely on a centralized party managing funds on each end. Decentralized bridges use smart contracts to lock and credit funds, and usually have a far larger delay in withdrawals, although they are more transparent in their security.
Unfortunately, bridges have been exploited and drained many times over the last few years, and are thought to be one of the weak points in crypto. Vitalik Buterin, the founder of Ethereum, even believes that they will not be part of the long run future of crypto due to their security limitations.
Examples of significant Bridge hacks:
Fragile Blockchains
When gaming assets are stored on a blockchain, the game will be counting on the blockchain being available 24/7, and having low fees. The blockchain Trilemma states there is always a conflict between the 3 factors: Decentralization, scalability, security. The problem arises in that games need cheap transactions (scalability), which unfortunately means there may need to be some compromises on the Decentralization or security side. We have seen instances of the Solana blockchain going down for significant periods of time over the last year, which is a big problem for gaming. In addition, the low cost of transactions can lead to the network sometimes being spammed and becoming unusable, as we have seen on Polygon Network, when ‘The Sunflower Game’ had a large number of bots. In contrast, the Ethereum main-net is very secure and decentralized, but it is not fast or cheap enough for most on-chain games.
Gameplay related Threats and Risks
Power Creep
Power creep refers to the process by which new content or adjustments in a game make older content or options obsolete. This can occur naturally as a game is updated and older content is reworked to keep up with newer additions. However, power creep can also be intentionally created by developers to make paid, newly released content more powerful than older options, in an effort to entice players to purchase in order to stay competitive.
In games like Hearthstone (a card game), power creep may manifest as the introduction of new cards with higher health than existing cards. In games with large rosters of characters, like League of Legends (a Multiplayer Online Battle Arena), power creep can be a particular challenge for developers to manage. The newer characters will often have more advanced and powerful mechanics, to entice players to purchase them. To mitigate the effects of power creep, developers may need to continually balance and rework older characters in order to keep the game as balanced as possible.
Pay to Win
Pay to win games are where the player is able to purchase in-game items, characters, and consumables which allow them to gain an advantage over other players. While pay to win games are often free to play, this is the opposite of games where the revenue of the game is earnt through purchasing of cosmetics only, which give no gameplay advantage within the game, for example, LOL, Fortnite or CSGO. The issue with pay to win games is that it prioritizes player spending over player skill, which can lead to dissatisfaction in the player base, and difficulty to gain new players. Examples of pay to win:
Access to stronger characters.
Purchase of stronger weapons/armor.
Speed up of building in mobile games, allowing faster progress.
One time use power ups that give stat boosts.
Paid access to areas which provide stronger loot.
With the addition of tokens and NFTs, it is expected that some games will have similar problems with pay to win, especially if there is a secondary market for these items, where more wealthy players can pay their way to the top. A small percentage of players, known as "whales," make up a significant portion of the revenue for free-to-play mobile games. These players tend to spend a considerable amount on in-game micro-transactions and other forms of content, despite comprising a relatively small part of the overall player base.
Games that are not fun
The play to earn model, in which developers prioritize the economic model of a game over aspects that make it enjoyable to play, has been a subject of criticism in the gaming industry. This model can lead to a less enjoyable experience for players, as the efforts required to unlock NFTs in the game may be unnecessarily arduous and take away from the fun of earning those NFTs. The pursuit of financial gain from a game can also detract from the enjoyment that players derive from the actual game-play, regardless of how immersive it may be. In some cases, this can result in dissatisfaction among players if they feel that the game has become more of a chore than an enjoyable activity. It is also notoriously difficult to make a fun game in the first place, something traditional game developers have struggled with for decades.
Development Threats and Risks
Failed Time Estimates
A common question that players/holders will ask is ‘Wen launch?’, and a common reply by the team is “Soon™”. Soon™ is an old phrase first said by the World of Warcraft (a popular MMORPG game) developers, in reference to when the new updates will be out. This has become commonplace in gaming and DEFI, due to the difficulty of actually estimating when a complex deliverable will be complete. Often teams will put up a roadmap on their website or whitepapers, with what Month/Quarter of which year, or even dates that they will deliver certain features. However, time estimation of complex development work is one of the most difficult activities to complete in advance, so much so that there is a great book which calls Estimates ‘The dark art’. There are already examples within the Web2 and Web3 space where teams' initial deadlines have been significantly missed:
It should be noted that the above table is not here to shame the above projects, but to show how easy it is to underestimate complex tasks, and that even skilled and dedicated developers can still fall short of their initial estimates.
Burnout
The game industry is a demanding and stressful place to work. Game developers often put in long hours, including weekends and holidays, in order to meet tight deadlines and produce high-quality products. They may also feel pressure to make games that are financially successful, which can add to their stress. Pressure from investors and holders will also make them work harder, in an attempt to launch faster. In addition, they often have their own holdings through NFTs or tokens, which means they are incentivized to make the game a success by the time their tokens unlock. Kain Warwick of Illuvium has said all 3 of the founding brothers have been hospitalized during the development of the game, suggesting the long hours working contributed to it.
Low incentive for developers to deliver
Investors may be prone to FOMO (fear of missing out) in the volatile NFT market, particularly during presales. This can occur even before the development team has released a product. In these cases, the project is essentially selling an idea or vision to investors, often raising large sums of money through initial token minting. However, if the primary goal of the project is to generate profit rather than to build and improve the product, the team may lose motivation and potentially abandon the project after pocketing the presale funding. This increases the risk of "rug pulling," where the project is suddenly discontinued or fails to meet its deliverables. There can be a ‘Slow Rug’ also, where the team delivers the bare minimum to meet their promises, without regard for quality or timeframes, but just to tick a box, and often spending only a fraction of the raised money on the project. In the Web2 world, we see a similar scenario, where developers raise money through crowdfunding websites like Kickstarter, and these projects are often low quality, late, or never delivered at all.
Failed Games
It is the unfortunate reality that the majority of games do not meet their financial goals. The game industry is very competitive, with a large number of games on offer for gamers to choose to spend their time on. For games where there is an upfront payment, as long as there are enough sales in the initial sale of the game, it does not matter so much if the game dies out afterwards. However, for multiplayer games that depend on a large number of active players, the game losing popularity can lead to the devaluation of the in-game items/currencies. While there are a number of games that have been popular for 10-20+ years, the majority of similar games only have a lifespan of a few years, or less. The games that have been able to maintain popularity have done so using the following methods:
An easy to start, hard to master Player vs Player (PvP) game loop that can be repeated, much like a sport (eSports), examples are Counter Strike, League of Legends, Fortnite, Dota2, and Starcraft.
Ability for users to generate new content for infinite replay-ability, as seen in Minecraft and Roblox.
Games with regular updates and grinding, resulting in players spending a large amount of time to reach content which can result in difficult end game PvP or Player vs Environment (PvE), for example in World of Warcraft or Runescape.
The issue in Web3 is that many games sell tokens and NFTs up front, and even if they don’t, it is expected that players could sink significant financial resources into the games. Unfortunately, as seen in the Web2 space, the majority of games trying to replicate the successful examples above fail, and therefore it is expected that most Web3 games will not last more than a few years, if that, and therefore players' investments will be lost.
The Threat of Rule Breakers
Bots
Bots in gaming refers to the usage of automated means to play the game, in an attempt to gather more resources and progress faster than other players. Botters will use programs that have been built to play the game without user input, and are often applied to more simple tasks, such as gathering of resources. The bots can also be scaled in a way that an individual person could be running a large number of bots in parallel, gathering huge amounts in a short period of time. This can have significant consequences for the economy, leading to downward pressure on prices, and in the worst case a total collapse of the economy. The use of bots by a small number of individuals or groups can lead to frustration among manual players who feel that their efforts are being devalued by decreased prices and a sense of unfairness. This can occur when bots are used to manipulate prices or game systems in a way that undermines the integrity of the game, and diminishes the value of manual players' contributions. Some developers will sell access to their bot programs, while others will sell the harvested resources on 3rd party markets to convert to fiat currency. We have seen this in Web2 games such as World of Warcraft and Runescape, and also Web3 games:
Axie Infinity
Aavegotchi
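The bot behaviour described above (automated gathering, scaled across many accounts run by one person) leaves two signals a game server can check. The following is an added example, not code from this article or from any of the games named: the log fields, thresholds and sample data are all constructed assumptions, and the check is a heuristic for triage rather than proof of botting.

```javascript
// Added example, not from the article: heuristic triage of a resource-gathering log.
// The event fields (account, t in ms, payout) and all thresholds are assumptions.
function gapVariation(times) {
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean; // coefficient of variation of the gaps
}

function triageBots(events, { maxCv = 0.05, minActions = 20, minFarm = 3 } = {}) {
  const accounts = new Map();
  for (const e of events) {
    if (!accounts.has(e.account)) accounts.set(e.account, { times: [], payout: e.payout });
    accounts.get(e.account).times.push(e.t);
  }
  // Step 1: accounts whose actions are spaced too evenly for manual play.
  const regular = [];
  const byPayout = new Map();
  for (const [account, rec] of accounts) {
    if (rec.times.length < minActions) continue;
    rec.times.sort((a, b) => a - b);
    if (!(gapVariation(rec.times) <= maxCv)) continue; // also skips NaN
    regular.push(account);
    if (!byPayout.has(rec.payout)) byPayout.set(rec.payout, []);
    byPayout.get(rec.payout).push(account);
  }
  // Step 2: evenly spaced accounts that cash out to one address suggest a single operator.
  const farms = [...byPayout]
    .filter(([, list]) => list.length >= minFarm)
    .map(([payout, list]) => ({ payout, accounts: list }));
  return { regular, farms };
}

// Constructed sample log: four scripted accounts acting every ~5 s with small
// jitter and one shared payout, plus one manual player with irregular gaps.
function buildSampleLog() {
  const events = [];
  for (let b = 0; b < 4; b++) {
    for (let i = 0; i < 30; i++) {
      events.push({ account: `bot-${b}`, t: b * 250 + i * 5000 + ((i * 37) % 100), payout: "payout-farm" });
    }
  }
  let t = 0;
  for (let i = 1; i <= 30; i++) {
    t += 2000 + ((i * i * 731) % 9000);
    events.push({ account: "human-1", t, payout: "payout-human" });
  }
  return events;
}

console.log(JSON.stringify(triageBots(buildSampleLog()), null, 2));
```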
Bugs
Bugs in the code of a Web3 game can have unintended consequences for players and the game's economy. Examples of bugs in Web3 games that could cause significant harm:
Infinite gold/resource generation.
Duplication of items, as seen in Team Fortress 2, and Runescape.
Ability to skip areas/progress faster than others.
Ability to win a PvP or PvE encounter where there are resources/Items/NFTs on the line.
It's worth noting that these types of bugs are often found in the game code rather than the smart contract code, making them more difficult to analyze and audit. This is because game code is prone to frequent changes and may not always be visible to players.
Cheaters
Cheating has been a problem in traditional online games, and will continue to be an issue in newer blockchain-based games, particularly when NFTs and tokens with real economic value are involved. Players who prioritize winning above fair play may be more motivated to cheat in order to earn rewards. Some common examples of cheating methods include:
Scripting: This is where the cheater uses a program to automatically perform micro actions, for example sidestepping an incoming attack.
Aimbot: In games where aim is relevant, such as first person shooters, hacks can be used to automatically aim for the cheater, often performing inhuman reflexes and tracking.
Wall hacks: In 3D games where there are walls, wall hacks provide the cheater with the ability to see enemies through the walls, allowing them to both anticipate movement, and in some cases shoot enemies through the wall if the game allows it.
Information Hacks: In some games such as League of Legends, information about the enemy may be unknown to the player, such as does the enemy have their ultimate ability ready for use. Hacks can allow a cheater to expose that information, which gains them an advantage for decision making.
Speed hacks: Speed hacks allow the cheater to move around faster than other players, which results in them being able to reach areas faster, or dodge attacks.
Match Fixing: Players of similar skills can attempt to get into the same games and lose on purpose so their friend (or paid client) can win, also called win trading.
Boosting: A highly skilled player is (often) paid by a lower skilled player to either play on their account, or will play in their team using a lower ranked account (a smurf account).
Conclusion
Despite a bright future for games that integrate NFTs and crypto, there are many threats and risks they must face on their path to success. These threats and risks fall under the categories of Economic, Blockchain, Development, Gameplay, and Rule breakers. I kindly request that you forward this article to your favorite Web3 gaming team, and ask them how they will mitigate the points above. Future articles will discuss these risks and threats in more detail, and how teams can mitigate them, so please subscribe!
Please also follow me at: https://twitter.com/ABBBBBB_NFT