Vulnerabilities in smart-contract-based Gacha-style random draws is a growing concern as D2E games grow in popularity


‘Gacha’ is derived from the Japanese word ‘がちゃ’, describing the sound of metals hitting against each other, like the sound you hear from toy vending machines. Similar to loot boxes, gacha games induce players to spend in-game currencies to receive a randomly generated in-game item.

Given the random draw aspects of the game, this style is becoming popular in the GameFi segment of the DeFi ecosystem. As hacks remain a major concern in this ecosystem, our team at Sooho.io have been looking into the security of such games, in partnership with our clients.

In this article, we’re going to talk about the potential weaknesses that lie within the probability-based random draw functionality of these games when applied in a Web3 play-to-earn (P2E) setting. These vulnerabilities are inherent in all gacha-style NFT games that use a smart contract for the random draw process. As this approach is becoming more prevalent for the minting of NFTs in P2E games, we want to explain how these vulnerabilities can be avoided.

Different popular utility models

Let’s take a look at the three utility models in these games that allow users to make a profit.

First, there’s P2E like in Axie Infinity. This game uses the method of purchasing three Axie characters and obtaining a smooth love potion (SLP). Each player can earn through gameplay by selling characters and items according to the market price within the P2E economy, or through a breeding method, which involves obtaining better skill cards through mating characters and selling them at a higher price.

Second, there’s a move-to-earn (M2E) model in which digital sneakers, such as those used in STEPN, are purchased as grade-specific NFTs. Then the energy accumulated every day results in mined GST tokens, as calculated by the distance traveled through exercise. Like Axie, STEPN has the function of minting new shoes through crosslinking with the mined GST.

For the third example, and the method we are discussing today, is the NFT minting method based on probability-based random draws, or draw-to-earn (D2E). Generally speaking, this random draw model is a good approach for P2E. Each player can generate revenue by drawing cards via attempts at a random NFT draw, to acquire both good skill cards and rare cards. However, certain vulnerabilities may arise in using this random draw function when smart contracts are the basis for the draw.

Flaws in draw-to-earn design

In a smart contract execution environment, since the execution value is basically verified by all network participants as part of a decentralized network, this means the mechanics are exposed to everyone, and the value of the draw is therefore accessible via calculation. As such, all the supposedly random outcomes are actually computable.

Like anything else, NFT-based systems require proper implementation by the developer to be effective against compromise. Managing a database should firstly guarantee protection from intruders and secondly consider potential redundant copies of the data contained within it somewhere. If a public database were to be compromised, the loss of data stored could mean to a gamer a loss of assets purchased using in-game currency or real-life money. And without transaction data accessible on the user-end, these potential vulnerabilities are sure to have a compounding negative effect on the user’s sense of ownership over their own minted NFTs.

While NFTs are relatively secure, it’s no secret that hackers are constantly looking for new ways to steal something physical or digital. The rapid growth of money tokens, as something already in-game and in motion, has opened a unique revenue stream for hackers.

The element of surprise in the minting process has become very desirable for a lot of NFT projects, so in keeping the ‘luck of the draw’ it’s important that users aren’t able to determine anything about their NFT ahead of time.

We are also seeing increasingly creative and varied minting strategies in which the raffle draw approach is used. For example, The Project URS raffle draw method allots shares to buyers based on their subscription size. If the subscription exceeds the total number of shares available, then the shares would be allotted using a random draw.

Thus, in a typical software execution environment, the random number draw will require an alternative generation model, by generating random outcomes from unpredictable input values. Examples of such random input values could take the form of the user’s mouse movement or CPU temperature at the exact time of the draw. Alternatively, the system could take random values from a centralized environment that exists outside of the smart contract.

Sooho.io’s suggestions

Increasingly adopted in the NFT sphere, developers can revert to smart contracts behind the system currently in play, using it as a basis for fixes to vulnerabilities. Where information isn’t always transparent, Sooho.io’s automatic smart auditing tools can increase confidence for businesses and in-game NFT holders.

To ensure fair and fun gameplay, P2E (play-to-earn), M2E (move-to-earn), and D2E (draw-to-earn) projects all need to provide customers with a stable execution environment. They can achieve this with the support of service architecture consulting from a professional security audit company, or by using authenticated functions such as Chainlink VRF.


As a security researcher of DeFi infrastructure service provider Sooho.io, Jasper Lee conducts security audits of various DeFi and NFT services such as KLEVA and Klaycity.

Headquartered in South Korea, the company aims to become the SWIFT for Web3.0 and connect the Korean DeFi ecosystem with the rest of the world. The company specializes in developing DeFi products and smart contract auditing, offering one-stop customizable solutions to financial institutions.

TechNode Global INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.

Now on its third year, the ORIGIN Innovation Awards draws inspiration from the United Nations Sustainable Development Goals (SDGs) and seeks to recognize and celebrate exemplary entrepreneurs, businesses, investors, and innovation ecosystem drivers that embody the spirit of outstanding innovation and are actively promulgating sustainability in their business practices.

A deep dive into the DeFi Space with Sooho.io’s Jisu Park [Q&A]