TLDR
- Developer Kautuk Kundan claims to have hacked Atari’s “on-chain” Asteroids game on Base
- Kundan says he manipulated the game’s leaderboard without playing to prove it’s not truly on-chain
- The game reportedly uses API calls to Web2 servers rather than blockchain transactions
- Kundan argues true on-chain games should be verifiable on the blockchain
- He promotes his own “Proof of Gameplay” system as a solution for blockchain game verification
A developer has revealed vulnerabilities in Atari’s recently launched “on-chain” Asteroids game, raising questions about the true nature of blockchain-based gaming.
Kautuk Kundan, founder and CEO of Stackr Labs, claims to have manipulated the game’s leaderboard without playing a single round, exposing what he sees as flaws in its blockchain implementation.
Atari released the Asteroids game on July 25 in partnership with Base, Coinbase’s Ethereum layer-2 network. The game offered players the chance to compete for prizes, including a $1,000 Atari gift card, by climbing the leaderboard.
Kundan shared his findings on social media on August 6. He explained that he and his team at Stackr Labs were able to sabotage the leaderboard simply by sending API calls to Web2 servers. This method, according to Kundan, proves that the game is not truly “on-chain” as advertised.
We hacked @base and @atari’s arcade and sabotaged the leaderboard without playing a single game –
And this is why people have trust issues with crypto apps 🤷🏻‍♂️
“On-chain” is becoming a throwaway term for a majority of consumer tech. As a community, we should be doing better than… pic.twitter.com/nAiMPi7cSs
— Kautuk ⟠ (@Kautukkundan) August 5, 2024
“The game is not actually on-chain. When the user starts the game nothing happens on-chain, at the end of the game when you get a score, you state that score and you put in an API call,” Kundan stated.
He further noted that while he and his team did not alter any other scores on the leaderboard, the vulnerability they discovered could potentially allow other actors to manipulate their scores and unfairly climb the rankings.
Kundan argues that for a game to be genuinely “on-chain,” it should produce commitments that are verifiable on the blockchain itself.
He used this example to promote a concept called Proof of Gameplay, an Ethereum roll-up system developed by his own company, Stackr.
An on-chain app is not just about minting an NFT and calling it a day, it should actually mean something. At the very least, I should not be able to manipulate the scores just by sending API calls to web2 servers.
Even if the app runs off-chain, it should produce commitments… pic.twitter.com/WUKGBA92mE
— Kautuk ⟠ (@Kautukkundan) August 5, 2024
“Even if the app runs off-chain, it should produce commitments that are on-chain verifiable,” Kundan explained, emphasizing the importance of blockchain verification in crypto applications.
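The gap between a leaderboard that records whatever score the client states and one that checks it before publishing a commitment is shown in the added example below. It is not code from Atari, Base or Stackr, and it does not reproduce Proof of Gameplay. The toy event log, the scoring rules and every function name are assumptions, and the `published` dict stands in for an on-chain commitment store.

```python
import hashlib
import json

POINTS = {"small": 100, "medium": 50, "large": 20}  # hypothetical toy rules, not Atari's

def replay(events):
    """Re-run the recorded game log under the rules and return the score."""
    score, shots = 0, 0
    for ev in events:
        if ev["type"] == "fire":
            shots += 1
        elif ev["type"] == "hit" and shots > 0:  # each hit must spend a shot
            shots -= 1
            score += POINTS[ev["size"]]
        else:
            raise ValueError("impossible or unknown event")
    return score

def commitment(player, events):
    """Hash a canonical encoding of the log; this is the value to publish."""
    blob = json.dumps({"player": player, "events": events},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def submit_trusting(board, player, score):
    """Weak pattern described in the article: the stated score is recorded as-is."""
    board[player] = score

def submit_verified(board, published, player, claimed, events):
    """Accept a score only if replaying the submitted log reproduces it."""
    try:
        actual = replay(events)
    except (KeyError, ValueError):
        return False
    if actual != claimed:
        return False
    board[player] = actual
    published[player] = commitment(player, events)  # stand-in for an on-chain write
    return True

def audit(board, published, player, events):
    """A third party rechecks a leaderboard entry from the public log."""
    return (published.get(player) == commitment(player, events)
            and replay(events) == board.get(player))

# Constructed sample log: two shots, two hits (100 + 20 points).
SAMPLE = [{"type": "fire"}, {"type": "hit", "size": "small"},
          {"type": "fire"}, {"type": "hit", "size": "large"}]
```

Replay shows that the score follows from the log under the rules. It does not show that a human produced the inputs.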
The developer stressed that his actions were not intended as a “negative call-out” but rather an “attempt to improve upon, and find solutions for persistent problems” in crypto applications. He sees this as an opportunity to push for better standards in blockchain gaming and crypto applications in general.
This incident highlights ongoing challenges in the blockchain gaming space, particularly in ensuring true on-chain functionality and maintaining game integrity. As the industry continues to evolve, developers and companies may need to address these issues to build trust and deliver on the promise of blockchain technology in gaming.
Atari and Base have not yet publicly responded to Kundan’s claims. The long-term implications for the Asteroids game and similar blockchain-based projects remain to be seen.