💻Security

Arcade guarantees that scores are secure to ensure honest rewarding of players

The Arcade protocol employs several methods to make sure that legitimate scores are generated by legitimate games and are not susceptible to various attacks, so you can rest assured that malicious players cannot ruin the atmosphere of competition in the community.

Games will always cost $COIN to play, which raises the barrier to entry for malicious entities.

Here is a list of our current methods:

  • All API requests require an API key and an API secret

    • This ensures that only the web app itself can communicate with the database where we store game metadata.

  • Only https://arcade.money is allowed to make API requests to the web server.

    • This is an extra layer of security to ensure that API requests are made by the protocol and not a third party.

  • Database credentials are stored off the client

    • Only the web server knows how to connect to the database, so the only way to store information in the database from outside this environment is via an API request.

  • Game data is verified against an Ethereum transaction

    • To start a game you must sign a transaction with your wallet. Once a game is completed, the game data is sent to the backend where the transaction is verified properly.

    • Duplicate transaction hashes are rejected, preventing a pay-once, play-many attack.

  • Game data validation & sanitisation

    • All game data that could be manipulated on the client passes through a series of checks to ensure that no injection attacks can take place.

  • Scores are generated by the web app using a secret key, and are then verified on the server before they're stored in the database

    • This ensures that any data sent to the web server can't be tampered with.

  • Games are simulated on the web server to check that impossible scores aren't generated

    • For example, if the server sees a submitted game that lasted 1 second but got a score of 10,000,000, we can determine without a doubt that it is an invalid game and reject it.

    • We can verify the duration of a game using the time between the moment the game transaction is confirmed on the blockchain and the moment the API request is made when the game finishes.
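The following added example (not Arcade's own code) chains the validation, signature, duplicate-transaction and duration checks from the list above into one server-side decision. HMAC-SHA256 as the keyed scheme, the field names `tx_hash`, `score` and `tag`, and the points-per-second ceiling are assumptions; the page does not specify them.

```python
import hashlib
import hmac

# Assumptions for this example (none of these values come from the page).
DEMO_SECRET = b"constructed-demo-key"   # constructed; a real key lives in server config
MAX_POINTS_PER_SECOND = 500             # hypothetical ceiling for a legitimate game
HEX = set("0123456789abcdef")

class SubmissionValidator:
    def __init__(self, secret, max_rate=MAX_POINTS_PER_SECOND):
        self._secret = secret
        self._max_rate = max_rate
        self._seen_tx = set()  # stands in for a unique index on tx_hash in the database

    def sign(self, tx_hash, score):
        # Bind the score to the paying transaction so a tag cannot be reused for another game.
        msg = f"{tx_hash.lower()}|{score}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def validate(self, sub, tx_confirmed_at, received_at):
        """Return (accepted, reason). Timestamps are Unix seconds; tx_confirmed_at is
        assumed to come from the backend's own lookup of the transaction."""
        tx_hash, score, tag = sub.get("tx_hash"), sub.get("score"), sub.get("tag")
        # 1. Validation: strict types and formats before anything else touches the data.
        if not (isinstance(tx_hash, str) and len(tx_hash) == 66
                and tx_hash[:2] == "0x" and set(tx_hash[2:].lower()) <= HEX):
            return False, "malformed tx hash"
        if type(score) is not int or score < 0:
            return False, "malformed score"
        if not (isinstance(tag, str) and len(tag) == 64 and set(tag) <= HEX):
            return False, "malformed tag"
        tx_hash = tx_hash.lower()
        # 2. Integrity: constant-time comparison of the keyed tag.
        if not hmac.compare_digest(tag.encode(), self.sign(tx_hash, score).encode()):
            return False, "bad signature"
        # 3. Replay: one transaction pays for exactly one game.
        if tx_hash in self._seen_tx:
            return False, "duplicate transaction"
        # 4. Plausibility: the score must be reachable in the time since confirmation.
        elapsed = received_at - tx_confirmed_at
        if elapsed <= 0 or score > elapsed * self._max_rate:
            return False, "implausible score"
        self._seen_tx.add(tx_hash)
        return True, "accepted"

if __name__ == "__main__":
    v = SubmissionValidator(DEMO_SECRET)
    tx = "0x" + "ab" * 32  # constructed transaction hash
    # The page's example: a 1-second game claiming 10,000,000 points is rejected.
    print(v.validate({"tx_hash": tx, "score": 10_000_000, "tag": v.sign(tx, 10_000_000)}, 1000, 1001))
```

A valid tag only shows that the submitter holds the key, so the replay and plausibility checks still run on every authenticated submission.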

For added security, we have also implemented rate limiting and HTTPS redirects to prevent DDoS attacks and man-in-the-middle attacks.
