Wanaka Farm, the NFT game in which players tend a farm, grow crops and raise animals, positioned itself as one of the games that generated the most enthusiasm and attention in the Play To Earn community, and it is now on the verge of failure. With more than one hundred thousand people in its official Telegram group and various strategic alliances that made its future projections look solid, there was no doubt that the community expected a lot from its long-term development.

However, the game tokens WANA and WAI have recently only set new historical lows, due to problems with deposits, server errors caused by oversaturation and bugs in the gameplay, but this has not been the most catastrophic event for the NFT game. Thanks to the research carried out by one of Axie Infinity's security auditors, we present the risks that its programmers did not take into account and that meant earnings of more than a million dollars in game tokens for the perpetrators.

The giant with feet of clay

To give the most objective view of the theft of money within the game, it should be noted that the launch of Wanaka Farm was hurt by its unexpected success. According to the developers, the number of users who wanted to participate when access to the ecosystem was first allowed caused server response failures and transactions that were not credited, which led to emergency measures to guarantee funds to those who reported this type of mishap.

The initial estimate expected only 100,000 simultaneous players, and the stress tests were performed on that basis, but the peak of 200,000 people that the game registered meant that, when opening a predetermined plot of land, some players could not even access the property they had acquired. The first hours of operation were complex enough that Amazon Web Services developers had to step in to keep the damage from growing; all these comments can be corroborated through the following link.

Although the developers showed quite a positive attitude, assuring that the situation is within their circle of competence and that they will be able to offer stability to users, the price of the tokens linked to the game has not shown that community users endorse their comments.

At the time this article is written, the prices of WANA and WAI have fallen 63% and 80% respectively from their all-time highs. Although it seems that the worst that could have happened has already happened, the investigation into the theft of funds predicts a much darker future for users.

4-hour chart of the WANA / BUSD pair (PancakeSwap). Source: TradingView.

4-hour chart of the WAI / BUSD pair (PancakeSwap). Source: TradingView.

Investigators pronounce their verdict

To make clear the weight of this accusation, it is necessary to present the actors who took part in identifying it. First, Verichain, a company specialized in blockchain, provides security and auditing services, issuing verifiable certificates for different protocols and covering consensus management, smart contracts and decentralized applications; one of its most prominent clients is Sky Mavis, the company behind the popular game Axie Infinity.

On the other hand, the computer security company Block Security Shield, BShield, provides security protocols that protect its clients' blockchains, guaranteeing that they are private, safe and accessible, and counts among its clients Meta's cryptocurrency Libra, Bitfinex and Coinbase. The joint work of these two titans of the security industry made it possible to identify an unusual usage pattern in wallets belonging to Wanaka Farm where, through small transactions and repetitive movements, it was determined that the total extraction reached one million dollars in game tokens.

On November 18 this year, Wanaka Farm team members informed their Telegram users of the problems they were having due to server traffic, and pointed out that measures would be taken with the developers to assess the damage caused to the infrastructure. They also published a Google Docs document so that those whose deposits or withdrawals were not credited could report how much was involved and how they had performed the phantom operation on their wallets.

This situation aroused the curiosity of the researchers, who identified that on November 11, 1,000 wallets were created and 0.02 BNB was distributed to each of them for transaction costs. In one of the transactions, a movement of 270 WANA was detected in deposit mode from the official game contract. The curious thing about the operation is that, instead of appearing as a deposit, the following six transactions recorded on the blockchain were withdrawals for the same amount. After that, the total amount of 1,350 WANA was concentrated in one of the wallets that were created that day with the money from the accounts involved in the theft.
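The pattern the researchers describe can be screened for in transfer records. The following Python sketch is an added example, not code from the researchers or from Wanaka Farm: it flags wallets that were paid out the same amount they deposited more times than they deposited it, then groups flagged wallets by the address they forward tokens to. The addresses are placeholders and the transfer records are constructed, with amounts chosen to mirror the figures in the article.

```python
from collections import Counter, defaultdict

GAME = "0xGAME"  # placeholder for the game contract address (assumption)

# Constructed transfer records: (sender, recipient, amount in WANA).
TRANSFERS = (
    [("0xA1", GAME, 270)] + [(GAME, "0xA1", 270)] * 6 + [("0xA1", "0xSINK", 1350)]
    + [("0xA2", GAME, 270)] + [(GAME, "0xA2", 270)] * 6 + [("0xA2", "0xSINK", 1350)]
    + [("0xB1", GAME, 500), (GAME, "0xB1", 200)]  # ordinary player
)

def repeated_payouts(transfers, game=GAME):
    """Return {wallet: excess WANA} for wallets that were paid a deposited
    amount more often than they deposited it (heuristic, ignores ordering)."""
    deposits = defaultdict(Counter)  # wallet -> {amount: times deposited}
    payouts = defaultdict(Counter)   # wallet -> {amount: times paid out}
    for sender, recipient, amount in transfers:
        if recipient == game:
            deposits[sender][amount] += 1
        elif sender == game:
            payouts[recipient][amount] += 1
    flagged = {}
    for wallet, paid in payouts.items():
        excess = sum(
            amount * (times - deposits[wallet][amount])
            for amount, times in paid.items()
            if 0 < deposits[wallet][amount] < times
        )
        if excess:
            flagged[wallet] = excess
    return flagged

def sweep_clusters(transfers, flagged, game=GAME):
    """Group flagged wallets by the non-game address they send tokens to;
    a destination shared by several flagged wallets suggests one operator."""
    clusters = defaultdict(set)
    for sender, recipient, _ in transfers:
        if sender in flagged and recipient != game:
            clusters[recipient].add(sender)
    return {dst: sorted(src) for dst, src in clusters.items() if len(src) > 1}

if __name__ == "__main__":
    suspects = repeated_payouts(TRANSFERS)
    print(suspects)
    print(sweep_clusters(TRANSFERS, suspects))
```

Matching on the deposited amount keeps ordinary play-to-earn withdrawals, which normally differ from the deposit, out of the flagged set.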

Based on the conclusions reached, it seems that the API running in the background kept processing withdrawals without waiting for confirmation of the asset balance in the wallet, which means that the person with the initial amount was able to keep emptying the coffers of the game. In view of the situation, the developers chose to turn off the API that generated the error in order to fix the problem; however, the damage to the economy had already been done.
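The control that was missing, according to this conclusion, is a balance check that is tied to the debit itself. The following Python sketch is an added example of that control, not Wanaka Farm's code: the class and method names are hypothetical, the on-chain transfer is replaced by a list, and a deposit only becomes spendable once it is confirmed.

```python
import threading

class WithdrawalLedger:
    """Hypothetical in-game ledger: balance check and debit happen under one lock."""

    def __init__(self):
        self._lock = threading.Lock()
        self._confirmed = {}  # wallet -> spendable in-game balance
        self._pending = {}    # deposit tx id -> (wallet, amount), not spendable yet
        self.payouts = []     # stands in for the queue of on-chain transfers

    def note_deposit(self, tx_id, wallet, amount):
        with self._lock:
            self._pending.setdefault(tx_id, (wallet, amount))

    def confirm_deposit(self, tx_id):
        # Credit a deposit exactly once, and only after it is confirmed.
        with self._lock:
            entry = self._pending.pop(tx_id, None)
            if entry is None:
                return False
            wallet, amount = entry
            self._confirmed[wallet] = self._confirmed.get(wallet, 0) + amount
            return True

    def withdraw(self, wallet, amount):
        # Check and debit atomically, so concurrent requests cannot all
        # pass the check against the same balance.
        with self._lock:
            if amount <= 0 or self._confirmed.get(wallet, 0) < amount:
                return False
            self._confirmed[wallet] -= amount
            self.payouts.append((wallet, amount))
            return True

    def balance(self, wallet):
        with self._lock:
            return self._confirmed.get(wallet, 0)

def burst(ledger, wallet, amount, n):
    """Send n concurrent withdrawal requests; return how many were paid."""
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(ledger.withdraw(wallet, amount)))
        for _ in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With a confirmed balance of 270, `burst(ledger, wallet, 270, 6)` pays exactly one request and rejects the other five.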

The attacker managed to collect all the funds at the following address, at first selling USD 310,000 after having collected the capital, but a pause could then be detected due to the imminent fall in price; it appears that, seeing the speed of the price drop, the attacker decided to wait for liquidity. It should be noted that, by estimate, if this was done from all the wallets that were created that day with the same amounts and possibly belonging to the same person, the damage caused was 1,000 wallets x 1,350 WANA stolen in each one, which is equivalent to about 1 to 2 million WANA stolen and could approach approximately its equivalent in millions of dollars for the operation. You can confirm other wallets of the attacker at the following addresses: one, two, three.

