Building a secure NFT gaming experience. A Herdsman’s diary

  • Wool pouch: An ERC20-emitting ERC721 token. Users can claim unlocked WOOL from pouches and trade the pouch NFTs on the secondary market.
  • Distribution / risky game: Sheep holders can choose between claiming a WOOL pouch containing a set amount of WOOL and fighting wolves for a larger WOOL payout.

Cheating randomness

Users can revert unwanted outcomes

Random numbers can leak in advance


Pseudo-randomness isn’t random

Wolf Game implementation

RiskyGame ChainLink VRF code. initateRiskGame() sets optInEnabled to false, preventing users from taking further actions until the random value arrives.
Chainlink VRF request & receive data cycle. The random number is received via callback after a 10 blocks.

On the safety of WOOL pouches

Wool pouches emit precious ERC20 tokens linearly over a predefined timespan.
Basic front-running protection: Transfers will revert if WOOL was claimed in the same block.

Integer magic

Pouch storage layout in WoolPouch.sol
function function1() external view returns (uint256) {uint8 x = 128;uint256 y = x * 2;}function function2() external view returns (uint256) {uint8 x = 128;uint256 y = x * 100000;
When in doubt, always cast to uint256.
uint128 unstaked_earnings = (MIGRATION_TIMESTAMP - BARN_PAUSE_TIMESTAMP) / 1 days * 10000 ether;
(((MIGRATION_TIMESTAMP - BARN_PAUSE_TIMESTAMP) / 86400) * 10000) * 1e18)
uint128 unstaked_earnings = (MIGRATION_TIMESTAMP - BARN_PAUSE_TIMESTAMP) * 10000 ether / 1 days;

Final smart contracts and bug bounty

Further reading




Hackers (1994) fan • Aspiring composer • Angel Investor • Art Collector • P(G(F)) = ∀y q(y, G(F))

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Santa’s Devs

The best Hardware Wallets in 2022

Ransomware: A Life-Altering Threat

Security Audit for ReserveLending+ (Update)

Securing Personal Data via Tokenization


Password unprotected — 4 ways to supercharge your security

{UPDATE} Puzzles Vehicles for Kids and Toddlers. Premium Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bernhard Mueller

Bernhard Mueller

Hackers (1994) fan • Aspiring composer • Angel Investor • Art Collector • P(G(F)) = ∀y q(y, G(F))

More from Medium

Proof of Stake with Solidity Support

Creating an NFT whitelist using Merkle Tree Proofs

ERC721Psi: A truly scalable NFT implementation for low-gas on-chain applications and randomized…

Due to the Avalanche effect of the keccak256 hash function, each token has a completely different seed.

On-chain NFTs, at what cost?