ClearHat
Feb 8 · 43 tweets · 7 min read
It appears that #DookeyDash was widely botted and unfortunately @BoredApeYC/@yugalabs is to blame. (1/43)
I was tasked with investigating behind the scenes after numerous videos of gameplay were being posted that showed them hitting all the obstacles with absolute precision and predictability. (2/43)
Our team soon discovered that it was possible to plug in a "course seed" and generate the exact architecture/map of the course, down to the very last obstacle, at the start of every game, and that doing so is 100% undetectable.
Here is a thread on how it was done. 🧵 (3/43)
Let me first say that I highly respect @BoredApeYC/@yugalabs and what they have done for NFTs. The fact that they continue to deliver is outstanding. Crypto/NFT gaming is the future and being at the forefront is admirable. (4/43)
However, when stakes are high, you have to be extremely calculated with your releases. (5/43)
With that said, let's start with how it was accomplished.

When you initiate a game, the server provides you with a unique "course seed" hash for that session.
That seed is then used locally as a variable by the JavaScript file that maps out the course. (6/43)
When you play the game, your mouse movements and clicks are all logged and packaged into "input data" that is submitted to the server for validation upon collision (death). (7/43)
Server validation is accomplished by matching the input data with the course seed, and making sure that all mouse movements and clicks were valid for that appropriate map. (8/43)
For example, it is making sure that you didn't go "out of bounds," or that you didn't travel "through" any static obstacles, or that you didn't teleport around or exceed the allowed movement rate. (9/43)
If you fail validation, you receive the "You thought you could scam us" message. This is also why, if you lagged in the game at any point, you were susceptible to a false positive (a legitimate run rejected as cheating). (10/43)
With the course seed being the key to mapping out the entire course, all you had to do was open the 530-99dd62c1818e8d74.js file, find the appropriate functions, and plug it in. (11/43)
With the "createChunk" function, you can call unlimited chunk creations and map out the course as far as you want. (12/43)
Here's the thing: this is all done locally on your device. You play the game and generate the data on your device, and then submit the input data to the server for validation as explained above. That is why it is 100% undetectable. There is no server hacking involved. (13/43)
It is all there already for you to reverse engineer. 💻(14/43)
Of course, once you are able to map out the course, that is where botting comes into play. (15/43)
You know every single obstacle that is going to come at you, therefore you put together either a rule based bot to react to all those objects, or perhaps a "best path" algorithm that gets you past those objects, while collecting fragments efficiently. (16/43)
The botting portion is actually trivial, and again, undetectable, as it is equivalent to an "AI" using mouse movements and mouse clicks (which will be validated successfully by the server upon course completion). (17/43)
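To make tweets 6 to 17 concrete, here is an added toy model in JavaScript. It is my own illustration, not ClearHat's bot and not the game's real code: the names rngFor, createChunk (borrowed from the thread's function name, but my own body), planBestPath, reactivePath and validateRun are assumptions, the real seed is a server-issued hash string rather than an integer, and the real generator is unknown. What it shows is the structural problem: the same deterministic generator runs on both sides, so a client holding the seed can build the whole course up front, plan a "best path" over it, and still pass a replay validator that only checks the physical rules.

```javascript
// Added illustration, not ClearHat's bot or the game's real code. Names below
// (rngFor, createChunk, planBestPath, validateRun) are assumptions for the demo;
// the real seed is a server-issued hash string and the real generator is unknown.
const LANES = 3;        // assumption: a three-lane course
const CHUNK_LEN = 8;    // assumption: rows per chunk
const SEED = 0xc0ffee;  // constructed sample seed

// Tiny deterministic PRNG (xorshift32): same (seed, chunk index) -> same numbers.
function rngFor(seed, index) {
  let x = ((seed ^ Math.imul(index + 1, 0x9e3779b1)) >>> 0) || 1;
  return () => { x ^= x << 13; x >>>= 0; x ^= x >>> 17; x ^= x << 5; x >>>= 0; return x / 4294967296; };
}

// Client-side chunk generator: chunk i depends only on (seed, i), so a client
// holding the seed can build chunk 500 before it has played chunk 1. Each row
// blocks one lane and may place a fragment in another lane.
function createChunk(seed, index) {
  const rng = rngFor(seed, index);
  return Array.from({ length: CHUNK_LEN }, () => {
    const blockedLane = Math.floor(rng() * LANES);
    const fragmentLane = rng() < 0.5 ? (blockedLane + 1 + Math.floor(rng() * (LANES - 1))) % LANES : -1;
    return { blockedLane, fragmentLane };
  });
}
const courseRows = (seed, nChunks) => Array.from({ length: nChunks }, (_, i) => createChunk(seed, i)).flat();

// Movement rule the validator enforces: at most one lane change per row.
const neighbours = (lane) => [lane - 1, lane, lane + 1].filter((l) => l >= 0 && l < LANES);

// Bot with full foreknowledge: dynamic programming over the whole known course
// picks the lane sequence that collects the most fragments while obeying the
// same movement rule a human is held to (the "best path" algorithm in the thread).
function planBestPath(rows, startLane = 1) {
  const n = rows.length;
  const best = Array.from({ length: n + 1 }, () => new Array(LANES).fill(0));
  const next = Array.from({ length: n }, () => new Array(LANES).fill(-1));
  for (let i = n - 1; i >= 0; i--) {
    for (let l = 0; l < LANES; l++) {
      if (rows[i].blockedLane === l) { best[i][l] = -Infinity; continue; }
      let bestNext = i + 1 < n ? -Infinity : 0;
      if (i + 1 < n) {
        for (const nl of neighbours(l)) {
          if (best[i + 1][nl] > bestNext) { bestNext = best[i + 1][nl]; next[i][l] = nl; }
        }
      }
      best[i][l] = (rows[i].fragmentLane === l ? 1 : 0) + bestNext;
    }
  }
  let lane = -1, top = -Infinity;
  for (const nl of neighbours(startLane)) if (best[0][nl] > top) { top = best[0][nl]; lane = nl; }
  const path = [];
  for (let i = 0; i < n; i++) { path.push(lane); lane = next[i][lane]; }
  return path;
}

// Reactive player: sees only the current row, dodges it, grabs a fragment if adjacent.
function reactivePath(rows, startLane = 1) {
  let prev = startLane;
  return rows.map((row) => {
    const options = neighbours(prev).filter((l) => l !== row.blockedLane);
    prev = options.includes(row.fragmentLane) ? row.fragmentLane : options.includes(prev) ? prev : options[0];
    return prev;
  });
}

// Server-side replay validation as the thread describes it: rebuild the course
// from the seed and check only the physical rules (bounds, movement rate,
// obstacles). It cannot tell whether the player knew what was coming.
function validateRun(seed, nChunks, path, startLane = 1) {
  const rows = courseRows(seed, nChunks);
  if (path.length !== rows.length) return { ok: false, reason: 'wrong run length' };
  let prev = startLane, score = 0;
  for (let i = 0; i < rows.length; i++) {
    const l = path[i];
    if (l < 0 || l >= LANES) return { ok: false, reason: `row ${i}: out of bounds` };
    if (Math.abs(l - prev) > 1) return { ok: false, reason: `row ${i}: exceeded movement rate` };
    if (l === rows[i].blockedLane) return { ok: false, reason: `row ${i}: through obstacle` };
    if (l === rows[i].fragmentLane) score++;
    prev = l;
  }
  return { ok: true, score };
}

// Compare a foreknowledge bot, a reactive player and a tampered (teleporting) run.
function demo(seed = SEED, nChunks = 20) {
  const rows = courseRows(seed, nChunks);   // built locally, exactly as the server will rebuild it
  const botPath = planBestPath(rows);
  const tampered = botPath.slice();
  tampered[5] = tampered[4] + 2;            // jumps two lanes or leaves the course: the only thing replay catches
  const result = {
    bot: validateRun(seed, nChunks, botPath),
    reactive: validateRun(seed, nChunks, reactivePath(rows)),
    tampered: validateRun(seed, nChunks, tampered),
  };
  console.log(result);
  return result;
}
demo();
```

Run it under Node: the bot's run and the reactive run both come back `ok: true`, the bot never scores lower than the reactive player, and only the run that physically cheats is rejected. That is exactly the gap the thread describes: the validator checks legality, not foreknowledge.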
But here is where Yuga messed up. 😣 All of the rules for the game were contained in the 530-99dd62c1818e8d74.js file in pretty much plain text. There was zero obfuscation or encryption. This allowed for easy reverse engineering/following of the code required to build maps. (18/43)
I believe they realized that they screwed up, because on Monday, February 6th, they went down for maintenance and re-compiled the JavaScript files with partial obfuscation into a new 993-19359fd25878ad78.js file. However, at this point, it was too late. (19/43)
If you had the 530 file, you could simply match the functions to the new 993 file: obfuscation renames identifiers, but the logic, constants and call structure stay the same, so each known function can be located again in the new bundle. (20/43)
So, you're probably wondering if this is just pure speculation or an unproven theory. It's not just a theory. It's fact. (21/43)
Our team went ahead and whipped up a quick bot (identifying information has been covered since the pass has since been sold), that instead of mapping out the whole course, calls chunks so it can see what is coming a few seconds before it reaches that obstacle. (22/43)
For the time spent on it, it actually performed very well. (23/43)
So, you may be thinking "Well, Yuga said they will validate manually." This is true. According to the public javascript files, they have the ability to "play back" all games using the course seed and the input data. (24/43)
However, it will look normal to them, because you aren't passing through objects illegally. You aren't teleporting to unreachable fragments. You aren't altering or obstructing the rules of the game in any manner. (25/43)
This is the "metadata" they are talking about - the input data providing your mouse movements and mouse clicks. (26/43)
If they do invalidate any of the scores, it would have to be based on their subjective assessment of whether it "looks" like a bot or not, and that's not a good strategy. Our bot, above, probably looks like a bot, because it was put together fairly quickly. (27/43)
However, a few weeks is more than enough time to put together realistic human movements. The only reason that I was called to look into this was because of some of the movements, although looking human, looked like they knew where to go next. (28/43)
If Yuga is going to invalidate scores based on whether they think the player knew what was coming X frames ahead, it's going to be a messy ride. (29/43)
🤖 You've likely been watching bots in plain sight. 🤖 (30/43)
You have seen recordings of top scores being achieved. Some even with "voice over." Could they have been legitimate? Sure. Could they have been sitting there, screen recording their bot on every run, and feigning excitement while their bot surpasses the high score? Sure. (31/43)
Botting + social engagement = perception of validity. 🧠 (32/43)
Even if someone is live streaming themselves "playing" on twitch, they may still simply be initiating their bot and moving their mouse around (which is likely locked via override), thus presenting the illusion that they are actually competing live. 🤯 (33/43)
Take what you see with a grain of salt. (34/43)
So, what could Yuga have done better?

1) They could have kept course generation server side and fed map data to the client just in time, as server-authoritative online games do. This costs money, of course, because bandwidth and server compute are involved. (35/43)
2) Even if they didn't want to go the more costly way, they should have obfuscated/encrypted the game files. If they had originally released the 993 file, instead of the 530, it would have taken weeks to reverse engineer. Unfortunately, the 530 file only took a few hours. Obfuscation only raises the cost, though: whatever the client can execute, the client can read. (36/43)
3) They could have established a dynamic system that feeds course seeds at random intervals or checkpoints, so that no single seed describes the whole course. This too could be maneuvered around, but it would have been a significant speed bump. (37/43)
Why did I release this twitter thread?

1) Transparency: Everything going on behind the scenes should be known. No one should have a special privilege to cheat when others are tirelessly competing. (38/43)
2) It is likely that multiple bot runners were competing against each other, so given that one was bound to post something out of spite, I felt like it was more productive to post this first. (39/43)
3) Accountability: An astronomical amount of money has been spent on this game. On Opensea alone, 35,000+ Ethereum has been traded on the secondary, which equates to $58,000,000. That's $3,000,000 in creator earnings going to BAYC/Yuga. (40/43)
Hundreds of thousands of dollars have also been invested in apecoin boosts. No matter how big you are, you have to humble yourself, admit mistakes and hold yourself accountable (individuals or companies alike). (41/43)
Any auditor would have seen the flaws involved in the game files and would have made a recommendation for changes based on the stakes involved (the top prize probably being worth $1,000,000+, as well as the value of a mint correlating directly to higher scores). (42/43)
With all this being said, crypto and nft gaming is in its early stages and I am glad to see Yuga taking such big steps. I hope that it will have its future games (Otherside!) audited extensively (our DMs will be open for crypto/nft game auditing/penetration testing). (43/43)
