I already posted this on Leofinance, but want to check out other platforms :)
In December last year I started playing Alien Worlds. The only thing you could do in the game was mining and staking:
- In the mining game you have to click a button, the game does a little bit of proof of work, and then you can claim the mining rewards: A small amount of TLM, the token of the game, and with a given probability a newly minted NFT. After a specific waiting time, the button can be pressed again.
- TLM could be staked to planets in Alien Worlds which had no effect back in 2020.
As I'm a software developer I immediately thought about writing a program which just sends the HTTP requests needed for mining. When I looked deeper into the WAX blockchain and the Alien Worlds tech blueprint I realized that I could just push corresponding transactions to the blockchain. So far so easy.
Starting problems
What I didn't know at that time was that there is some proof of work needed and the amount of PoW is much bigger for accounts you're holding the private keys for (256 times as much as far as I remember). The game is intended to be played with WAX Cloud Wallet, a service which offers custodial wallets and supports social media login. But to be able to reliably push transactions to the blockchain without days or weeks of effort I needed to use accounts I created myself. I wasn't that confident anymore, but decided to try it anyway because why not, I'm sitting at home due to corona and got enough time.
Alien Worlds is written in JavaScript and their PoW implementation generates a random number, checks if that number is a correct solution and if not a new random number is generated - thousands and thousands of times. To improve the performance I used Rust as a compiled language and only generated a random number once and then just increased the number by 1 until I got a PoW solution. This way I managed to do the calculations for one mining attempt within 10 seconds, often in less than one second. That was much faster than a WAX Cloud Wallet account in the browser game! Additionally I was able to mine for multiple accounts at the same time - one on every CPU thread.
So I manually created a bunch of accounts (which was a bit of work, as I had to create them manually, register them in the AW smart contracts, send and equip tools etc.) and let them mine. They generated a few bucks a day which was a first success - but I spent more than a weekend working on it, so the per hour payoff wasn't that great. But I also learned a new programming language so I was pretty happy with the result.
Whaat - they don't like what I'm doing?!
After a few weeks the accounts I painfully created by hand were blacklisted and received way less TLM and NFTs. I didn't find out how that was implemented on smart contract level, but it seemed to be a pretty manual task (they ran scripts to detect bots, I assume the account names were then pushed somewhere on chain).
So I improved my program to be able to create new accounts. I already had loads of abundant NFTs I could use as tools, so I told my program to create far more accounts. To prevent them from being banned I implemented a 'sleep time' for accounts: every account was only mining 8 hours a day. I created about 200 of those accounts and let them mine 24/7 so at every time there were about 60 active accounts. That went well for a while and I started making > 10 bucks a day. I also got my first Legendary and Mythical NFTs which I sold for 100 and 500 bucks. Not bad for a mostly passive income! If that would go on forever...
Of course it didn't.
Bots against developers
The accounts got banned again - more frequently this time. So I improved my program once again and implemented a way to automatically disable blacklisted accounts and create new ones. The time between account creations was a cubic function taking the number of active accounts - the more accounts were banned the faster new ones were created. Also I got rid of that 'sleep time' and just left my program running.
Blacklisting accounts still seemed to be a quite manual process and sometimes there were a few days where no account was spotted. My program escalated a bit and I ended up with 300 active accounts. Depending on the time interval I grabbed 2-6% of the total amount of TLM distributed every day by pushing a transaction every ~10 seconds. I easily got 30$ a day, sometimes even 100$ a day. Now the project was definitely worth the time - also financially. Additionally I automatically staked all my abundant NFTs to Rplanet (>30k NFTs in the end, that's a lot!) and got another few bucks a day through selling the received AETHER.
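Seen from the defender's side, the two activity patterns described in this post (accounts claiming around the clock, and accounts claiming on a fixed cadence inside a daily window) can be scored from claim timestamps alone. The Python sketch below is an added example, not code from the post or from Alien Worlds; the account names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Illustrative thresholds (assumptions, not values used by Alien Worlds).
MAX_ACTIVE_HOURS = 18   # distinct hours per day with claims; people sleep
MIN_INTERVAL_CV = 0.10  # stdev/mean of gaps between claims; people are irregular
MIN_EVENTS = 10         # skip accounts with too little history to judge


def score_account(timestamps):
    """Return (median active hours per UTC day, interval CV) for one account."""
    ts = sorted(timestamps)
    hours_by_day = defaultdict(set)
    for t in ts:
        hours_by_day[t // 86400].add((t // 3600) % 24)
    active_hours = median(len(h) for h in hours_by_day.values())
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else float("inf")
    return active_hours, cv


def flag_accounts(events):
    """events: iterable of (account, unix_seconds). Returns {account: [reasons]}."""
    by_account = defaultdict(list)
    for account, ts in events:
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        if len(stamps) < MIN_EVENTS:
            continue
        active_hours, cv = score_account(stamps)
        reasons = []
        if active_hours > MAX_ACTIVE_HOURS:
            reasons.append("round_the_clock")
        if cv < MIN_INTERVAL_CV:
            reasons.append("fixed_cadence")
        if reasons:
            flagged[account] = reasons
    return flagged


def sample_events():
    """Constructed sample: three hypothetical accounts over one UTC day."""
    day = 1_599_955_200  # 2020-09-13 00:00:00 UTC
    human = [32400, 33150, 35900, 36200, 45000, 46900,
             61200, 62050, 63900, 70200, 71000, 75600]
    return ([("acct_allday", day + i * 1800) for i in range(48)]
            + [("acct_window", day + 8 * 3600 + i * 1200) for i in range(24)]
            + [("acct_human", day + off) for off in human])
```

The 8-hour window account passes the round-the-clock check and is caught only by its zero-variance cadence, which is why the two signals are scored separately.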
Current state
In the beginning of March the Alien Worlds developers decided to get serious in fighting bots. They seem to 'blacklist' all non WAX Cloud Wallet accounts and reduced the amount of TLM even more. Creating new accounts probably isn't worth it anymore because you have to pay for RAM for creating the accounts - although you can sell the abundant avatar you receive (thanks to rplanet people are paying for abundants). Non wam accounts don't seem to get a shovel anymore.
To keep making money through Alien Worlds the next steps would be speaking to the WAX Cloud Wallet APIs to push transactions for those accounts. I think that could work another while (e.g. by acting more like a real person instead of mining 24/7), but that would be a lot of effort and I don't want to invest that much time.
Sadly I exchanged most of my WAX to Bitcoin before the WAX price went up, but I don't want to complain - I made about 8000 $ in a bit more than 2 months - which isn't a bad salary.
Why this was possible
In the crypto space it's just normal to release unfinished products. Most projects even have an ICO with no product available. I think the creators of Alien Worlds did plan to implement some anti-bot measures, but they weren't ready when the game released. So this was only possible because I discovered a game with simple, fakeable on-chain functions which is still unfinished and in development.
The mining game (being able to press a button for free money) was basically everything Alien Worlds offered at the beginning of the year. That screamed for automation - and I don't have a guilty conscience for doing it because I didn't take anything from other players directly. I forced the developers to do something against bots and now the game is more production ready. To be honest I was wondering that nobody else did it on a large scale - free money attracts lots of people and the world is huge.
I hope you found it interesting to read about how a crypto game can be exploited. Of course Alien Worlds players won't like what I did and friends made jokes that a white van without windows will come and take me, but that's how blockchains work - anyone can do anything the code allows and that had to happen unless more serious measures were taken.
You had better skills and you could exploit a game with your bots and multi accounts. As you said it wasn't hard for you. You made $8000 but this money was marketing money to be given probably to a hundred or a thousand more players. This money that reached just you could have reached hundreds and created a large community for this platform.
I'm sorry but abusing a system is not ethical. I won't tell you what is wrong and what is right. I have skills too and honestly I never even thought of using them to cheat. What you did was wrong, but you know this already. If I were you, I would make a donation of all the money left back to the company, and explain what you did, to help them.
I mean you are a developer too, maybe their effort sucks, maybe it will be a disaster. Don't you see there are hopes and dreams for these devs too and you can't judge them for an unfinished product. Would you like it if every effort you made was instantly meeting difficulties from cheaters trying to exploit it? Do you think that you can do better than them? Why don't you try then?