What Happened to Crypto Legions

Crypto Games Agency
Apr 1, 2022

Hello Crypto Legions Community,

Firstly, I’d like to say sorry from the whole team for the events that occurred after the launch of our game. We take full responsibility for this and deeply regret that our investors, friends and even family members lost money due to the possibility to exploit our game after its launch. Since we did not sell any of our team tokens, we are currently sitting at a huge loss from the Crypto Legions project, not only financially but also in terms of time and energy spent over the last 6 months. However, it’s very important for us that we do our best for our community, and we really appreciate the supportive messages we’ve received from our community, with many of you saying you still support us and asking us on Discord and Telegram to create a version 2 of our project with no exploit. From talking with advisors who have great experience in this space, we’ve concluded that the best thing we can do for our community is to invest more of our own money and keep working on our project, make sure it’s fully secure and has no security issues, and then do an amazing job with the launch of a v2 version which will enable our community to make their money back.

In this article we will let you know what the next steps are for our game and provide a full exploit report from our development team explaining how a user was able to exploit our game in order to constantly mint the highest level warriors and beasts NFTs, then use them to hunt the strongest monsters with 100% win chance certainty and then sell their rewards on the market.

PART 1: Full exploit report

The exploiter was able to predict the outcome of a mint and used this information to create a smart contract that mints the highest level NFT on each mint. He then minted unlimited level 6 warriors and beasts, merged them into Legions and hunted the top monster for a $15,000 reward. By using the same exploit he was also able to predict the outcome of the Hunt, and was therefore able to win 100% of the time against the highest monster, Monster 24, rather than 15%.

The game contract code and its sibling contracts were all verified and deployed publicly to the blockchain.

Here is an excerpt of the Minting code for Warriors:

For those of you familiar with Solidity and programming in general, you can see the function responsible for generating the “dice roll”, so to speak, called genRand. This function uses the timestamp of the current block, together with the block’s mining difficulty, to generate a 256-bit hash, which is transformed into a number determining what kind of monster would be minted.

Using this information, the exploiter predicted the outcome of the roll at a certain block and submitted multiple mint transactions to the same block. Since all of these would have the same timestamp, the resulting roll is the same for all of them. This resulted in all of his mints becoming Level 6 Warriors (Dragons).

As you can see below, all of his mints were submitted to the same block.

You can find these mints and see for yourself here: Binance Transactions Information | BscScan
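The same-block effect described above, as an added example that is not the project's contract code: a roll computed only from block fields is identical for every transaction in that block, and a monitor can flag bursts of top-level mints landing in a single block. SHA3-256 stands in for the contract's 256-bit hash, and the function names, record fields and sample records are constructed for illustration.

```python
import hashlib
from collections import defaultdict

TOP_LEVEL = 6  # highest warrior/beast level named in the report

def block_roll(timestamp: int, difficulty: int, sides: int = 100) -> int:
    """Roll derived only from block fields, as the report describes for genRand.
    SHA3-256 is a stand-in for the contract's 256-bit hash (assumption)."""
    data = timestamp.to_bytes(32, "big") + difficulty.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big") % sides

def rolls_for_block(timestamp: int, difficulty: int, tx_count: int) -> list:
    """Every transaction in a block sees the same timestamp and difficulty."""
    return [block_roll(timestamp, difficulty) for _ in range(tx_count)]

def flag_same_block_bursts(mints, min_count=3):
    """Return (block, sender) pairs with min_count or more mints in one block
    that all came out at the top level."""
    groups = defaultdict(list)
    for m in mints:
        groups[(m["block"], m["sender"])].append(m["level"])
    return sorted(key for key, levels in groups.items()
                  if len(levels) >= min_count and set(levels) == {TOP_LEVEL})

# Constructed mint records (not taken from BscScan); field names are hypothetical.
SAMPLE_MINTS = [
    {"block": 1000, "sender": "0xAAA", "level": 6},
    {"block": 1000, "sender": "0xAAA", "level": 6},
    {"block": 1000, "sender": "0xAAA", "level": 6},
    {"block": 1000, "sender": "0xAAA", "level": 6},
    {"block": 1001, "sender": "0xBBB", "level": 1},
    {"block": 1002, "sender": "0xCCC", "level": 2},
    {"block": 1002, "sender": "0xCCC", "level": 2},
    {"block": 1002, "sender": "0xCCC", "level": 2},
    {"block": 1003, "sender": "0xBBB", "level": 6},
]

if __name__ == "__main__":
    # Constructed block fields: five transactions, one shared roll.
    print(rolls_for_block(1648771200, 2, 5))
    print(flag_same_block_bursts(SAMPLE_MINTS))
```

The batch from 0xCCC is not flagged: under this scheme any same-block batch shares one level, so the signal is the combination of burst size and top-level outcome.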

Continuing on, the exploiter used these to build Legions with 500,000 minimum Attack Power to hunt the highest level Monster with a reward of $15,000.

The hunt code was also publicly available on the blockchain for anyone to read, and it used the same way of generating a random number (roll) to determine if the hunt was a success or not.

Using the same prediction techniques, the exploiter was able to predict at what block to submit the Hunt transaction to guarantee that it would be a success, resulting in him winning tokens worth $15,000 and selling them on the open market.

Here is a transaction of him hunting the highest level monster (24) with a successful roll:

You can see this transaction for yourself here:

Binance Transaction Hash (Txhash) Details | BscScan

After the hunt, all he needed to do was claim the reward (211,000 BLST at that point)

and sell the legion:

Binance Transaction Hash (Txhash) Details | BscScan

The exploiter also wrote a smart contract / bot, interacting with our smart contracts, to do all of the above functions automatically, many times over.

What we can do differently in version 2 to ensure there will be no exploits:

Since the exploit occurred we’ve been in talks with many known, high-level developers who have come up with suggestions for how we can make sure a v2 version will be fully secure for our players. These include but are not limited to:

  • The use of upgradable proxy contracts
  • Third-party, off-chain random number generation (Chainlink)
  • Un-renounced contract with functions in place to halt the game, pause trading and so on.
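A model of the request-then-fulfil pattern behind the off-chain randomness item above, as an added example that is not the project's code or the Chainlink API: the mint is recorded first, and the roll only exists once a random word for that specific request arrives in a later block. The class, method names and the later-block rule are assumptions made for this sketch.

```python
class RollCoordinator:
    """Model of request-then-fulfil randomness: no roll exists when the mint
    is requested, only when the oracle's random word is delivered later."""

    def __init__(self, sides: int = 100):
        self.sides = sides
        self.pending = {}   # request_id -> (player, request_block)
        self.results = {}   # request_id -> settled roll
        self._next_id = 1

    def request_mint(self, player: str, block: int) -> int:
        """Record the mint (payment would be taken here); return a request id."""
        request_id = self._next_id
        self._next_id += 1
        self.pending[request_id] = (player, block)
        return request_id

    def fulfil(self, request_id: int, random_word: int, block: int) -> int:
        """Oracle callback: settle one pending request with its own random word."""
        if request_id not in self.pending:
            raise KeyError("unknown or already fulfilled request")
        _, request_block = self.pending[request_id]
        if block <= request_block:
            raise ValueError("fulfilment must land in a later block than the request")
        del self.pending[request_id]  # a request can be settled only once
        self.results[request_id] = random_word % self.sides
        return self.results[request_id]


if __name__ == "__main__":
    game = RollCoordinator()
    # Two mints requested in the same block (constructed values).
    first = game.request_mint("0xAAA", 1000)
    second = game.request_mint("0xAAA", 1000)
    print(game.results)                    # nothing is decided at request time
    print(game.fulfil(first, 1234, 1003))  # each request gets its own word
    print(game.fulfil(second, 987, 1003))
```

Because the caller has already committed to the mint when the word arrives, a transaction can no longer be timed or reverted around a known outcome.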

PART 2: What's next and compensation

Because we are at a huge loss due to not selling our team tokens, and money has been taken out of the economy by traders who sold for profit and the user who exploited the game, we do not have any money to compensate our investors financially right now. When it comes to compensating our players and traders we have come up with the following plan, based on the suggestions made by our community in Discord and Telegram. We are going to be the example that we would like to see out there, in case such a disastrous situation as this one happens.

We are going to invest more of our own money to make sure the Crypto Legions v2 launch is fully secure and will be a massive success, in about 6 to 8 weeks from now, as this is what our community has asked for, and we believe making it a huge success is the only solution to help our community to recover their losses. As players have been ‘stuck’ inside the game and unable to sell their investments when the announcement telling investors to sell was made, we will have a slightly different plan for them compared to our plan to compensate traders.

If you are a player please fill in this form here:
https://cryptolegions.app/players

If you are a trader please fill in this form here:
https://cryptolegions.app/traders

If you have been a player and a trader, then you can complete both of the above forms.

For transparency we will also provide the bscscan link to our team and documentary wallet that held 2.5% of the token supply.

Original team and documentary wallet: 0x99f54475d85fff799cb25a09892d84ec48ded07b

https://bscscan.com/token/0x340516b933597f131e827abdf0e3f700e24e84ff?a=0x99f54475d85fff799cb25a09892d84ec48ded07b

From this wallet you will be able to see exactly where our team tokens were sent to and evidence that we never sold our tokens on the market; the plan was always to play the game with these tokens. We will attempt to use these tokens to give back some return to our players without benefitting the user who abused the exploit.

PART 3: Join our AMA

This report has been made within 36 hours after the exploit was discovered, and probably many of your questions remain unanswered. Please join our AMA on Monday 4 April at 5pm UTC on our Telegram: http://cryptolegions.app/t

Once again, we are truly sorry for what has happened; we will do our best to make it up to our investors and players.
