Security
Security is of critical importance for both traditional video games and the emerging crypto games space. As projects grow larger they become increasingly desirable targets for bad actors: larger projects are more complex, have more 'attack surfaces' and more potential vulnerabilities.
We are developing our security in stages. Early efforts have begun and will remain an ongoing focus. We will make every effort to ensure data integrity and privacy protections for the development environment, our partners and our players.
- Client/Server communications use https/wss secure connections. Asylum Lab Inc. has valid TLS (SSL) certificates.
- Plaintext passwords are never sent over the wire. Passwords are salted and hashed with SHA-256.
- Communication between game client app and server uses tokens so that even if the game client is compromised, at worst only the game’s credentials are stolen but the user’s password is not exposed. Users often use the same user name/password for multiple apps, so it’s important to expose a user’s password as little as possible. Passwords are not stored in the client app. Only the token is.
- Passwords are never stored in the database as plaintext. The server stores only salted SHA-256 password hashes.
- Users are anonymized on database servers to protect privacy.
- Servers are deployed in the cloud, in private VPNs that protect internal traffic from being eavesdropped on. Database servers are not exposed directly to the outside world; they are reachable only through the game server/REST API endpoints.
- All servers use SSH public/private key authentication rather than user name/password logins for SSH access, to prevent unauthorized access.
- All SQL queries that take user input as a parameter use prepared statements to prevent injection attacks.
- We are on Immutable X which has a custodial wallet component (IMX wallet) and a non-custodial wallet component (Metamask, etc). Asylum Labs itself does not create or use any other wallets that could be compromised in an attack. NFTs and tokens are secured by blockchain technology.
- Game assets are stored on Amazon S3/CloudFront for fast, reliable access and minimal downtime as guaranteed by Amazon. NOTE: As we scale, we may also use Microsoft Azure where appropriate for performance reasons (e.g. Asia). In either case, game assets are highly available and deployed to edge locations for performance and redundancy.
- We will hire a CIO to manage our security, privacy and compliance teams.
- We plan to use one of the popular systems to protect against DDoS attacks; we are currently evaluating a few systems, such as www.cloudflare and www.lumen.com.
- MySQL databases will have a master/replica replication setup for redundancy, with daily backups to the cloud retained for 30 days, plus a monthly snapshot.
- For anti-gold-farming and 'anti-bot' protection, our system has a variety of solutions to combat this unhealthy practice. We recognize that 'bot farms' can kill a game and will have multiple 'layers' of protection against these nefarious actors. Game servers will have bot/cheat detection to deter cheating and bot mining of play-&-earn currencies. Specific implementation details TBD.
- anti-cartel economy design - coming soon
- We have experience w/ GDPR from previous projects and are currently in 'partial' compliance. This is an ongoing effort and we will work with external partners (TBD) to manage our global compliance requirements.
- For general smart contract audits (recurring annually) we will be partnering with a firm such as https://cyrextech.net/ or https://audit.verichains.io/ . These certifications will provide the backbone of our web3 strategy for continuous improvement and protection.
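As an added illustration of the password-storage and token bullets above (this is example code, not Asylum Labs' own; the PBKDF2-HMAC-SHA256 construction, the HMAC token format, the signing key, the iteration count and the sample user are all assumptions): the server stores only a salted hash, the client sends the password once at login, and afterwards holds nothing but a signed, expiring token.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from typing import Optional, Tuple

# Hypothetical server-side HMAC key for signing session tokens (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)
ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, the page does not state one

def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted SHA-256 based password hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HMAC-SHA256 signed bearer token carrying the user id and an expiry time."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = json.dumps({"uid": user_id, "exp": exp}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def authenticate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is untampered and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # verify the signature before trusting any claim
        return None
    claims = json.loads(payload)
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims["uid"]

# Constructed users table: user_id -> (salt, digest). Only the salted hash is ever stored.
USERS = {"player42": hash_password("correct horse battery staple")}

def login(user_id: str, password: str) -> Optional[str]:
    """The one request that carries a password; the client then keeps only the returned token."""
    record = USERS.get(user_id)
    if record is None or not verify_password(password, *record):
        return None
    return issue_token(user_id)
```

A stolen token can at worst be replayed until it expires; the password itself never leaves the login request and never reaches storage in the clear.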