How I Beat CryptoKitties by Rob Durst

The Beginning

I was one of the lucky people who came across a Twitch livestream a few days before CryptoKitties experienced exponential growth:

And just as the game took off and ETH flowed in like crazy, I bred a shipcat, a Fancy cat for those less experienced CryptoKitties breeders. At the time, this was the 120th shipcat bred and one of only 35 on the market. It looked a bit like this:

Well, this cat ended up selling for 0.83 ETH and within a few days I had made over $1000 on a $50 investment.

2 is Better Than 1

That weekend I came home -- I live in SF and my parents live an hour away. After telling my dad about the craziness of CryptoKitties, I went to the grocery store with my mom to pick up a couple things. We come back less than an hour later and my dad had installed MetaMask, setup a Coinbase account, and purchased his first CryptoKitty (before this, cryptocurrency was just funny money and CryptoKitties "one of the most ridiculous things he had ever heard of").

Yep... Cryptokitties was my father's introduction to cryptocurrency.

One Month Later

As apparent from the graph above, the Cryptokitties craze did not last very long. Most people, like myself, made a little bit of ETH and cashed out. However, my father still had a few cats left and with the market looking bearish, he was looking for new ways to sell his cats -- from the subreddit to the discord channel to Steemit.

Coming home one weekend, I decided to help my dad sell his remaining cats. After a few hours of brainstorming and hacking around, we came up with a plan.

Hacking CryptoKitties (well, sort of)

Since I had quit Cryptokitties, a few new features had been released. One particular feature, likes, was a little shaky in it implementation -- it was exploited only days after its creation.

However, the average Cryptokitties user is not very tech saavy, so most of the like exploits were simply people creating multiple accounts on MetaMask and liking up their own cat. While this is effective for maybe 10-100 likes, it gets very time consuming when done in large quantities.

Having had some experience with web3.js I sought to repeat this liking process, but with code. Here is the end result (this is a cat with an absurd number of likes):

The Code

Here is a walkthrough of the "hack":

1. Generate a public/private keypair.
2. Digitally sign the word "Cryptokitties" and send this signature along with your public key to the CryptoKitties API.
3. Receive back a login token.
4. Use this login token to like a cat.
5. Repeat as many times as you like.

This is what it looks like in action:

const  web3  =  require("web3")
const  Web3  =  new  web3('ws://localhost:8546');
const  axios  =  require("axios");

async  function  hackTheCats(address, signature, origin, catid) {
    try {
        const  response  =  await  axios({
            method:  "post",
            url:  "https://api.cryptokitties.co/sign",
            data: {
                sign:  signature.signature,
                address:  address.toLowerCase()     
            },
            headers: {
                "Content-Type":  "application/json;charset=UTF-8",
                Referer:  "https://www.cryptokitties.co/sign-in",
            }
        })
    
        const  response2  =  await  axios({
            method:  "post",
            url:  "https://api.cryptokitties.co/kitties/"+catid+"/purr",
            headers: {
                Authorization:  response.data.token,
            }
        })
    
        console.log(response2.data.purred);
    
    } catch(err) {
        console.log(err);
    }
}

function  loopTheHack(n, catid) {
    for (var  i  =  0; i  <  n; i  ++) {
        const  account  =  Web3.eth.accounts.create();
        const  address  =  account.address;
        const  signature  =  account.sign("Cryptokitties");
        hackTheCats(address, signature, i, catid);
    }
}

Success!

One major drawback of games like CryptoKitties is the search-ability of your digital assets -- how easy is it for others to find the asset you are trying to sell. Lucky for me, likes was one of the filters provided in the CryptoKitties marketplace, so since I was the only one programmatically liking cats, I was easily able to dominate the marketplace. My strategy?

1. Like a cat until it is the most liked cat on the market
2. Sell
3. Repeat

Here are the two accounts I was using:

• 0x97b2f877098B9ff46B86650290B13f85881fC9E5
• 0x4Cfc6cdA90a0D338B99bFD35A4d75Fa97bFD17e4

You can see how much I made here: https://kittyrush.herokuapp.com/

Here are some of the cats I sold:

And of course, with 240,000+ likes, the most liked cat in the game:

Can I Use this Hack?

No, (un)fortunately the CryptoKitties dev team has covered up this exploit, allowing only those with at least one cat to like other cats. This means, to replicate the above, you would need to pass a cat back and forth between accounts -- by the time you get to 20,000+ likes, the $$$ you spend on gas would be more than you could possibly make from the liked up cat.

Takeaways

With real money on the line, even the most ridiculous crypto games are target to hacks/exploits. However, I would argue that crypto games are even more open to such exploits because the average online crypto user is an easier target than a USD gamer:

1. Transactions are final (once the money is sent, it is gone)
2. The average joe still has no idea how cryptocurrency works and thus has a harder time differentiating between legitimate, semi-legitimate, and illegitimate crypto websites
3. Due to the volatility of crypto prices and due to the fact prices on these Ethereum games are displayed in ETH, people sometimes forget how much money they are actually spending

So if you decide to engage in any of the wonderful crypto games out there, watch out! It truly is the wild west out there.

This article was written by a friend of mine original article is here https://medium.com/@robdurst/how-i-beat-cryptokitties-f9aa71c03c87

FOLLOW UPVOTE RESTEEM Thx!