How I Beat CryptoKitties

In light of CryptoKitties’s $12 million funding round and in celebration of selling my last cat for 2 ETH, here is the story of how I beat CryptoKitties.

The Beginning

I was one of the lucky people who came across a Twitch livestream a few days before CryptoKitties experienced exponential growth:

And just as the game took off and ETH flowed in like crazy, I bred a shipcat, a Fancy cat for those less experienced CryptoKitties breeders. At the time, this was the 120th shipcat bred and one of only 35 on the market. It looked a bit like this:

Well, this cat ended up selling for 0.83 ETH and within a few days I had made over $1000 on a $50 investment.

2 is Better Than 1

That weekend I came home — I live in SF and my parents live an hour away. After telling my dad about the craziness of CryptoKitties, I went to the grocery store with my mom to pick up a couple things. We come back less than an hour later and my dad had installed MetaMask, setup a Coinbase account, and purchased his first CryptoKitty (before this, cryptocurrency was just funny money and CryptoKitties “one of the most ridiculous things he had ever heard of”).

Yep… Cryptokitties was my father’s introduction to cryptocurrency.

One Month Later

As apparent from the graph above, the Cryptokitties craze did not last very long. Most people, like myself, made some ETH and cashed out. However, my father still had a few cats left and with the market looking bearish, he was looking for new ways to sell his cats — from the subreddit to the discord channel to Steemit.

Coming home one weekend, I decided to help my dad sell his remaining cats. After a few hours of brainstorming and hacking around, we came up with a plan.

Hacking CryptoKitties (well, sort of)

Since I had quit Cryptokitties, a few new features had been released. One particular feature, likes, was a little shaky in it implementation — it was exploited only days after its creation.

However, the average Cryptokitties user is not very tech saavy, so most of the like exploits were simply people creating multiple accounts on MetaMask and liking up their own cat. While this is effective for maybe 10–100 likes, it gets very time consuming when done in large quantities.

Having had some experience with web3.js I sought to repeat this liking process, but with code. Here is the end result (this is a cat with an absurd number of likes):

The Code

Here is a walkthrough of the “hack”:

1. Generate a public/private keypair.
2. Digitally sign the word “Cryptokitties” and send this signature along with your public key to the CryptoKitties API.
3. Receive back a login token.
4. Use this login token to like a cat.
5. Repeat as many times as you like.

This is what it looks like in code:

const web3 = require(“web3”)
const Web3 = new web3(‘ws://localhost:8546’);
const axios = require(“axios”);
async function hackTheCats(address, signature, origin, catid) {
   try {
     const response = await axios({
     method: “post”,
     url: “https://api.cryptokitties.co/sign",
     data: {
       sign: signature.signature,
       address: address.toLowerCase() 
     },
     headers: {
       “Content-Type”: “application/json;charset=UTF-8”,
       Referer: “https://www.cryptokitties.co/sign-in",
     }
   })
 
   const response2 = await axios({
     method: “post”,
     url: “https://api.cryptokitties.co/kitties/"+catid+"/purr",
     headers: {
       Authorization: response.data.token,
     }
   })
 
   console.log(response2.data.purred);
 
 } catch(err) {
   console.log(err);
 }
}
function loopTheHack(n, catid) {
 for (var i = 0; i < n; i ++) {
   const account = Web3.eth.accounts.create();
   const address = account.address;
   const signature = account.sign(“Cryptokitties”);
   hackTheCats(address, signature, i, catid);
 }
}

Success!

One major drawback of games like CryptoKitties is the search-ability of your digital assets — how easy is it for others to find the asset you are trying to sell. Lucky for me, likes was one of the filters provided in the CryptoKitties marketplace. Since I was the only one programmatically liking cats, I was easily able to dominate the marketplace. My strategy?

1. Like a cat until it is the most liked cat on the market
2. Sell
3. Repeat

Here are the two accounts I was using:
* 0x97b2f877098B9ff46B86650290B13f85881fC9E5
* 0x4Cfc6cdA90a0D338B99bFD35A4d75Fa97bFD17e4

You can see how much I made here: https://kittyrush.herokuapp.com/

Here are some of the cats I sold:

And of course, with 240,000+ likes, the most liked cat in the game:

Can I Use this Hack?

No, (un)fortunately the CryptoKitties dev team has covered up this exploit, allowing only those with at least one cat to like other cats. This means, to replicate the above, you would need to pass a cat back and forth between accounts — by the time you get to 20,000+ likes, the $$$ you spend on gas would be more than you could possibly make from a liked up cat.

Takeaways

With real money on the line, even the most ridiculous crypto games are targets for hacks/exploits. However, I would argue that crypto games are even more vulnerable to such exploits because the average online crypto gamer is an easier target than a USD gamer:

1. Transactions are final (once the money is sent, it is gone)
2. The average joe still has no idea how cryptocurrency works and thus has a harder time differentiating between legitimate, semi-legitimate, and illegitimate crypto websites
3. Due to the volatility of crypto prices and due to the fact prices on these Ethereum games are displayed in ETH, people sometimes forget how much money they are actually spending

So if you decide to engage in a crypto game, watch out! It truly is the wild west out there.