Moralis Unity SDK database security

This is my first time writing on the Moralis Forum. I would firstly want to state that I admire the Moralis team’s passion to make things easier for every web3 developer out there. Your work is just unbelievable!

I have a question regarding the Moralis Unity SDK and how secure the database can actually be.

Let’s assume that we have created a Play-To-Earn game where users can accumulate points through our game which are stored as off-chain data in our Moralis Database in real time and then the user can claim the points for actual blockchain tokens or NFTs relative to how many coins they have managed to accumulate in the Database.

My question is: since we have provided our Moralis Database URL + ID in our Unity game, and this is all it takes in order to update the database for the user that plays the game (add coins), if a hacker manages to decompile the Unity code and somehow finds out both the Database’s URL and ID, won’t he be able to somehow add off-chain data (coins) to our Moralis Database for his own benefit?

You will have to add protections for that use case. Either with CLP/ACL or with a beforeSave hook or a combination of them.

Thanks cryptokid for answering!
So, if I understand correctly, this way we add restrictions for other third parties and the updates can only be achieved through our Unity game and nowhere else. A user won’t be able to change the data on his own even if he builds another Unity project providing the URL and ID of our server.

It seems that I have to dive deeper into the restriction and protection features of the database in order to get a better grasp.

If something is updatable from the game, the user can change it at any time. You have to consider that case and either make the changes from the server or validate any change on the server somehow.

So the way is to use a beforeSave hook in order to validate to some extent what and by how much the user tries to change a variable. Since the coin system will be updatable from the game, CLP and ACL can’t help at all. If you add CLP and ACL non-write restrictions, the users won’t be able to update the coin variable even by actually playing the game.

You will need a way to validate server side, or to set the values server side, so that the user cannot set any random values that he wants to set.

1 Like
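As an added illustration of the server-side validation cryptokid describes (example code written for this thread, not from the forum posts or from Moralis's own code), here is a Parse-style beforeSave hook in the shape Moralis Cloud Code uses: the client may only raise its own coin balance by a bounded amount per save, only trusted master-key (server) writes may set arbitrary values, and a player cannot write to another player's row. The class name `PlayerScore`, the fields `coins` and `owner`, and the per-save cap are assumptions for illustration.

```javascript
// Constructed cap: the most a single client-initiated save may add to "coins".
const MAX_COINS_PER_SAVE = 50;

// Pure decision function so the rule can be tested without a Moralis server.
// previousCoins: stored value (undefined when the object is being created)
// nextCoins:     value the client is trying to save
// isMaster:      true when the request carries the master key (trusted server code)
function validateCoinChange(previousCoins, nextCoins, isMaster) {
  if (isMaster) return { ok: true }; // server-side writes are not constrained here
  if (!Number.isInteger(nextCoins) || nextCoins < 0) {
    return { ok: false, reason: "coins must be a non-negative integer" };
  }
  const prev = previousCoins === undefined ? 0 : previousCoins;
  const delta = nextCoins - prev;
  if (delta < 0) return { ok: false, reason: "client may not decrease coins" };
  if (delta > MAX_COINS_PER_SAVE) {
    return { ok: false, reason: `increment ${delta} exceeds cap ${MAX_COINS_PER_SAVE}` };
  }
  return { ok: true };
}

// Hook body in the Parse/Moralis beforeSave request shape (assumed here):
// request.object is the incoming object, request.original the stored one
// (undefined on create), request.user the caller, request.master the master flag.
// Returns true when the save is allowed; throws to reject it.
function beforeSavePlayerScore(request) {
  const incoming = request.object;
  const stored = request.original;
  if (!request.master) {
    // Bind the row to the requesting user: owner must be set to the caller
    // and may never be reassigned by a client.
    const owner = incoming.get("owner");
    if (!request.user || !owner || owner.id !== request.user.id) {
      throw new Error("owner must be the requesting user");
    }
    if (stored && stored.get("owner").id !== owner.id) {
      throw new Error("owner cannot be reassigned");
    }
  }
  const verdict = validateCoinChange(
    stored ? stored.get("coins") : undefined, incoming.get("coins"), !!request.master);
  if (!verdict.ok) throw new Error(verdict.reason);
  return true;
}

// Register the hook only when running inside Moralis Cloud Code (Moralis global present).
if (typeof Moralis !== "undefined" && Moralis.Cloud) {
  Moralis.Cloud.beforeSave("PlayerScore", beforeSavePlayerScore);
}
```

The cap only limits how fast a decompiled client can inflate its balance; the thread's stronger option, having the server itself award the coins under the master key, is what the `isMaster` branch leaves room for.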

Ok, got it. Thanks cryptokid for the info, and sorry if my questions were kinda silly. I am really new to this stuff.

1 Like