Secure minting of crypto game reward tokens

Let’s consider a scenario: there’s a blockchain game with a battle system. The user is rewarded for winning by getting a certain amount of ERC-20 tokens. That means that the mint method in the smart contract has to be open to the public and not limited to the owner. How would you ensure that someone won’t call this function from outside of the game? And even within the game, the user could just change the JavaScript to send different values.

The only idea I have about this is to move the entire battle processing from the cloud function to the smart contract but it doesn’t seem to be a good idea since there’s a lot of processing (but maybe I’m wrong and it’s not an issue) and that would make implementing changes in the battle system impossible.

Any ideas?

When someone wins a battle, you keep track of that and you say that address x can withdraw y tokens. Then they can later call a function named claimRewards, where the tokens get transferred to their address and you decrease the amount of reward that they still have to receive.
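The pull pattern described in this answer, written out as an added example (not code from the thread or from Moralis): the backend's key is the only address allowed to credit a win into an on-chain mapping, mint is never public, and the player later calls claimRewards to mint exactly what was credited. Contract name, the gameOperator role and the OpenZeppelin 5.x import paths are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts 5.x (Ownable takes the initial owner in its constructor).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Reward token with no public mint. The game backend (holding the gameOperator key)
/// credits wins on-chain; players pull what they were credited via claimRewards.
contract BattleRewardToken is ERC20, Ownable {
    // Backend hot key allowed to record battle results (hypothetical role).
    address public gameOperator;

    // Tokens each player has earned but not yet claimed.
    mapping(address => uint256) public pendingRewards;

    event WinRecorded(address indexed player, uint256 amount);
    event RewardsClaimed(address indexed player, uint256 amount);

    modifier onlyOperator() {
        require(msg.sender == gameOperator, "not game operator");
        _;
    }

    constructor(address operator) ERC20("Battle Reward", "BRW") Ownable(msg.sender) {
        gameOperator = operator;
    }

    /// Lets the owner rotate the backend key if it is ever compromised.
    function setGameOperator(address operator) external onlyOwner {
        gameOperator = operator;
    }

    /// Called by the backend after it has validated the battle result server-side.
    /// This costs gas for every fight, which is the trade-off noted in the thread.
    function recordWin(address player, uint256 amount) external onlyOperator {
        require(amount > 0, "zero reward");
        pendingRewards[player] += amount;
        emit WinRecorded(player, amount);
    }

    /// Called by the player from the frontend; nothing the JavaScript sends can
    /// change the amount, because the amount comes from the mapping, not from calldata.
    function claimRewards() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0; // zero the balance before minting (checks-effects-interactions)
        _mint(msg.sender, amount);
        emit RewardsClaimed(msg.sender, amount);
    }
}
```

Exposing the ABI of this contract is harmless: the only thing a user can do with it is claim a balance the backend already credited to their own address. The sensitive part is the gameOperator private key, which lives on the server and should be a dedicated key with no other privileges, so that rotating it via setGameOperator bounds the damage if it leaks.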

Where do you keep track of that? In the smart contract mapping or in the Moralis database?

You can do it in the smart contract mapping, but it will cost gas to do that for every fight.
I don’t know the exact requirements for how to do it in the Moralis database, but if you do it in the database, you’ll also have to offer a way to transfer the rewards on-chain.

Is there a way to call a smart contract inside the cloud function to hide it from the users? And the user could just sign it on the frontend, but I don’t want to expose the ABI

It would be possible to do that in a cloud function, but it would mean that you’ll have to keep the private key in the cloud function, and it is not recommended to do that.

Do you think that using Chainlink and calling the cloud function inside the smart contract to check the user’s balance (saved in the Moralis database) would be a good solution here?

I think that it could work as a solution. Using Chainlink for this case in particular is the same as listening for events and sending transactions based on the events that you see on the blockchain: someone calls a function when he wants to withdraw rewards, that function emits an event, you watch for that event, and you send a transaction that delivers the reward to that user asynchronously.
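The event-driven variant described in this answer, and the earlier point that an off-chain (database) ledger still needs an on-chain way to transfer rewards, as an added example that is not part of the thread or of Moralis or Chainlink code: the player submits a withdraw request that only emits an event, the backend (or a Chainlink job) reads the database balance and fulfills the request from a dedicated relayer key, and the contract limits what that key can do with a per-request status and an owner-set payout cap. Contract name, the relayer role and the cap are assumptions for the illustration; OpenZeppelin 5.x import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts 5.x.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Reward token whose ledger lives off-chain. Players request withdrawals on-chain;
/// an off-chain service checks the database and fulfills or rejects each request.
contract OffchainLedgerRewardToken is ERC20, Ownable {
    address public relayer;              // backend / Chainlink job key (hypothetical role)
    uint256 public maxPayoutPerRequest;  // bounds what a stolen relayer key can mint per request
    uint256 public nextRequestId;

    enum Status { None, Pending, Fulfilled, Rejected }
    struct Request { address player; uint256 amount; Status status; }
    mapping(uint256 => Request) public requests;

    event WithdrawRequested(uint256 indexed requestId, address indexed player, uint256 amount);
    event WithdrawFulfilled(uint256 indexed requestId, address indexed player, uint256 amount);
    event WithdrawRejected(uint256 indexed requestId, address indexed player);

    modifier onlyRelayer() {
        require(msg.sender == relayer, "not relayer");
        _;
    }

    constructor(address relayer_, uint256 cap) ERC20("Battle Reward", "BRW") Ownable(msg.sender) {
        relayer = relayer_;
        maxPayoutPerRequest = cap;
    }

    function setRelayer(address relayer_) external onlyOwner { relayer = relayer_; }
    function setMaxPayoutPerRequest(uint256 cap) external onlyOwner { maxPayoutPerRequest = cap; }

    /// Player asks for a payout. The amount is only a claim; the off-chain ledger decides.
    function requestWithdraw(uint256 amount) external returns (uint256 id) {
        require(amount > 0 && amount <= maxPayoutPerRequest, "bad amount");
        id = nextRequestId++;
        requests[id] = Request(msg.sender, amount, Status.Pending);
        emit WithdrawRequested(id, msg.sender, amount);
    }

    /// Off-chain service, after deducting the amount from the database, pays out at most
    /// what was requested. A request can be fulfilled once, so a retried transaction
    /// for the same id reverts instead of paying twice.
    function fulfillWithdraw(uint256 id, uint256 amount) external onlyRelayer {
        Request storage r = requests[id];
        require(r.status == Status.Pending, "not pending");
        require(amount > 0 && amount <= r.amount, "exceeds request");
        r.status = Status.Fulfilled;
        r.amount = amount;
        _mint(r.player, amount);
        emit WithdrawFulfilled(id, r.player, amount);
    }

    /// Used when the database shows the player has less than they asked for and nothing is owed.
    function rejectWithdraw(uint256 id) external onlyRelayer {
        Request storage r = requests[id];
        require(r.status == Status.Pending, "not pending");
        r.status = Status.Rejected;
        emit WithdrawRejected(id, r.player);
    }
}
```

The listener side is the part the thread leaves open: it subscribes to WithdrawRequested, debits the player's database balance first, then sends fulfillWithdraw (or rejectWithdraw) from the relayer key. Doing the database write before the transaction, and keying the work on the request id, means a crash between the two steps can be replayed safely, because a second fulfillWithdraw for an already fulfilled id reverts. The relayer key still has to live on the server, which is the concern raised earlier in the thread; the per-request cap and the ability to rotate the key with setRelayer limit the blast radius rather than remove it.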
