CYREX
Security Testing

Gods Unchained

Client: Immutable

Cyrex partnered with Immutable to deliver white box penetration testing and load testing for Gods Unchained, securing its Ethereum L2-powered ecosystem, gameplay systems, and live services while validating scalability under high concurrency.

The Challenge

Securing Digital Ownership in an Ethereum L2 Trading Card Game

Gods Unchained is a competitive trading card game built on Ethereum Layer 2, enabling players to fully own, mint, trade, and manage their in-game assets. Unlike traditional free-to-play titles, digital ownership is central to the player experience.

That ownership model introduces additional security complexity.

Immutable required validation across:

  • Blockchain-integrated item minting and trading flows
  • Backend live services and API endpoints
  • Multiplayer gameplay communications
  • Web-based platform components
  • Game launcher (Electron) and Unity client
  • Registration, authentication, and voucher systems

When digital assets carry real ownership value, vulnerabilities in API logic, minting flows, or client trust boundaries can impact both gameplay fairness and asset integrity.

Immutable engaged Cyrex to fortify both the security posture and scalability of the ecosystem.

The Cyrex Solution

White Box Penetration Testing Across Platform & Gameplay Systems

Cyrex conducted comprehensive white box penetration testing, reviewing internal implementations to assess logic, validation layers, and integration points in depth.

This allowed our engineers to analyze both traditional backend services and blockchain-connected gameplay flows.

Backend & API Security

Our assessment included a detailed review of:

  • Live services infrastructure
  • API endpoint security
  • Data handling and validation mechanisms

We evaluated how sensitive gameplay and asset-related interactions were processed server-side to prevent tampering or improper access.

Multiplayer & Gameplay Validation

In a competitive multiplayer card game, communication integrity is critical.

We assessed:

  • Multiplayer “Mirror Message” communication flows
  • Core gameplay logic validation
  • Registration and authentication processes
  • Tutorial completion logic
  • Dungeon campaign flows (including successful, failed, retry, and consecutive runs)
  • Hero summoning and merging
  • Squad editing and management
  • Voucher conversion mechanisms
  • Item purchase and minting flows

Each system was evaluated for exploit potential, improper validation, or logic weaknesses that could impact progression or asset ownership.

Client & Platform Security

Cyrex also reviewed:

  • Web-based platform components
  • Electron launcher security
  • Unity client implementations

We assessed client-to-server trust boundaries and examined potential manipulation vectors within the launcher and game client.

Load Testing for Scalability

In addition to penetration testing, Cyrex conducted load testing across multiple iterations, simulating tens of thousands of concurrent users.

This validation focused on:

  • Backend service stability under concurrency
  • API performance under sustained demand
  • Gameplay session resilience during peak activity

The objective was to confirm that security hardening did not compromise scalability and that infrastructure could support growing player demand.

The Outcome

Secured Digital Asset Flows & Validated Scalability

  • Identification and remediation of vulnerabilities across blockchain-integrated gameplay flows
  • Reinforced API and backend service validation
  • Hardened client and launcher implementations
  • Confirmed scalability under high concurrency conditions

Client Feedback

Immutable

It was a pleasure working with Cyrex to secure and scale the game. Cyrex earned and retained our trust through their domain expertise and high-quality deliverables, which were on time and on quality.
Immutable