Security

Architecture Overview

Price Play uses a multi-layered security architecture designed to protect user funds and ensure fair gameplay.


Security Layers

Layer 1: Frontend Protection

Measure                 Purpose
Input Sanitization      Prevents injection attacks
Rate Limiting           Prevents spam and abuse
TWAP Resolution         Prevents price manipulation

Layer 2: Backend Protection

Measure                 Purpose
JWT Authentication      Verifies user identity
Row Level Security      Database access control
Atomic Transactions     Prevents race conditions

Layer 3: Blockchain Protection

Measure                 Purpose
Signature Verification  Only authorized withdrawals
Nonce Tracking          Prevents replay attacks
Reentrancy Guards       Prevents reentrancy attacks

Layer 4: Key Management

Measure                 Purpose
Turnkey MPC             Secure key storage
No Exposed Keys         Private keys never leave enclave


Turnkey Integration

Private keys for signing withdrawals are secured using Turnkey MPC (Multi-Party Computation).

What this means:

  • Private keys are generated inside a secure enclave

  • Keys cannot be exported — not even by us

  • All signing happens via API within the secure environment

  • No single person has access to the full key

This is the same technology used by major institutional custodians.


Anti-Exploit Measures

Front-Running Prevention

Bets are resolved using TWAP (Time-Weighted Average Price) — the average of the last 10 price updates.

This makes it impossible to:

  • Manipulate the final price with a single large trade

  • Front-run results by predicting exact closing price

Timing Attack Prevention

Bets placed within 500ms of phase end are rejected.

This prevents:

  • Last-second betting after seeing the direction

  • Exploiting network latency advantages

Multiplier Integrity

The server independently calculates multipliers and rejects any manipulated values from the client.

Double-Spend Prevention

A pending bet lock prevents the same bet from being submitted multiple times.

Balance Protection

All balance operations use database-level row locks (FOR UPDATE) to prevent race conditions.


Smart Contract Security

Checks-Effects-Interactions Pattern

State changes happen before external calls, preventing reentrancy attacks.

Nonce System

Each withdrawal requires a unique nonce. Once used, the nonce is marked and cannot be reused.

Signature Expiry

Withdrawal signatures expire after 15 minutes, limiting the exposure window.

Chain ID Binding

Signatures include the chain ID, preventing them from being replayed on other networks.

Pausable

In case of emergency, the contract can be paused to stop all operations.
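As an added example (not Price Play's own contract code), a minimal Solidity vault that combines the mechanisms in this section: checks-effects-interactions, a reentrancy guard, a one-time nonce, an expiry timestamp, chain ID binding and a pause switch. The digest layout, the signer address and the assumption that the backend signer sets the expiry (the 15-minute window) are illustrative choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault, not Price Play's deployed contract. A withdrawal is authorised
// by an off-chain signer and bound to this chain, this contract, the recipient,
// the amount, a one-time nonce and an expiry timestamp.
contract WithdrawalVault {
    address public immutable signer;  // backend signing key (e.g. held in Turnkey)
    address public immutable owner;
    bool public paused;
    bool private locked;              // reentrancy guard flag
    mapping(uint256 => bool) public usedNonces;
    constructor(address _signer) { signer = _signer; owner = msg.sender; }
    receive() external payable {}
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    // Emergency stop: blocks withdrawals until the owner unpauses.
    function setPaused(bool p) external { require(msg.sender == owner, "not owner"); paused = p; }

    function withdraw(uint256 amount, uint256 nonce, uint256 expiry, bytes calldata sig)
        external nonReentrant
    {
        // Checks: pause flag, expiry, nonce, then the signature itself.
        require(!paused, "paused");
        require(block.timestamp <= expiry, "signature expired");
        require(!usedNonces[nonce], "nonce already used");
        // block.chainid and address(this) in the digest stop cross-chain / cross-contract replay.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(block.chainid, address(this), msg.sender, amount, nonce, expiry))
        ));
        require(_recover(digest, sig) == signer, "invalid signature");
        // Effects: consume the nonce before any external call.
        usedNonces[nonce] = true;
        // Interactions: the value transfer comes last.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        (bytes32 r, bytes32 s, uint8 v) = (bytes32(sig[0:32]), bytes32(sig[32:64]), uint8(sig[64]));
        address a = ecrecover(digest, v < 27 ? v + 27 : v, r, s);
        require(a != address(0), "ecrecover failed");
        return a;
    }
}
```

Because the nonce is marked used before the transfer, a reentrant call or a malleable copy of the same signature fails the nonce check even without the guard; the guard is defence in depth.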


Best Practices for Users

  1. Verify contract address — Always check the official address before depositing

  2. Use hardware wallet — For large amounts, consider a hardware wallet

  3. Check transaction details — Review all transactions before signing

  4. Report issues — If you notice anything suspicious, contact us immediately


Responsible Disclosure

If you discover a security vulnerability:

  1. Do not exploit it

  2. Contact us via Twitter DM: @PricePlayonBSC

  3. Allow reasonable time for us to address the issue

  4. We may offer a bounty for valid reports


Audits

Component        Status
Smart Contract   Source verified on BscScan
Backend          Internal security review
Turnkey          SOC 2 compliant provider
