CYREX
Security Testing

Wayfinder

Client: Airship Studios & Digital Extremes

Cyrex partnered with Airship Studios and Digital Extremes to deliver white box penetration testing for Wayfinder, securing backend services, Unreal Engine RPCs, and multiplayer systems ahead of launch.

The Challenge

Securing an Online Adventure RPG Built on Unreal Engine

Wayfinder is an online action RPG released on PC and PlayStation, built around multiplayer gameplay, character progression, dungeons, and live service features. Players interact through party systems, quests, combat mechanics, and in-game purchases — all dependent on secure backend services.

For Airship Studios and Digital Extremes, launch readiness required validating the security of:

  • Backend APIs and live services
  • Multiplayer gameplay logic powered by Unreal Engine RPCs
  • Authentication and registration systems
  • Store purchases and microtransactions
  • Character progression and battle pass mechanics

In multiplayer RPGs, vulnerabilities in RPC handling, server validation, or economy systems can impact fairness, progression, and player trust. The team required a white box penetration testing partner capable of reviewing internal implementations and validating gameplay integrity before release.

The Cyrex Solution

White Box Penetration Testing Across Backend & Multiplayer Systems

Cyrex conducted comprehensive white box penetration testing, analyzing Wayfinder’s architecture with internal visibility into services and gameplay logic.

This allowed our engineers to assess trust boundaries, validation mechanisms, and integration points in depth.

Backend & Multiplayer Security Assessment

Our engagement focused on:

  • Backend services and API endpoints
  • Multiplayer gameplay interactions
  • Unreal Engine Remote Procedure Calls (RPCs)
  • Server-side validation logic

We evaluated whether gameplay actions were properly validated server-side and resistant to client-side tampering. Particular attention was paid to RPC flows to ensure that multiplayer interactions could not be manipulated to gain unfair advantages.

Core Gameplay & Economy Feature Testing

Cyrex extended testing across a broad range of systems critical to progression and player interaction, including:

  • Questing systems
  • Traveling, movement, and physics
  • Authentication and registration
  • Party systems
  • Battle pass progression
  • Character class and tier systems
  • Store purchases and microtransactions
  • Weapon, armor, and skill/ability systems
  • NPC vendor and resource management logic
  • Dungeon gameplay flows
  • Item consumption and cosmetics

Each feature was assessed for improper trust assumptions, validation gaps, or logic vulnerabilities that could impact gameplay integrity.

Server-Side Security Recommendations

Beyond vulnerability identification, Cyrex provided best-practice recommendations to strengthen server-side security controls and reinforce build integrity.

This ensured that remediation aligned with long-term architectural resilience rather than short-term patching.

The Outcome

Secured Multiplayer Systems Before Launch

  • Identification and remediation of vulnerabilities across backend and RPC systems
  • Improved server-side validation of multiplayer interactions
  • Strengthened protection of progression and microtransaction flows
  • Increased launch confidence for the development team

Client Feedback

Digital Extremes

We collaborated with the Cyrex team through two engagements during Wayfinder’s development. Their service was comprehensive, encompassing a thorough analysis of game RPCs and backend services. The Cyrex team effectively validated our work from a security perspective, offering invaluable feedback that allowed us to address security concerns before Wayfinder went live.