
On the 17th of November, ArenaNet - the developer of an MMO game Guild Wars 2 - changed their payment provider for in-game purchases. Whether the change was for the better or worse is to be discussed, yet, I wanted to buy some gems (premium currency) to spend on cool items in the store. Having tried my usual payment method that turned out broken, I started exploring the new UI.

New payment UI

One of the options hidden under “Other” is Paysafecard. In this method, a customer first purchases a pre-paid code with usual means like credit card, cash etc., and then - during checkout - is redirected to the Paysafecard website where the code can be entered. The funds are then deducted from a virtual account represented by the code.

The game makes it possible to finish this flow in a single window because it’s using an embedded browser to display this whole UI.

Paysafecard option

At some point when clicking through the Paysafecard interface, I noticed my account now had an extra 1600 gems. But I didn’t make any transaction?!

Digging deeper, after retracing my steps I realized backing out of the Paysafecard UI using the blue “X” button, without paying, resulted in the chosen amount of gems being added to my account. I now had 3200 gems.

I'm rich, you know

At first I thought it was just a visual bug - the balance will surely reset back to normal after I reopen the trading UI or restart the game, right? Or so I was thinking, until the emails arrived.

Email purchase confirmation, but I didn't pay

(note the highlight revealing black text on black background)

At this point I was facing a pretty serious vulnerability where anyone could get an endless amount of free premium currency, limited only by how fast they could click through the UI. Since the game also lets players convert premium currency to in-game gold, the impact this bug could have had if exploited by a malicious actor would have been insane.

In fact, a competing MMO from Amazon has been facing these issues recently, where gold duplication exploits have destroyed the in-game economy and led many people to quit. So I did the responsible thing and went to report it.

ArenaNet can't be messaged

Getting ahold of a live human at ArenaNet proved difficult. My first thought was to try exploits@arena.net, but that only led me to discover it had been disabled. I submitted a support ticket instead (as advised in the post) and, with a healthy dose of skepticism, waited.

Support ticket

About 30 minutes after my report, the payment UI went down briefly and then came back up again. I didn’t retry the exploit for obvious reasons. Two hours later I got a reply confirming that the issue had been fixed. The exact timestamp of the response below is 2021-11-19T22:36:38Z.

Ticket reply - issue fixed


How many players exactly have taken advantage of this bug? Only ArenaNet knows. The root cause? Not given, but I suspect a developer left a debug condition in the code and it somehow made it into the live build. Like this:

if (paymentSuccess || true) handleAddGems();
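To make the suspected failure mode concrete, here is an added example (not ArenaNet's code, and the root cause above is only a guess) contrasting a return-from-provider handler that credits gems based on client-side state with one that asks the payment provider for the transaction status server-side and credits each transaction at most once. The provider ledger and transaction ids are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    gems: int = 0
    credited_txns: set = field(default_factory=set)  # transaction ids already paid out

# Constructed stand-in for a server-to-server status lookup at the payment provider.
# In a real integration this is an authenticated API call to the provider,
# never a value that came back through the player's browser.
PROVIDER_LEDGER = {
    "txn-paid-001": {"status": "SUCCESS", "amount_gems": 1600},
    "txn-cancelled-002": {"status": "CANCELLED", "amount_gems": 1600},
}

def lookup_provider_status(txn_id):
    return PROVIDER_LEDGER.get(txn_id)

def credit_on_return_unsafe(account, amount_gems, client_says_success):
    """The pattern suspected in the post: whatever the embedded browser reports
    when the player comes back from the provider page decides the payout, and a
    leftover debug condition makes even that check irrelevant."""
    if client_says_success or True:   # the `|| true` from the post
        account.gems += amount_gems
    return account.gems

def credit_after_verification(account, txn_id):
    """Hardened version: the server asks the provider whether this transaction
    really succeeded, and a transaction id can only ever be credited once, so
    backing out of the provider UI (or replaying the return URL) pays nothing."""
    if txn_id in account.credited_txns:
        return account.gems, "already-credited"
    record = lookup_provider_status(txn_id)
    if record is None or record["status"] != "SUCCESS":
        return account.gems, "not-paid"
    account.credited_txns.add(txn_id)
    account.gems += record["amount_gems"]
    return account.gems, "credited"
```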

What I do know is that ArenaNet let me keep half of the free gems, worth $20. So I guess I can put that towards my lifetime bug bounty stat. It’s now at… $20. Progress!

But hey, at least I got chicken won’t be getting banned for fraud, so that’s a plus?