
Like Web3's "psoriasis" going viral, examining the recently trending xPet project from a security perspective
TechFlow Selected TechFlow Selected

Like Web3's "psoriasis" going viral, examining the recently trending xPet project from a security perspective
A Deep Dive into the Security Risks of the xPet Project
Author: Beosin
Recently, a blockchain game called xPet has rapidly gained popularity on Twitter, with some describing the project as spreading like Web3 "psoriasis" in a viral manner. The number of followers and users has shown rapid growth. xPet is an early-stage project combining gaming and social features, attracting significant user attention within just two weeks of launch. Benefiting from the recovery of the GameFi sector and xPet's mechanism design, xPet currently holds 2,785 ETH (approximately $6.58 million), making it a highly watched project recently.
At the same time, associated security issues cannot be ignored. To help users understand potential risks, today the Beosin security team will conduct a detailed analysis of xPet’s design mechanisms and contract code, revealing existing security vulnerabilities.
xPet Mechanism Analysis
xPet is a pet-themed game built on Arbitrum, combining gameplay elements from Tipcoin and Fren Pet—a previously popular Base chain phenomenon—allowing players to level up and earn rewards by feeding their pets. What differentiates xPet from similar prior projects is that it was launched as a browser extension, requiring Twitter account binding for login, with subsequent in-game reward tasks fully tied to Twitter activities.

Official website: https://www.xpet.tech/
The current gameplay primarily involves feeding pets, upgrading factories, and completing Twitter tasks to obtain treasure boxes. To participate in xPet, users must first upgrade their pets, since only level 7 or higher pets can produce $Berry. $Berry can then be converted into $BPET at the factory for profit. Upgrading pets requires one of two native tokens: $XPET or $BPET. At the start of the game, users need to deposit ETH as collateral to borrow $XPET (which can be converted 1:1 with $BPET) or purchase $XPET from the XPET-ETH liquidity pool. The design of its game economy system is illustrated below:

source: Beosin
xPet Contract Analysis
xPet's main contract is an ERC1967 upgradable proxy contract.
Its proxy contract address is
0x1B0D12879960A768D02bd223ef735D4231a15348,
and its logic contract address is
0xcD4420B70e2669De8dE9d62dd7fEa4D19b320768.
The $XPET token contract address is
0x00cbcf7b3d37844e44b888bc747bdd75fcf4e555
The $BPET token contract address is
0x6daf586b7370b14163171544fca24abcc0862ac5
In this assessment, using Beosin VaaS tool scanning combined with analysis by Beosin security audit experts, we identified the following potential security risks in xPet-related contracts:

Beosin VaaS
xPet Main Contract
The xPet main contract handles the lending logic between ETH and $XPET. However, the main contract is upgradable, and the project team has not open-sourced the logic contract, making it impossible to verify whether there are logical errors or potential risks in the implementation.

Regarding upgradable contract security, Beosin recommends:
1. Initialize Contracts and Dependencies
Developers may forget to initialize contracts and dependencies during deployment, leading to critical vulnerabilities.
2. Watch for Storage Collisions
Modifying storage during contract upgrades may cause storage collisions across versions, where different variables point to the same storage slot, resulting in data corruption and fund loss.
3. Manage Permissions Carefully
Developers should strictly limit upgrade permissions to prevent attackers from gaining control over contract updates.
$XPET Token Contract
The $XPET token contract inherits from ERC20 and AccessControl, presenting the following potential risks:
1. Centralization Risk
The contract assigns administrative roles to the deployer, creating a central point of control. If the deployer's account is compromised, this poses significant risk.
2. Token Accessibility
Since the contract mints all tokens to itself, calling the withdraw and convert functions becomes the only way to distribute tokens, which centralizes token circulation.

3. Missing Events for withdraw and convert Functions
It is recommended to emit events when these functions are called, enabling external monitoring and traceability.
$BPET Token Contract
Similar to the $XPET token contract, single points of failure are non-trivial:
1. Centralization Risk
This token contract sets the deployer as both administrator and minter, concentrating power in a single entity. If the deployer's address is compromised, it could lead to severe security consequences.

2. Unlimited Minting
The convert function imposes no limits on the amount of tokens that can be minted. If the deployer decides to mint excessive amounts and sell them for profit, it could cause a sharp drop in token price.

EagleEye Alert on BPET Minting Risk
3. Role Management
The contract does not implement functionality to revoke or transfer roles. If ownership needs to be transferred or the minter needs to be removed for any reason, this could become a latent security issue.
Other Risks
In addition to smart contract risks, because xPet requires users to post comments containing the word "xPet" on Twitter to receive in-game rewards, a large number of irrelevant replies containing "xpet" have already flooded Twitter, provoking dissatisfaction among many Twitter content creators.
Twitter’s Developer Agreement prohibits the use of Twitter developer products to generate spam. If xPet gets banned by Twitter, its current gameplay would come to a complete halt.

Twitter Developer Policy:
https://developer.twitter.com/en/developer-terms/policy
Summary
The xPet project has not open-sourced its core logic contract, exhibits obvious centralization risks in both token contracts, and lacks special permission restrictions on new token minting. Users should be aware of these risks. Some contract code can be further improved for enhanced security. Previous market cycles have seen repeated waves of enthusiasm around GameFi and SocialFi; users should practice proper fund management and due diligence, participating rationally only after fully understanding the project's risks.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News













