The gold exploit of Diablo III

April, 2021 · 5 min read

On May 7, 2013, the developers behind a multiplayer online game released an update. Like the dozen updates leading up to this one, it was supposed to be business as usual.

Hours later, the game’s economy was in shambles. Due to an integer overflow, cheaters were generating billions of gold, while opportunists cashed in on the surging prices.

What was the chain of events leading up to this exploit? How did it work, and what was the aftermath?

A turbulent start

In 2008, Blizzard Entertainment, a revered developer with iconic games under their belt, announced they were working on Diablo III. In this game, you fight monsters, becoming more powerful as you level up. The anticipation was sky-high.

Engaging monsters as a Barbarian, one of the character classes in Diablo III.

Four years later, in 2012, the game released to record-breaking sales. The launch itself, however, was disastrous. Blizzard had controversially designed the game to require an online connection. As the login servers overloaded, millions of players experienced difficulties playing the game.

Real-Money Auction House

While anti-piracy and anti-cheat were among the main incentives for making the game online-only, another driver was the Real-Money Auction House (RMAH).

Diablo allows you to trade with other players. Thus there’s a demand for buying virtual items and in-game currency for real money. Its predecessor lacked support for such transactions, leaving you to third-party websites and chat rooms. All exchanges involved considerable risk, as someone had to keep their side of the bargain first.

To solve that challenge, Blizzard launched the RMAH, brokering trades involving real money. It was a significant revenue stream for them, charging up to 15% in transaction fees and another 15% on withdrawing your funds.

An early version of the Real-Money Auction House.

Caused by inflation, exacerbating inflation

The RMAH enforced limits. You couldn’t sell an item for more than $250, and there was a $0.25 price floor. You traded gold in stacks of 100,000, where each stack was subject to the price floor. The total couldn’t go above $250. Due to these constraints, you could put up at most 100 million gold in one listing.

An online game’s currency tends to devalue as time goes on. Monsters drop gold in Diablo when you kill them, akin to printing $100 bills en masse. If the game lacks enticing ways for players to spend money that remove it from circulation, inflation will occur. Making matters worse, a viable business at that time was to run bots — software that can automatically play the game — all day long to farm gold.

The value of gold plummeted, falling well below the artificial price floor. Players now had to return to the black market. In response, a mere month after the release of the RMAH, Blizzard increased the size of each stack tenfold.

Gold continued to devalue. After eight months, Blizzard rolled out yet another update. You could now sell as much as 10 million gold for $0.25, meaning a single listing for $250 could contain as much as 10 billion gold.

After launch, one player listed 6 billion gold for sale. The auction showed up as 1.7. Looking at their inventory in horror, they breathed a sigh of relief as, indeed, the game had only removed 1.7 billion. After canceling the auction, they found themselves in yet another emotional state: the game returned 6 billion — 4.3 billion had appeared out of thin air!

Integer overflow

What happened?

Games where performance is critical, like Diablo III, are written in C++. When storing a number in a variable, you specify the number of bits you need and whether it’s signed.

An 8-bit integer can represent a value from 0 to 255 if it’s unsigned. If the value ends up outside the range, it will wrap and start from 0 again. For a signed 8-bit integer, you can store values from -128 to 127. Adding 1 to 127 will make the value flip to -128 (generally), and subtracting 1 from -128 (or adding 129 to 127) will cause the value to start from 0 again.

When 6 billion gold was listed for sale, Diablo III likely stored the amount to deduct as a 32-bit signed integer. We can also infer that the code handling cancelations worked differently, as the game returned the correct amount. A plausible explanation is that it added back your gold stack by stack, therefore unaffected by any integer overflows.

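#include <cstdint>
#include <iostream>

using namespace std;

const int32_t GOLD_PER_STACK = 10000000;
int32_t numberOfStacks = 600;

int64_t goldInInventory = 10000000000;

int main()
{
    cout << goldInInventory << "\n";

    // Listing: both operands are 32-bit, so the product is computed in
    // 32 bits and overflows before it is widened to 64 bits. Signed overflow
    // is formally undefined behaviour; typical compilers wrap, as shown below.
    goldInInventory -= numberOfStacks * GOLD_PER_STACK;

    cout << goldInInventory << "\n";

    // Cancelation: gold is returned stack by stack in 64 bits, so no overflow.
    for (int i = 0; i < numberOfStacks; i++) {
      goldInInventory += GOLD_PER_STACK;
    }

    cout << goldInInventory;
}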

/*
    10000000000 (Initial gold)
     8294967296 (After listing)
    14294967296 (After cancelation)
*/
What the code causing the integer overflow might’ve looked like in C++.

If the game indeed had used a signed integer, you could’ve started generating gold as soon as you had 2147483648 on hand, amusingly getting gold both for creating and canceling the auction.
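The sketch below is an added example, not code from Blizzard or from the original article. It first reproduces the 32-bit truncation with well-defined unsigned arithmetic, then shows a listing routine that range-checks the stack count, multiplies in 64 bits, and refunds exactly the amount it recorded at creation. All names are hypothetical, the constants are the ones quoted above, and a single open listing per account is assumed.

```cpp
#include <cstdint>
#include <iostream>

// Added example; all names are hypothetical. Constants come from the article.
constexpr int64_t GOLD_PER_STACK = 10'000'000;  // stack size after the update
constexpr int64_t MAX_STACKS = 1000;            // $250 cap / $0.25 per stack

// What a 32-bit product holds. Unsigned multiplication wraps by definition,
// so this reproduces the truncation without relying on signed overflow (UB).
int32_t truncatedTo32(int64_t stacks) {
    uint32_t wrapped = static_cast<uint32_t>(stacks) *
                       static_cast<uint32_t>(GOLD_PER_STACK);
    return static_cast<int32_t>(wrapped);
}

struct Account {
    int64_t gold;
    int64_t escrow;  // gold held by the open listing (assumption: one at a time)
};

// Range-check first, then multiply in 64 bits: at most 1000 * 10^7 = 10^10.
bool createListing(Account& account, int64_t stacks) {
    if (account.escrow != 0) return false;  // a listing is already open
    if (stacks <= 0 || stacks > MAX_STACKS) return false;
    int64_t amount = stacks * GOLD_PER_STACK;
    if (amount > account.gold) return false;
    account.gold -= amount;
    account.escrow = amount;  // record exactly what was deducted
    return true;
}

// Refund the recorded amount instead of recomputing it by another code path,
// so creating and canceling can never disagree.
void cancelListing(Account& account) {
    account.gold += account.escrow;
    account.escrow = 0;
}

int main() {
    std::cout << truncatedTo32(600) << "\n";  // 600 stacks = 6 billion gold
    std::cout << truncatedTo32(215) << "\n";  // 215 stacks = just over 2^31 gold
    Account account{10'000'000'000, 0};
    createListing(account, 600);
    std::cout << account.gold << "\n";  // after listing
    cancelListing(account);
    std::cout << account.gold << "\n";  // after cancelation
}
```

The second truncated value is negative, which is the case the paragraph above describes: deducting a negative amount adds gold at creation as well.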

Aftermath

Billions flowed into the game as the cheaters snatched up anything of value. Dedicated players who had saved up in the hopes of upgrading their equipment found that all their gold was now worthless.

Later that day, Blizzard suspended the RMAH. Identifying the source of all this money was trivial, but how do you deal with the fallout? Do you reset everyone’s progress, causing massive collateral damage? Or do you painstakingly audit all the transactions? The dirty gold was now everywhere, laundered, and in the process of being converted to and paid out as real money.

Blizzard chose the latter option. Fortunately, the update dropped on a Tuesday and was limited to only one of Blizzard’s three regions. Over the coming days, they suspended accounts, issued bans, and made refunds. They also capped the maximum amount of gold in a single listing at 2 billion as the RMAH resumed operations.

On March 18, 2014, less than two years after its opening, they removed the RMAH from the game. By then, the stack size had grown from 100,000 to 50,000,000.

Thoughts

One could argue that a straightforward exploit like this shouldn’t have slipped into production. The mere possibility of it, however, is understandable. As Blizzard was developing the RMAH, no one imagined handling the values it eventually did (the stack size was once 1000, seen in beta screenshots). While Blizzard does conduct public tests, where players likely would’ve found this particular issue, the RMAH was never a part of their Public Test Realm.

References

The following pages report on and discuss the exploit, botting and inflation, as well as the aftermath: