Token Withdrawal Implementation in GameFi Mobile App
Token withdrawal is the most sensitive operation in GameFi. Player accumulated 500 GOLD tokens in game and wants to withdraw to external wallet. Behind this simple button: game balance verification, transaction signing, protection from cheat clients and bots, gas on mobile.
Why Withdrawal Breaks Most Often
Main risk — double spending. Player initiated withdrawal, transaction stuck in mempool due to low gas, player retried. Server balance already decreased on first request, but tokens never arrived. Or opposite — arrived twice, because idempotency unimplemented.
Solution: nonce system at app level. Each withdrawal request gets unique withdrawalId (UUID). Backend accepts withdrawal only once per withdrawalId. Status: pending → submitted → confirmed / failed. While status pending — retry with same ID returns current status, doesn't create new withdrawal.
// Android: withdrawal states via sealed class
sealed class WithdrawalState {
object Idle : WithdrawalState()
data class Pending(val withdrawalId: String) : WithdrawalState()
data class Submitted(val txHash: String) : WithdrawalState()
data class Confirmed(val txHash: String, val amount: BigDecimal) : WithdrawalState()
data class Failed(val reason: String) : WithdrawalState()
}
class WithdrawViewModel(private val repository: WithdrawRepository) : ViewModel() {
private val _state = MutableStateFlow<WithdrawalState>(WithdrawalState.Idle)
val state: StateFlow<WithdrawalState> = _state
fun initiateWithdraw(amount: BigDecimal, toAddress: String) {
viewModelScope.launch {
val withdrawalId = UUID.randomUUID().toString()
_state.emit(WithdrawalState.Pending(withdrawalId))
try {
val result = repository.createWithdrawal(withdrawalId, amount, toAddress)
_state.emit(WithdrawalState.Submitted(result.txHash))
pollConfirmation(result.txHash)
} catch (e: Exception) {
_state.emit(WithdrawalState.Failed(e.message ?: "Unknown error"))
}
}
}
}
Server-side Game Balance Verification
Mobile client never source of truth about balance. Balance stored on server, all game logic server-side. Withdrawal request contains amount, server verifies: enough tokens, no active cooldown (e.g., 24 hours between withdrawals), account not banned.
After successful verification — server either mints tokens to player wallet (if centralized mint) or signs withdrawal voucher that player presents to smart contract.
Withdrawal Voucher Pattern
// Player presents server-signed voucher
contract GameTokenBridge {
address public signer; // backend server
function withdraw(
uint256 amount,
uint256 nonce,
bytes memory signature
) external {
bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount, nonce));
bytes32 ethHash = hash.toEthSignedMessageHash();
require(ethHash.recover(signature) == signer, "Invalid signature");
require(!usedNonces[nonce], "Nonce already used");
usedNonces[nonce] = true;
_mint(msg.sender, amount);
}
}
Server signs voucher with private key (signer). Contract checks signature. Means: without server signature nobody can withdraw tokens — protection from smart contract exploits.
Wallet and Transaction Signing on Mobile
For GameFi with mass audience — Account Abstraction (ERC-4337). Player doesn't manage seed phrase; app creates smart account via Biconomy SDK or ZeroDev. Transaction signing — via Face ID / Touch ID, not seed phrase. Gas sponsored by Paymaster.
For advanced users — external wallet support via WalletConnect v2: Deep Link opens MetaMask/Trust Wallet, user confirms transaction there.
Fees and Gas
Show user:
- How many tokens received (amount - fee)
- Current gas cost in USD
- Expected confirmation time
Minimum withdrawal threshold — mandatory parameter. Withdrawing 0.01 GOLD at $0.50 gas pointless. Show warning if fee > 10% of withdrawal amount.
Bot Protection
Cooldown between withdrawals, daily/weekly amount limits, check account for suspicious activity (too many tokens in short time — cheat sign). Device fingerprinting via DeviceCheck (iOS) or Play Integrity API (Android) — verify request from real device, not emulator/script.
Timeline
2–3 weeks for withdrawal with voucher pattern, idempotency and UI. With Account Abstraction and Paymaster — plus one week. Cost calculated individually after requirements analysis.