Exploiting Online Games

At RSA last week, there was an interesting panel on hacking games(woot!)  https://news.cnet.com/8301-10797_3-10226485-235.html 

Back in the days of playing Asheron's Call in high school, bots and certain hacks existed to bypass the set rules that the designer tried to put in place.  These were normally done by professional programmers with some spare time at night.  However, a billion dollars a year now exchange hands in online gaming communities.  With this kind of money, I can see some really efficient medium sized corporations spring up to do what amatuer game hackers use to do in the 90s.  I do know about the small shops(normally 1-10 people) that made glider bot and contracted Chinese players.  But what I am imagining soon is the existence of 100+ employee companies that have wow division, everquest division, eve online division, etc.  I can see a whole new industry behind this.

What differentiate online games from normal client/server application is the ratio of the number of attack surfaces in games versus the size of the game.  A game developed by a 30 people team can have as many attack surface as an application pair like exchange/outlook, which I imagine has thousands of people behind.  Attack surface is basically any place where an input is accepted.  Ie if in the game a virtual vendor, or an NPC, can accept items and give players money back.  That interaction there is an attack surface.  What would happen if you give the vendor 2^32-1 sticks?