Munchables, a nonfungible token (NFT) game running on the Ethereum layer-2 blockchain Blast, has fallen victim to a $62 million exploit.
The breach was announced by Munchables in a post on March 26 at 9:33 pm UTC, where they stated they were actively monitoring the exploiter’s actions and attempting to halt the transactions.
Blockchain analyst ZachXBT responded to the post by revealing the wallet address of the alleged attacker, which currently holds a balance of $62.45 million in ETH, according to Blastscan.
Exploiter address 17.4K ETH ($62.5M)
0x6e8836f050a315611208a5cd7e228701563d09c5
— ZachXBT (@zachxbt) March 26, 2024
Records show that the exploiter’s wallet interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, as per DeBank data.
Following the exploit, the attacker’s wallet transferred $10,700 worth of ETH through the Orbiter Bridge, converting Blast ETH back into native ETH. Subsequently, at 10:05 pm UTC, the wallet sent an additional 1 ETH to a new wallet address.
ZachXBT suggested that the exploit may have originated from the Munchables team hiring a developer from North Korea under the alias “Werewolves0943.”
In a post on March 27, Solidity developer 0xQuit alleged that the Munchables attack was premeditated: one of the developers had upgraded the Lock contract, which is intended to lock tokens for a specified period, shortly before launch.
According to 0xQuit, the scammer manipulated storage slots to assign themselves a massive Ether balance before updating the contract to one that appeared legitimate, allowing them to withdraw the balance once the Total Value Locked (TVL) was high enough.
The Munchables exploit has been planned since deploy.
Munchables is a dangerously upgradeable proxy, and it has been upgraded.
Instead of upgrading from a benign implementation to a malicious one, they did the reverse here
1/🧵
— quit.q00t.eth (👀,🦄) (@0xQuit) March 26, 2024
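The pattern described above (a balance planted in storage behind an upgradeable proxy, then honoured out of other users' deposits once TVL was high enough) is what a reconciliation check catches: stored balances are compared against the deposit history, and implementation swaps that preceded any user funds are surfaced for review. The following is an added example, not Munchables or Blast code; the event log, the storage snapshot and the "0x..." labels are constructed.

```python
"""Reconcile a lock contract's stored balances against its deposit history.
Added example, not Munchables code; the event log and storage snapshot are
constructed, amounts in wei (1 ETH = 10**18 wei)."""
from collections import defaultdict

ETH = 10**18

# Constructed event log in block order: (block, kind, account, amount_wei).
# "Upgraded" rows carry the new implementation address in the account field.
EVENTS = [
    (100, "Upgraded", "0xImplA", 0),
    (105, "Upgraded", "0xImplB", 0),  # swapped before any user funds arrived
    (200, "Deposit", "0xalice", 5 * ETH),
    (210, "Deposit", "0xbob", 3 * ETH),
    (220, "Withdraw", "0xalice", 1 * ETH),
]

# Constructed snapshot of the balances mapping as read from the proxy's storage.
STORAGE_BALANCES = {
    "0xalice": 4 * ETH,
    "0xbob": 3 * ETH,
    "0xmallory": 17413 * ETH,  # no deposit ever backed this entry
}

def net_deposits(events):
    """Per-account balance implied by Deposit/Withdraw events alone."""
    net = defaultdict(int)
    for _, kind, account, amount in events:
        if kind == "Deposit":
            net[account] += amount
        elif kind == "Withdraw":
            net[account] -= amount
    return dict(net)

def unbacked_balances(storage, events):
    """Accounts whose stored balance exceeds what their deposits justify."""
    net = net_deposits(events)
    return {a: b - net.get(a, 0) for a, b in storage.items() if b > net.get(a, 0)}

def solvency_gap(storage, events):
    """(claimed, held, gap): a positive gap can only be paid out of other
    users' deposits, i.e. once TVL is high enough."""
    claimed = sum(storage.values())
    held = sum(net_deposits(events).values())
    return claimed, held, max(claimed - held, 0)

def upgrades_before_first_deposit(events):
    """Implementation swaps that happened before any user funds entered."""
    first = next((b for b, k, _, _ in events if k == "Deposit"), None)
    return [a for b, k, a, _ in events if k == "Upgraded" and (first is None or b < first)]
```

Run against a real deployment, the event list would come from the proxy's Deposit/Withdraw/Upgraded logs and the snapshot from reading the balances mapping slots at a chosen block; an upgrade before the first deposit is not proof of anything by itself, but it is the point in the history a reviewer should diff.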
Munchables is a GameFi app on the Blast blockchain that revolves around NFT-based creatures. The protocol enables players to stake Blast ETH and Blast USD to earn Blast points and unlock additional in-game benefits.
Various users, including metaverse adviser Cygaar, have urged the Blast team to intervene by rolling back the chain to a state prior to the exploit.
Technically, the Blast team could recover the $62m lost in the Munchables exploit since they control the bridge contract that holds the bridged ETH/stETH.
It wouldn't set a good precedent for future exploits/issues, but it is possible.
An invalid state root would need to be…
— cygaar (@0xCygaar) March 26, 2024
While some argue against centralized intervention, Adam Cochran from Cinneamhain Ventures suggests that given Blast’s nature as a gaming and experimental platform, intervention might align with its brand ethos. Cochran emphasizes Blast’s focus on gamified social user experiences rather than strict decentralization.
Will be a weird take coming from me, but feels like Blast multisig should roll it back.
While I’m strongly against this action on any other chain, I don’t take Blast as a brand of “serious decentralization chain” but instead as a place for games, experiments, degenry, etc
Given… https://t.co/gCKadY4VJL
— Adam Cochran (adamscochran.eth) (@adamscochran) March 26, 2024
The incident has sparked debates within the community about the balance between intervention and decentralization, highlighting the challenges faced by platforms like Blast in maintaining user trust and security.