Crypto game ‘Munchables’ on Blast exploited for $63M

A nonfungible token (NFT) game called Munchables, built on Ethereum layer-2 blockchain Blast, has suffered a $62 million exploit. 

Munchables announced it had been compromised in a March 26 X post at 9:33 pm UTC and said it was tracking the exploiter’s movements and “attempting to stop the transactions.”

Source: ZachXBT

Blockchain analyst ZachXBT responded to the post with the wallet address of the alleged attacker, which currently touts a balance of $62.45 million in Ether (ETH), per Blastscan data

The wallet address of the exploiter shows that it interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, per DeBank data

The exploiter address with over 17,400 ETH incoming from Munchables. Source: DeBank

The exploiter’s wallet address then transferred $10,700 worth of ETH through the Orbiter Bridge, transferring the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a fresh wallet address

ZachXBT claimed the exploit stemmed from the Munchables team hiring a North Korean developer known by the alias “Werewolves0943.” 

In a March 27 X post, Solidity developer 0xQuit claimed that the Munchables attack had been planned from the outset, with one of the developers upgrading the Lock contract — which is meant to lock tokens in for a specified time — with a new implementation shortly before launch. 

“There were appropriate checks to ensure you couldn’t withdraw more than you deposited. But before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether,” 0xQuit explained.

Source: 0xQuit

“[The] scammer used manual manipulation of storage slots to assign himself an enormous Ether balance before changing the contract implementation to one that appears legit. Then he simply withdrew that balance once TVL was juicy enough,” added 0xQuit. 

Munchables is a Blast-based GameFi app revolving around NFT-based creatures. The Munchables protocol allows players to stake Blast ETH and Blast USD (USDB) to farm Blast points and unlock added in-game perks. 

Related: Blast launches Ethereum L2 mainnet unlocking $2.3B in staked crypto

Several X users including pseudonymous metaverse adviser Cygaar, have called on the Blast team to intervene by forcibly rolling back the chain to before the exploit occurred.

Others pushed back against calls for centralized intervention as it runs against the ethos of decentralized networks — Cinneamhain Ventures partner Adam Cochran argued that it would be “on brand” for Blast to intervene. 

“It wouldn’t set a good precedent for future exploits/issues, but it is possible.”

“An invalid state root would need to be forced by the Blast team which would erase the hacked transaction. The chain might need to halt completely to do this,” added Cygaar.

Source: cygaar

“While I’m strongly against this action on any other chain, I don’t take Blast as a brand of ‘serious decentralization chain’ but instead as a place for games, experiments, degenry, etc.”

“Given that, it doesn’t seem off-brand for them to intervene in defense of user experience. Optimism is ethos alignment, but Blast is gamified social user experience,” Cygaar added.

Magazine: 5 dangers to beware when apeing into Solana memecoins