Crypto game ‘Munchables’ on Blast exploited for $63M

A new NFT game built on the Ethereum Layer-2 Blast has been exploited for nearly 17,500 ETH.

A nonfungible token (NFT) game called Munchables, built on Ethereum layer-2 blockchain Blast, has suffered a $62 million exploit.

Munchables announced it had been compromised in a March 26 X post at 9:33 pm UTC and said it was tracking the exploiter’s movements and “attempting to stop the transactions.”

d0ca8711 4b91 4e04 92f1 b294cca278d6 d0ca8711 4b91 4e04 92f1 b294cca278d6

Source: ZachXBT

Blockchain analyst ZachXBT responded to the post with the wallet address of the alleged attacker, which currently touts a balance of $62.45 million in Ether per Blastscan data.

The wallet address of the exploiter shows that it interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, per DeBank data

16cdcbbc 96ce 4729 adec 00fab0e569b7 16cdcbbc 96ce 4729 adec 00fab0e569b7

The exploiter address with over 17,400 ETH incoming from Munchables. Source: DeBank

 

The exploiter’s wallet address then transferred $10,700 worth of ETH through the Orbiter Bridge, transferring the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a fresh wallet address.

ZachXBT claimed the exploit stemmed from the Munchables team hiring a North Korean developer known by the alias “Werewolves0943.”

In a March 27 X post, Solidity developer 0xQuit claimed that the Munchables attack had been planned from the outset, with one of the developers upgrading the Lock contract — which is meant to lock tokens in for a specified time — with a new implementation shortly before launch.

“There were appropriate checks to ensure you couldn’t withdraw more than you deposited. But before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether,” 0xQuit explained.

32ead4c8 ec1b 4f95 b888 933548f8c446 32ead4c8 ec1b 4f95 b888 933548f8c446

Source: 0xQuit

 

“[The] scammer used manual manipulation of storage slots to assign himself an enormous Ether balance before changing the contract implementation to one that appears legit. Then he simply withdrew that balance once TVL was juicy enough,” added 0xQuit.

Munchables is a Blast-based GameFi app revolving around NFT-based creatures. The Munchables protocol allows players to stake Blast ETH and Blast USD (USDB) to farm Blast points and unlock added in-game perks.

Several X users including pseudonymous metaverse adviser Cygaar, have called on the Blast team to intervene by forcibly rolling back the chain to before the exploit occurred.

Others pushed back against calls for centralized intervention as it runs against the ethos of decentralized networks — Cinneamhain Ventures partner Adam Cochran argued that it would be “on brand” for Blast to intervene.

“It wouldn’t set a good precedent for future exploits/issues, but it is possible.”
“An invalid state root would need to be forced by the Blast team which would erase the hacked transaction. The chain might need to halt completely to do this,” added Cygaar.

5c49ab8e 3fd7 4bce 8450 2dbfa7265994 5c49ab8e 3fd7 4bce 8450 2dbfa7265994

Source: cygaar

“While I’m strongly against this action on any other chain, I don’t take Blast as a brand of ‘serious decentralization chain’ but instead as a place for games, experiments, degenry, etc.”
“Given that, it doesn’t seem off-brand for them to intervene in defense of user experience. Optimism is ethos alignment, but Blast is gamified social user experience,” Cygaar added.

Leave a Reply

Your email address will not be published. Required fields are marked *

Chatbot AI D2
XX