{"id":17446,"date":"2024-03-27T09:37:18","date_gmt":"2024-03-27T09:37:18","guid":{"rendered":"https:\/\/blocktivists.com\/crypto-game-munchables-faces-an-exploit-worth-62-million-eth-more-within\/"},"modified":"2024-03-27T09:37:18","modified_gmt":"2024-03-27T09:37:18","slug":"crypto-game-munchables-faces-an-exploit-worth-62-million-eth-more-within","status":"publish","type":"post","link":"https:\/\/blocktivists.com\/crypto-game-munchables-faces-an-exploit-worth-62-million-eth-more-within\/","title":{"rendered":"Crypto game ‘Munchables’ faces an exploit worth $62 million ETH, more within"},"content":{"rendered":"
On March 26, the Web3 project and crypto game Munchables suffered a loss of approximately $62.5 million in Ethereum (ETH). The loss resulted from the manipulation of a contract related to the project.<\/p>\n
Munchables acknowledged the compromise in an X-post (formerly Twitter) at 9:33 PM UTC. They confirmed that they were tracking the hacker’s movements and attempting to stop the transactions.<\/p>\n
Blockchain analyst ZachXBT identified a wallet address that allegedly belonged to the attacker. According to DeBank’s data, this address interacted with the Munchables protocol, transferring a total of 17,413 ETH.<\/p>\n
The stolen funds were then laundered via the Orbiter Bridge, converting the Blast ETH back into standard Ethereum before further distributing it to other wallets.<\/p>\n
<\/div>\n
ZachXBT claimed that the perpetrator could be a North Korean developer with the alias \u201cWerewolves0943,\u201d who was hired by the Munchables team.<\/p>\n
However, another X-post, this time on March 27, painted a more sinister picture. According to Solidity developer 0xQuit, the exploit was carefully planned.<\/p>\n
They pointed to a Munchables developer who, shortly before launch, upgraded the Lock contract, which was designed to hold tokens for a certain period of time, to a new version.<\/p>\n
According to 0xQuit, safeguards were in place to prevent withdrawals from exceeding deposits.<\/p>\n
Before the upgrade, the attacker manipulated storage slots to inflate their deposited balance to as much as 1 million ETH.<\/p>\n
0xQuit also stated that the attacker likely used manual manipulation to assign themselves this huge balance before swapping the contract for an apparently legitimate version.<\/p>\n
When the project’s TVL (total value locked) became attractive, they simply withdrew the inflated balance.<\/p>\n
<\/div>\n
However, ZachXBT’s further investigation revealed a connection between four developers who were hired by Munchables and are possibly linked to the exploit.<\/p>\n
These individuals apparently recommended each other for the job, shared deposit addresses for payments, and even funded each other’s wallets, indicating that a single actor is operating under multiple aliases.<\/p>\n
This isn’t the first crypto rodeo for North Korean hackers, as they have been involved in other attacks in the past.<\/p>\n
<\/div>\n
In the aftermath of this attack, the Blast community was divided. Several X users urged the Blast team to intervene by forcibly reverting the blockchain to a point before the exploit.<\/p>\n
However, this proposal has been opposed by others who argue that such centralized intervention undermines the core principles of decentralized networks.<\/p>\n
As a result of these events, outflows on Blast increased dramatically. In addition, the TVL of the protocol also experienced a slight dip. So it remains to be seen whether this exploit will have a significant impact on the Blast network.<\/p>\n
Source: DeFiLlama<\/p>\n<\/div>\n