Munchables, an NFT game built on the Ethereum layer-2 blockchain Blast, has fallen victim to a $62 million exploit. The incident was announced by Munchables on March 26 at 9:33 pm UTC, with the team stating that they were monitoring the exploiter’s activities and trying to stop the transactions.
Blockchain analyst ZachXBT responded to the announcement by providing the wallet address of the alleged attacker. According to Blastscan data, this wallet currently holds a balance of $62.45 million in Ether (ETH).
Further investigation revealed that the exploiter interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, as shown by DeBank data.
After the exploit, the exploiter’s wallet address transferred $10,700 worth of ETH through the Orbiter Bridge, converting the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a new wallet address.
ZachXBT claimed that the exploit occurred because the Munchables team hired a North Korean developer known as “Werewolves0943.”
In a subsequent post on March 27, Solidity developer 0xQuit alleged that the Munchables attack had been premeditated. According to 0xQuit, one of the developers upgraded the Lock contract, which is designed to lock tokens for a specific period, with a new implementation shortly before the game’s launch.
“Before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether, even though there were checks in place to prevent this,” explained 0xQuit.
“[The] scammer manipulated storage slots manually to give himself a massive Ether balance before changing the contract implementation to make it appear legitimate. He then simply withdrew that balance once the Total Value Locked (TVL) was high enough,” added 0xQuit.
Munchables is a GameFi app on the Blast platform that revolves around NFT-based creatures. Players can stake Blast ETH and Blast USD to earn Blast points and unlock additional perks within the game.
Following the exploit, some users, including metaverse adviser Cygaar, urged the Blast team to roll back the chain to a state before the hack occurred. However, others argued against centralized intervention, as it goes against the principles of decentralized networks. Adam Cochran, a partner at Cinneamhain Ventures, suggested that it would be in line with Blast’s brand to intervene in defense of user experience.
In conclusion, Munchables has experienced a significant exploit, resulting in the loss of $62 million. The Blast team is working to address the situation, while the community debates the appropriate response to the incident.