Munchables, a nonfungible token (NFT) game built on the Ethereum layer-2 blockchain Blast, has fallen victim to a massive exploit, resulting in a loss of $62 million. The incident was announced on March 26 through a post on X at 9:33 pm UTC, where Munchables stated that it was actively monitoring the attacker’s movements and attempting to prevent further transactions.
Blockchain analyst ZachXBT responded to the post by providing the wallet address of the alleged attacker. According to Blastscan data, this wallet currently holds a balance of $62.45 million in Ether (ETH).
Further investigation revealed that the exploiter’s wallet address interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, as reported by DeBank data.
The exploiter then transferred $10,700 worth of ETH through the Orbiter Bridge, converting the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a newly created wallet address.
ZachXBT claimed that the exploit was the result of the Munchables team hiring a North Korean developer known as “Werewolves0943.”
Solidity developer 0xQuit further alleged in a post on March 27 that the Munchables attack had been premeditated. One of the developers had updated the Lock contract, which is responsible for locking tokens for a specific period, with a new implementation shortly before the game’s launch.
According to 0xQuit, there were safeguards in place to prevent users from withdrawing more than they had deposited. However, before the upgrade, the attacker managed to assign themselves a balance of 1,000,000 Ether. Once the total value locked (TVL) reached a significant amount, the attacker simply withdrew the balance.
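A limit on withdrawals is only as trustworthy as the recorded balance it checks against. As an added example (not code from Munchables or from this article), the Python check below reconciles a snapshot of a lock contract's per-account balances against its deposit and withdrawal history and flags balances with no deposits behind them; all addresses, amounts and function names are constructed for illustration.

```python
"""Reconcile a lock contract's recorded balances against its deposit history.

All data below is constructed sample data, not Munchables chain data.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed event history: (kind, account, amount in ETH).
EVENTS = [
    ("deposit", "0xplayerA", Decimal("40")),
    ("deposit", "0xplayerB", Decimal("25")),
    ("withdraw", "0xplayerA", Decimal("10")),
]

# Constructed snapshot of the per-account locked-balance mapping.
# "0xdevwallet" carries a balance with no deposit event behind it.
STORAGE = {
    "0xplayerA": Decimal("30"),
    "0xplayerB": Decimal("25"),
    "0xdevwallet": Decimal("1000000"),
}

CONTRACT_HOLDINGS = Decimal("55")  # ETH actually held by the contract (constructed)


def net_deposits(events):
    """Sum deposits minus withdrawals per account from the event history."""
    net = defaultdict(Decimal)
    for kind, account, amount in events:
        net[account] += amount if kind == "deposit" else -amount
    return net


def unbacked_balances(storage, events):
    """Return {account: excess} where the recorded balance exceeds net deposits."""
    net = net_deposits(events)
    return {a: bal - net[a] for a, bal in storage.items() if bal > net[a]}


def is_solvent(storage, holdings):
    """Invariant: total recorded liabilities must not exceed assets held."""
    return sum(storage.values(), Decimal(0)) <= holdings


if __name__ == "__main__":
    for account, excess in unbacked_balances(STORAGE, EVENTS).items():
        print(f"ALERT unbacked balance: {account} exceeds deposits by {excess} ETH")
    print("solvent:", is_solvent(STORAGE, CONTRACT_HOLDINGS))
```

Running the same reconciliation before and after every implementation upgrade shows whether any balance was written outside the deposit path while the contract still holds little value.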
Munchables is a GameFi app based on the Blast platform, focusing on NFT-based creatures. The protocol allows players to stake Blast ETH and Blast USD (USDB) to earn Blast points and unlock additional in-game perks.
Following the incident, several users, including metaverse adviser Cygaar, have called on the Blast team to roll back the chain to a state prior to the exploit. However, others argue against centralized intervention, as it goes against the principles of decentralized networks.
Adam Cochran, a partner at Cinneamhain Ventures, suggested that it would be consistent with Blast’s brand for them to intervene. However, implementing a rollback would require forcing an invalid state root, potentially halting the entire chain.
In light of these discussions, Cygaar emphasized that intervention by Blast would align with its focus on user experience, as it is a gamified social platform.
In summary, Munchables, a game built on the Blast blockchain, has suffered a $62 million exploit. The attacker manipulated the protocol to assign themselves a significant Ether balance before withdrawing it once the TVL was high enough. Users have called for Blast’s intervention, but whether it should intervene remains under debate.