Munchables, a nonfungible token (NFT) game built on the Ethereum layer-2 blockchain Blast, has recently experienced a significant exploit resulting in a loss of $62 million. The game made an announcement on March 26th at 9:33 pm UTC, stating that it had been compromised and was actively monitoring the exploiter’s actions in an attempt to prevent further transactions. Blockchain analyst ZachXBT responded to the announcement by providing the wallet address of the alleged attacker, which currently holds a balance of $62.45 million in Ether (ETH), according to Blastscan data.
Further investigation revealed that the exploiter interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH, as confirmed by DeBank data. Subsequently, the exploiter transferred $10,700 worth of ETH through the Orbiter Bridge, converting the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a newly created wallet address.
ZachXBT suggested that the exploit was a result of the Munchables team hiring a developer from North Korea known as “Werewolves0943.” In a separate post on March 27th, Solidity developer 0xQuit claimed that the attack on Munchables had been premeditated, with one of the developers modifying the Lock contract shortly before the game’s launch. This modification allowed the attacker to assign themselves a balance of 1,000,000 Ether before the upgrade, despite the existence of checks to prevent such actions.
Munchables is a GameFi app based on Blast, focusing on NFT-based creatures. The game allows players to stake Blast ETH and Blast USD to earn Blast points and unlock additional in-game perks.
Following the exploit, some users, including metaverse adviser Cygaar, called on the Blast team to intervene and roll back the chain to a state before the attack occurred. However, others argued against centralized intervention, emphasizing the importance of decentralized networks. Adam Cochran, a partner at Cinneamhain Ventures, mentioned that Blast intervening would be consistent with their gamified social user experience.
The recent exploit serves as a reminder of the potential risks associated with investing in projects within the NFT and blockchain space. It is crucial for users to exercise caution and conduct thorough research before engaging with such platforms.