Munchables: Unraveling the $62.5M Exploit
Discover How a Rogue Developer Orchestrated a $62.5M Exploit on Munchables, the Vigilante Justice That Foiled the Plan, and the Lessons Learned for Strengthening DeFi Security and Trust in the Blockchain Community
TL;DR
Lost in a whirlwind of crypto chaos, Munchables became the unexpected centerpiece of a high-stakes drama when a rogue developer attempted to turn their munchies into lunch money. With rumors swirling and ZachXBT on the offensive, will Blast weather the storm, or face further exploits?
In a staggering turn of events, Munchables lost $62.5 million to an exploit carried out by a rogue developer. The compromise was discovered on March 26, and the Munchables team moved quickly to track the stolen funds and attempt to halt the transactions.
Munchables has been compromised. We are tracking movements and attempting to stop the transactions. We will update as soon as we know more.
— Munchables (@_munchables_)
9:37 PM • Mar 26, 2024
Speculation emerged within the Web3 security circles suggesting that Munchables may have unwittingly employed a North Korean developer who failed to relinquish control of the smart contracts.
In a decisive move, ZachXBT took the offensive against the rogue developer, potentially averting further damage to Munchables and its stakeholders. Notably, this incident marks the second attack on a Blast protocol within a week, with Super Sushi Samurai falling victim just days earlier, losing $4.8 million.
The recurrent breaches underscore the challenges faced by Blast, a burgeoning blockchain network grappling with rapid growth, having amassed a staggering $1.24 billion Total Value Locked (TVL), surpassing even Avalanche. The question now looms: will Blast sustain its upward trajectory, or will continued vulnerabilities jeopardize the trust and stability of the entire ecosystem?
The Munchables exploit, culminating in a staggering $62.5 million loss, appears to have been meticulously orchestrated by a rogue developer from the project's inception. Detailed investigation by quit.q00t.eth uncovered that the Munchables contract was a perilously upgradeable proxy, initially upgraded from an unverified implementation address.
While the proxy still pointed at that unverified implementation, the attacker wrote directly to the contract's storage slots, recording a deposited balance of 1,000,000 Ether for their own address. The proxy was then upgraded to a new implementation that looked legitimate and included the proper checks to stop users from withdrawing more than they had deposited. The fabricated balance survived the upgrade untouched, because a proxy upgrade swaps the code but leaves storage in place. Once the Total Value Locked (TVL) was high enough to be worth taking, the attacker simply withdrew against that balance.
Attacker address: 0x6e8836f050a315611208a5cd7e228701563d09c5
Upgrade transaction (March 21): 0xea1d9c0d8de4280b538b6fe6dbc3636602075184651dfeb837cb03f8a19ffc4f
In a surprising turn of events, a few hours after the attack, ZachXBT identified the rogue developer.
Further investigation revealed that four developers hired by the Munchables team and linked to the exploiter were likely the same person. These individuals recommended each other for the job, regularly transferred payments to the same two exchange deposit addresses, and funded each other's wallets.
GitHub usernames:
- NelsonMurua913
- Werewolves0493 (No longer active)
- BrightDragon0719 (No longer active)
- Super1114
Payment Addresses:
- 0x4890e32a6A631Ba451b7823dAd39E88614f59C97
- 0x6BE96b68A46879305c905CcAFFF02B2519E78055
- 0x9976Fe30DAc6063666eEA87133dFad1d5ec27c5E
Exchange Deposit Addresses:
- 0x84e86b461a3063ad255575b30756bdc4d051a04b
- 0xe362130d4718dc9f86c802ca17fe94041f1cfc77
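The inference above, that several developer identities are one person, rests on two classic on-chain heuristics: wallets that fund each other are linked, and wallets that pay into the same exchange deposit address are linked. The snippet below is an added illustration of that clustering step and is not ZachXBT's tooling; the transfer edges are constructed with placeholder labels rather than the real addresses listed above, and the exchange deposit addresses are deliberately kept out of the clusters because they belong to the exchange, not to a user.

```python
"""Common-counterparty clustering of wallet identities (added example).

Edges are constructed for illustration. Two edge kinds:
  ("a", "b", "funded")  - wallet a sent funds directly to wallet b
  ("a", "x", "deposit") - wallet a paid into exchange deposit address x
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]

SAMPLE_EDGES: List[Edge] = [
    ("dev_a", "exchange_dep_1", "deposit"),
    ("dev_b", "exchange_dep_1", "deposit"),   # shared deposit address with dev_a
    ("dev_b", "dev_c", "funded"),             # dev_b funded dev_c's wallet
    ("outsider", "exchange_dep_2", "deposit"),
]


def cluster_identities(edges: List[Edge]) -> List[List[str]]:
    """Union-find over funding links and shared exchange deposit addresses."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    payers_by_deposit: Dict[str, List[str]] = defaultdict(list)
    for src, dst, kind in edges:
        parent.setdefault(src, src)
        if kind == "funded":
            parent.setdefault(dst, dst)
            union(src, dst)
        elif kind == "deposit":
            # exchange deposit addresses are custodial; never merge them into a user cluster
            payers_by_deposit[dst].append(src)
        else:
            raise ValueError(f"unknown edge kind {kind!r}")

    for payers in payers_by_deposit.values():
        for other in payers[1:]:
            union(payers[0], other)

    clusters: Dict[str, set] = defaultdict(set)
    for node in parent:
        clusters[find(node)].add(node)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for c in cluster_identities(SAMPLE_EDGES):
        print(c)
```

A shared deposit address is a lead, not proof: custodial services sometimes reuse deposit addresses across customers, so an investigator corroborates the cluster with independent signals, which here were the mutual job referrals and the matching payment flows.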
Just 11 minutes later, Munchables announced that the developer had agreed to share the keys to the full Munchables funds without any conditions. According to Duo Nine, ZachXBT's intervention had intimidated the rogue developer into returning the keys.
Approximately $60.5 million was transferred back to Munchables in three transactions:
Transaction 1: 0x69f271f90204ae993200f54676c922fe5ee3e5020a16ae34f589f52d923857f1
Transaction 2: 0x381d57aa2d959ff9580ad61cc6549ae3c026eed9ee5b2ea10f9601a186c49a13
Transaction 3: 0x62a148877957cbf1ae89cafa144496d99239ee900a3b90194249e6baaa3ddc2f
Pacman later reported that the funds had been secured in a multisig wallet by Blast core contributors. He acknowledged ZachXBT and samczsun for their behind-the-scenes support.
Amid the fallout, rumors surfaced within the Web3 community suggesting a possible link between the rogue developer and Lazarus, a notorious North Korean hacking group. While unconfirmed, this speculation raises intriguing questions about the attacker's motives and methods.
Another controversial topic arising from the exploit was the potential rollback of the Blast chain, which immediately raised concerns about decentralization. With the funds recovered, the rollback discussion was rendered moot, but it nonetheless sparked significant debate.
An audit of Munchables was completed in March 2024 by Entersof (Audit Password: ESMunc@24!). It offered little protection against the rogue developer: a code audit reviews the implementation it is given, not the storage a privileged insider can write to before and between upgrades, and an insider with proxy control sits outside the threat model of a typical audit.
This exploit saga features a cast of villains, victims, and the occasional hero, highlighting the complex dynamics at play in the world of decentralized finance.
What could have been the biggest hack of 2024 turned out to be an inside job foiled by swift vigilante justice. The CEO of Pixelcraft Studios recalled giving the developer a trial hire in 2022, which lasted less than a month because of the developer's suspicious behaviour.
That episode led Pixelcraft to overhaul its hiring practices; the studio now works exclusively with trusted recruiters who run thorough background checks, and it urges other crypto teams to do the same rather than hire bad actors from public job boards.
Since this incident we stopped hiring from public job boards, where these types of bad actors are extremely prevalent.
Instead, we only work with trusted recruiters who do bg checks on each candidate before recommending.
Would recommend all teams in crypto do the same.
— coderdan.eth | aavegotchi 👻💊 (@coderdannn)
3:43 AM • Mar 27, 2024
The debate over doxxing remains heated within the crypto community. In cases like the Munchables exploit, doxxing can act as a potent deterrent against malicious actors, safeguarding the integrity of DeFi platforms. As the space continues to evolve, striking a balance between maintaining privacy and ensuring accountability will be crucial for fostering user trust.
With ZachXBT taking the lead and quickly gathering leads, coupled with discussions around modifying the chain state or rolling back, the rogue developer had no opportunity to transfer the funds without being apprehended. The swift checkmate of the exploiter underscores the community's resilience and coordination.
However, the situation could have escalated. If Blast had decided to roll back the chain—assuming it was even feasible—the consequences could have been far more severe. This incident marks the second attack on Blast in less than a week, emphasizing the need for other protocols on the network to reassess their security measures and stay vigilant against similar threats.
The future of the Blast chain hangs in the balance as it navigates these growing pains. Will it continue its upward trajectory, or will it become a cautionary tale in the annals of blockchain history?