NFT game Munchables on Blast was exploited for 62 million dollars

DJLK...CjVR
28 Mar 2024
27

NFT game Munchables, built on Ethereum layer 2 Blast, was exploited for $62 million.

Munchables announced the incident on X and said it was tracking the attacker's movements and "trying to prevent the dispersal of assets".

Nguồn: ZachXBT

Onchain investigator ZachXBT has pointed out that the attacker's wallet address currently has an ETH balance of $62.45 million.


Source: Blastscan

The attacker's wallet address interacted with the Munchables protocol at 9:26 UTC, extracting a total of 17,413 ETH.


Source: DeBank

The address then transferred $10,700 worth of ETH through the Orbiter Bridge, converting Blast ETH into native ETH tokens. At 17:05 (Vietnam time), the wallet sent an additional 1 ETH to the new wallet address.

ZachXBT claims that the exploit originated from the Munchables group hiring a North Korean developer with the alias "Werewolves0943".

In a March 27 post, Solidity developer 0xQuit claimed that the Munchables attack was planned from the beginning, with one of the developers upgrading the Lock contract - intended to lock tokens in a specified time period – according to the new deployment immediately before launch.

“There are appropriate measures to limit the amount of withdrawals to not exceed deposits. But before the upgrade, the attacker arbitrarily set the deposit balance to 1,000,000 Ether.”


Source:0xQuit

“Scammers used manual manipulation of storage slots to place themselves on massive Ether balances before converting them into a seemingly legitimate contract. Then he just needs to wait until the TVL is attractive enough and withdraw the money,” 0xQuit added.

Munchables is a Blast-based GameFi app that revolves around NFT-based creatures. The Munchables protocol allows players to stake Blast ETH and Blast USD (USDB) to earn Blast points and unlock additional in-game perks.

Some X users, including a metaverse advisor with the pseudonym Cygaar, have called on the Blast team to intervene by rolling back the chain to a time before the exploit occurred.

“It won't set a good precedent for future exploits/issues, but it's possible.

The Blast group is forced to have an invalid root state to clear the attacked transaction. chain may need to be completely paused to do this.

While I strongly oppose this move for any other chain, I do not consider Blast to be a ‘serious decentralized chain’ but instead a place for games, experimentation, etc.

Therefore, there does not seem to be anything wrong with them intervening to protect user experience."

Others oppose the proposal because it goes against the ethos of decentralized networks.






Get fast shipping, movies & more with Amazon Prime

Start free trial

Enjoy this blog? Subscribe to satthu789

0 Comments