Munchables NFT Game Exploited for $62 Million

  • Blast-based NFT game Munchables has lost over $62 million in an exploit
  • The game has disclosed that the exploiter has agreed to return the funds with no conditions
  • On-chain sleuths claim the exploit was conducted by a newly hired developer from North Korea

Malicious actors in the web3 space continue to target newly launched projects, with NFT game Munchables, powered by Ethereum layer-two platform Blast, being the latest victim. The protocol initially said that it was working to block the transfer of the funds but later revealed that the exploiter had agreed to return them. According to on-chain sleuths like ZachXBT, the exploit was conducted by a newly hired team member from North Korea known as “Werewolves0493,” raising questions about whether the developer is associated with the notorious North Korean hacking group Lazarus.

Withdrew Balance Once the TVL was Juicy

The NFT game revealed in an X post that it had been compromised, adding that it was tracking the funds’ movements. According to on-chain data, the developer siphoned 17,413 ETH from the project and then transferred a small amount of the funds to Orbiter and a new wallet.

A review of the game’s code indicated that the North Korean developer had earlier manipulated the code and “was able to assign himself a deposited balance of 1,000,000 Ether. […] he simply withdrew that balance once TVL was juicy enough.”
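A balance that was assigned rather than deposited can be caught by reconciling the stored ledger against deposit history. The following is an added example, not Munchables' code: it assumes the contract emits deposit and withdraw events, and the account names, amounts and function names are constructed for illustration.

```python
from collections import defaultdict

WEI = 10**18

# Constructed sample data (not real chain data): deposit/withdraw events
# and the balance mapping as read from contract storage.
EVENTS = [
    ("deposit", "0xaaa", 40 * WEI),
    ("deposit", "0xbbb", 25 * WEI),
    ("withdraw", "0xaaa", 10 * WEI),
    ("deposit", "0xccc", 5 * WEI),
]
STORED = {
    "0xaaa": 30 * WEI,
    "0xbbb": 25 * WEI,
    "0xccc": 5 * WEI,
    "0xdev": 1_000_000 * WEI,  # balance with no deposit behind it
}

def replay(events):
    """Rebuild each account's balance purely from deposit/withdraw events."""
    backed = defaultdict(int)
    for kind, account, amount in events:
        if kind == "deposit":
            backed[account] += amount
        elif kind == "withdraw":
            backed[account] -= amount
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return backed

def reconcile(events, stored, holdings):
    """Return (unbacked accounts, shortfall) for a stored balance mapping."""
    backed = replay(events)
    unbacked = {
        acct: bal - backed.get(acct, 0)
        for acct, bal in stored.items()
        if bal > backed.get(acct, 0)
    }
    # Solvency: total claims must not exceed what the contract actually holds.
    shortfall = max(0, sum(stored.values()) - holdings)
    return unbacked, shortfall

if __name__ == "__main__":
    holdings = 60 * WEI  # constructed: ETH actually held by the contract
    unbacked, shortfall = reconcile(EVENTS, STORED, holdings)
    for acct, excess in unbacked.items():
        print(f"{acct}: {excess // WEI} ETH of balance has no matching deposit")
    print(f"claims exceed holdings by {shortfall // WEI} ETH")
```

Run as a pre-launch audit step or a recurring monitor, this flags the unbacked entry before the contract holds enough value for it to be withdrawn.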


Hacker Returns Funds Without Conditions

In an update, Munchables said that the team member has agreed to share “all private keys involved to assist in recovering the user funds.” The project also disclosed that the developer didn’t ask for a bounty and the return is “without any conditions.”

Munchables’ exploit comes less than a week after another Blast-based game, Super Sushi Samurai (SSS), lost over $4 million after a hacker capitalized on a weakness in the game’s token transfer function. The exploits come roughly a month after the Ethereum scaling layer went live.

Although the developer returned the funds without conditions, it’s unclear whether he initially wanted to keep the entire loot since he had started transferring small amounts to other wallets.