- Blast-based NFT game Munchables has lost over $62 million in an exploit
- The game has disclosed that the exploiter has agreed to return the funds with no conditions
- On-chain sleuths claim the exploit was conducted by a newly hired developer from North Korea
Malicious actors in the web3 space continue to target newly launched projects, with NFT game Munchables, powered by Ethereum layer-two platform Blast, being the latest victim. The protocol initially said it was working to block the transfer of the funds but later revealed that the exploiter had agreed to return them. According to on-chain sleuths like ZachXBT, the exploit was conducted by a newly hired team member from North Korea known as “Werewolves0493,” raising questions about whether the developer is associated with the notorious North Korean hacking group Lazarus.
Withdrew Balance Once the TVL was Juicy
The NFT game revealed that it had been compromised in an X post, adding that it was tracking the funds’ movements. According to on-chain data, the developer siphoned 17,413 ETH from the project and then transferred a small amount of the funds to Orbiter and a new wallet.
Munchables has been compromised. We are tracking movements and attempting to stop the transactions. We will update as soon as we know more.
— Munchables (@_munchables_) March 26, 2024
A review of the game’s code indicated that the North Korean developer had earlier manipulated the code and “was able to assign himself a deposited balance of 1,000,000 Ether. […] he simply withdrew that balance once TVL was juicy enough.”
5/ tl;dr scammer used manual manipulation of storage slots to assign himself an enormous Ether balance before changing the contract implementation to one that appears legit. Then he simply withdrew that balance once TVL was juicy enough.
— quit.q00t.eth (👀,🦄) (@0xQuit) March 26, 2024
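The pattern the thread describes (a raw storage write made while a backdoored implementation was live, surviving a later swap to a clean-looking implementation) comes down to one property of upgradeable proxies: storage belongs to the proxy, not to the implementation. The toy model below is an added illustration, not Munchables code or a reconstruction of its contracts. It models proxy storage as a dict of slots, derives mapping slots the way Solidity does (using `hashlib.sha3_256` as a stand-in for keccak256, which hashlib does not ship), and runs a solvency invariant that reads raw storage rather than trusting whatever implementation is currently live. Contract names, addresses and amounts are constructed for the example.

```python
import hashlib

ETH = 1  # toy unit: whole ether as ints (constructed values, not Munchables figures)

BALANCES_SLOT = 0        # declared slot of mapping(address => uint256) balances
TOTAL_DEPOSITS_SLOT = 1  # declared slot of uint256 totalDeposits


def mapping_slot(key: str, base_slot: int) -> str:
    """Solidity keeps mapping(address => uint256) entries at keccak256(abi.encode(key, slot)).
    hashlib.sha3_256 stands in for keccak256 here (assumption for the toy; real digests differ)."""
    key_bytes = bytes.fromhex(key[2:]).rjust(32, b"\x00")
    return "0x" + hashlib.sha3_256(key_bytes + base_slot.to_bytes(32, "big")).hexdigest()


class Proxy:
    """Storage and ETH live in the proxy; the implementation only supplies logic."""

    def __init__(self, implementation):
        self.storage = {}              # slot -> value: what actually persists on chain
        self.implementation = implementation
        self.eth_held = 0              # ETH the contract really holds

    def upgrade(self, new_implementation):
        self.implementation = new_implementation   # storage is NOT reset by an upgrade

    def call(self, fn, *args):
        return getattr(self.implementation, fn)(self, *args)


class LegitImpl:
    """What a reviewer of the current implementation sees: ordinary accounting."""

    @staticmethod
    def deposit(proxy, user, amount):
        slot = mapping_slot(user, BALANCES_SLOT)
        proxy.storage[slot] = proxy.storage.get(slot, 0) + amount
        proxy.storage[TOTAL_DEPOSITS_SLOT] = proxy.storage.get(TOTAL_DEPOSITS_SLOT, 0) + amount
        proxy.eth_held += amount

    @staticmethod
    def withdraw(proxy, user, amount):
        slot = mapping_slot(user, BALANCES_SLOT)
        if proxy.storage.get(slot, 0) < amount:
            raise ValueError("insufficient balance")
        if proxy.eth_held < amount:
            raise ValueError("contract underfunded")   # the on-chain transfer would revert
        proxy.storage[slot] -= amount
        proxy.eth_held -= amount


class BackdoorImpl(LegitImpl):
    """Hypothetical earlier implementation exposing a raw slot write; later swapped out."""

    @staticmethod
    def set_slot(proxy, slot, value):
        proxy.storage[slot] = value


def solvency_check(proxy, known_accounts):
    """Defender's invariant: ledger balances must equal recorded deposits and never
    exceed ETH actually held. Reads raw storage, so the live implementation cannot lie."""
    ledger = sum(proxy.storage.get(mapping_slot(a, BALANCES_SLOT), 0) for a in known_accounts)
    recorded = proxy.storage.get(TOTAL_DEPOSITS_SLOT, 0)
    return {
        "ledger": ledger,
        "recorded_deposits": recorded,
        "eth_held": proxy.eth_held,
        "solvent": ledger <= proxy.eth_held and ledger == recorded,
    }


INSIDER = "0x" + "aa" * 20   # constructed addresses
USER = "0x" + "bb" * 20


def run_scenario():
    """Pre-upgrade slot write, then a clean-looking upgrade, then honest TVL arrives."""
    proxy = Proxy(BackdoorImpl)
    proxy.call("set_slot", mapping_slot(INSIDER, BALANCES_SLOT), 1_000_000 * ETH)
    proxy.upgrade(LegitImpl)                       # code now looks fine; storage still poisoned
    proxy.call("deposit", USER, 5_000 * ETH)       # real deposits from honest users
    report = solvency_check(proxy, [USER, INSIDER])
    proxy.call("withdraw", INSIDER, 5_000 * ETH)   # LegitImpl pays out the phantom balance
    report["eth_after_withdraw"] = proxy.eth_held
    return report


def honest_scenario():
    proxy = Proxy(LegitImpl)
    proxy.call("deposit", USER, 5_000 * ETH)
    return solvency_check(proxy, [USER])
```

The point for reviewers of upgradeable contracts: auditing only the implementation that is live at review time misses state written by any earlier implementation. A monitoring job that periodically compares the sum of ledger balances against the contract's real holdings (and against its own running deposit counter) flags the phantom balance the moment the first honest deposit lands, before the withdrawal.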
Hacker Returns Funds Without Conditions
In an update, Munchables said that the team member has agreed to share “all private keys involved to assist in recovering the user funds.” The project also disclosed that the developer didn’t ask for a bounty and the return is “without any conditions.”
The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.
— Munchables (@_munchables_) March 27, 2024
Munchables’ exploit comes less than a week after another Blast-based game, Super Sushi Samurai (SSS), lost over $4 million after a hacker capitalized on a weakness in the game’s token transfer function. The exploits come roughly a month after the Ethereum scaling layer went live.
Although the developer returned the funds without conditions, it’s unclear whether he initially intended to keep the entire loot, since he had started transferring small amounts to other wallets.