On the night of March 27, 2024, the cryptocurrency-NFT game Munchables on the Blast network suffered a $63 million hack attack. Attackers stole 17,414 ETH by exploiting a vulnerability on the platform. Here are the details…
$63 million worth of cryptocurrency was stolen from Munchables, then returned!
Munchables, the crypto-NFT game on the Blast network, suffered a $63 million hack attack on the morning of March 27. Attackers stole 17,414 ETH by exploiting a vulnerability in the platform. According to research conducted by cryptocurrency detective ZachXBT, North Korean hackers are thought to be behind the attack. ZachXBT suggested that the 4 developers hired by the Munchables team may actually be the same person and that this person is connected to the hacker.
The Munchables team made a statement after the attack, confirming the incident and saying that they were working to get the funds back. The team explained that the hackers sent the funds to multiple signature wallets and also shared the wallet’s keywords. As a result of ZachXBT’s research and the efforts of the Munchables team, the hacker decided to return the stolen funds. The funds had risen to $97 million and were secured in a multi-signature wallet. The Munchables team announced that they will start sending cryptocurrencies back to users in a short time.
Details of transactions
ZachXBT claimed that “four different developers hired by the Munchables team and linked to the exploiter would all be the same.” The suspect also “regularly transferred payments to the same two exchange deposit addresses” and “funded each other’s wallets.” ZachXBT alerted the community and added the alleged abuser’s GitHub usernames to the post. X user Solidity developer 0xQuit explained in a post that this exploit was planned in advance. He highlighted that a developer changed the Lock contract to a new version just before the game’s release. This contract is designed to secure tokens for a certain period of time.
“Exploitation of Munchables has been planned since its deployment,” 0xQuit said, noting that the platform is a “dangerously upgradeable proxy.” By abusing the upgrade and the app, the abuser was able to withdraw the deposit, assigning themselves 1 million ETH. “If you didn’t know the original implementation at all, the contract would look just fine,” 0xQuit explained. “Even though the developer transferred ownership back to the team, the damage was done,” the writer added, discouraging the update.
The team responding to the devastating incident announced that it would provide all relevant private keys to assist in the recovery of user funds. This includes the key associated with $62,535,441.24, another key holding 73 WETH, and the owner key that secures the remaining funds.
To be informed about the latest developments, follow us Twitter’in, Facebookin and InstagramFollow on . Telegram And YouTube Join our channel.