Crypto News – Blast Crypto game exploited: A significant incident has occurred within the realm of NFTs, impacting a game called Munchables, which operates on the Ethereum layer-2 blockchain known as Blast Crypto. Reports indicate that the game has suffered a staggering $62-million exploit.
Munchables on Blast Crypto Game Exploited, Resulting in 63 Million Dollars Loss
On March 26th, Munchables made an announcement, revealing that it had fallen victim to exploitation. The post, published at 9:33 pm UTC, stated that the team was actively monitoring the exploiter’s actions and endeavoring to halt the illicit transactions. Notably, blockchain analyst ZachXBT responded to this announcement by disclosing the wallet address of the alleged attacker, which currently holds a balance of $62.45 million in Ether (ETH), as per Blastscan data. Concurrently, the value of ETH has depreciated to $3,576.
Further investigation into the exploiter’s activities reveals that the wallet address engaged with the Munchables protocol at 9:26 am UTC, managing to extract a total of 17,413 ETH, according to DeBank data. Subsequently, the exploiter transferred $10,700 worth of ETH through the Orbiter Bridge, converting the Blast ETH back into native ETH. At 10:05 pm UTC, an additional 1 ETH was sent to a fresh wallet address from the exploiter’s wallet.
3/ Shortly thereafter, it was upgraded to the new implementation. Here, there were appropriate checks to ensure you couldn't withdraw more than you deposited. But before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether pic.twitter.com/LrzhYiRWkb
— quit.q00t.eth (👀,🦄) (@0xQuit) March 26, 2024
ZachXBT has asserted that the exploit appears to be connected to the Munchables team hiring a developer from North Korea, known by the alias “Werewolves0943.”
In a subsequent post on March 27th, Solidity developer 0xQuit offered insights into the nature of the attack. They claimed that the exploitation was premeditated, with one of the developers manipulating the Lock contract — designed to secure tokens for a predetermined duration — shortly before the game’s launch. According to 0xQuit, checks were in place to prevent withdrawals exceeding deposits. However, prior to the upgrade, the attacker managed to assign themselves a balance of 1,000,000 Ether.
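The mechanism 0xQuit describes, as an added example (not code from Munchables or from this article): a simplified Python model in which proxy storage survives an implementation upgrade, with a pre-upgrade audit that reconciles the stored ledger against logged deposits and the ETH actually held. Apart from the 1,000,000 Ether figure, the account names, amounts and function names are constructed, and the audit assumes no withdrawals have happened yet.

```python
from dataclasses import dataclass, field

ETH = 10**18  # wei per ether

@dataclass
class ProxyStorage:
    """Storage lives in the proxy, so it persists when the implementation changes."""
    held_wei: int = 0                                # ETH the contract really holds
    balances: dict = field(default_factory=dict)     # per-account "deposited" ledger
    deposit_log: list = field(default_factory=list)  # (account, wei) deposit events

def deposit(s, account, wei):
    s.held_wei += wei
    s.balances[account] = s.balances.get(account, 0) + wei
    s.deposit_log.append((account, wei))

def withdraw_v2(s, account, wei):
    """Post-upgrade logic (assumed): the check trusts whatever the ledger says."""
    if s.balances.get(account, 0) < wei or s.held_wei < wei:
        raise ValueError("insufficient balance")
    s.balances[account] -= wei
    s.held_wei -= wei

def audit_before_upgrade(s):
    """Return ({account: wei not backed by logged deposits}, ledger_is_solvent)."""
    backed = {}
    for account, wei in s.deposit_log:
        backed[account] = backed.get(account, 0) + wei
    unbacked = {a: b - backed.get(a, 0)
                for a, b in s.balances.items() if b > backed.get(a, 0)}
    solvent = sum(s.balances.values()) <= s.held_wei
    return unbacked, solvent

def build_sample():
    """Constructed state: two real deposits plus one ledger entry nobody paid for."""
    s = ProxyStorage()
    deposit(s, "user_a", 40 * ETH)
    deposit(s, "user_b", 25 * ETH)
    s.balances["dev_wallet"] = 1_000_000 * ETH  # stand-in for the pre-upgrade write
    return s

if __name__ == "__main__":
    state = build_sample()
    unbacked, solvent = audit_before_upgrade(state)
    print("unbacked ledger entries:", unbacked)
    print("ledger covered by held ETH:", solvent)
```

The withdrawal check in `withdraw_v2` is correct on its own terms; the audit flags the problem because it compares the ledger with evidence outside the ledger.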
Technically, the Blast team could recover the $62m lost in the Munchables exploit since they control the bridge contract that holds the bridged ETH/stETH.
It wouldn't set a good precedent for future exploits/issues, but it is possible.
An invalid state root would need to be…
— cygaar (@0xCygaar) March 26, 2024
Munchables, a GameFi application rooted in the Blast ecosystem, revolves around NFT-based creatures. Its protocol enables players to stake Blast ETH and Blast USD to earn Blast points and unlock additional in-game benefits.
It wouldn’t set a good precedent for future exploits/issues, but it is possible. Given that, it doesn’t seem off-brand for them to intervene in defense of user experience. Optimism is ethos alignment, but Blast is gamified social user experience. While I’m strongly against this action on any other chain, I don’t take Blast as a brand of ‘serious decentralization chain’ but instead as a place for games, experiments, degenry, etc.
Adam Cochran
Various users, including the pseudonymous metaverse adviser Cygaar, have called upon the Blast team to take action by initiating a rollback of the chain to a state preceding the exploit.