Munchables, an NFT game built on Blast, dodged a bullet this week. Though a security breach on Tuesday led to a temporary loss of $62.5 million in user funds, Munchables has successfully retrieved the stolen crypto. The Munchables team assures users that their funds are safe and all Blast rewards will still be distributed. While more details are expected in the coming days, this swift recovery is a win for Munchables players.
All user funds are safe, lockdrops will not be enforced, all blast related rewards will be distributed as well. Updates to follow in the coming days. https://t.co/ZukNfTFTWf
— Munchables (@_munchables_) March 27, 2024
Munchables, the popular NFT game built on Blast, faced a scare this week. On Tuesday, a security breach by a former developer led to the loss of $62.5 million in user funds. However, in a swift recovery effort, Munchables retrieved the stolen crypto thanks to the collaboration of Blast core contributors, who secured a total of $97 million in a multisig wallet (a secure wallet requiring multiple approvals for transactions). This swift action prevented further losses.
Munchables initially confirmed the exploit on Tuesday afternoon and took steps to track the stolen funds and block transactions. Thankfully, their efforts, combined with the support from Blast, ensured a positive outcome for users. While further details are expected soon, Munchables players can rest assured their funds are safe and Blast rewards will be distributed as planned.
This incident highlights the importance of strong security measures in the NFT space. Munchables will likely be addressing this issue in their upcoming updates.
Munchables, the popular NFT game built on Blast, dodged a major scare this week. A former developer exploited a vulnerability in the game’s system, leading to the loss of $62.6 million worth of user funds (17,413 ETH).
Thankfully, Munchables acted swiftly and, with the help of Blast core contributors, managed to retrieve the stolen funds. These recovered funds are now secured in a multisig wallet, which requires multiple approvals for any transaction and so offers an extra layer of protection.
Simple Exploit with Serious Consequences
The details of the exploit raise concerns about the security measures in place for NFT games. Blockchain sleuth ZachXBT identified the exploiter’s wallet, highlighting the stolen funds. According to Solidity developer “0xQuit,” the culprit was able to exploit a critical security flaw. The game’s smart contract, which essentially dictates the game’s rules, was designed to be upgradeable. However, this upgrade feature lacked proper verification procedures, and that gap was the vulnerability: it allowed the attacker to request a massive sum of money directly from the contract, bypassing normal security measures.
$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…
— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024
Possible Inside Job and North Korean Connection
“0xQuit” further suggests that the exploit likely required authorized access to the system, pointing towards a potential “rogue developer” – a former developer who misused their access for personal gain. This theory is further fueled by ZachXBT who linked a developer profile with the alias “Werewolves0943” to the exploit. While this suggests a possible North Korean connection, further investigation is needed to confirm this speculation.
Lessons Learned and Moving Forward
This incident exposes the critical need for robust security measures in NFT games, particularly when dealing with “upgradeable” smart contracts. Munchables will likely address these vulnerabilities in their upcoming updates to prevent similar attacks in the future. Although the investigation continues, Munchables players can be assured their funds are safe and Blast rewards will be distributed as planned. This serves as a reminder for all NFT platforms to prioritize user security and implement strong verification procedures to safeguard their systems.
Concerns Arise Over Blast’s Handling of Stolen Funds and Lack of Exit Window
While Munchables managed to recover the stolen funds, the situation raises concerns about Blast’s security measures. According to industry observer Tim Clancy, Blast’s approach of retrieving the funds by manipulating the state root is unconventional. He emphasizes the importance of a “trustless exit window” in layer 2 solutions. This exit window allows users to withdraw their assets back to the main Ethereum chain if they’re unhappy with any changes on the layer 2. Clancy argues that Blast’s lack of an exit window essentially centralizes control and could be misused. He worries that Blast’s actions might set a negative precedent for other developers building trustless scaling solutions in the future.
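As an added illustration (not code from Munchables, Blast, or anyone quoted in this article), the Solidity contract below shows one way to gate upgrades with the controls discussed above: several approvals, a check that the deployed bytecode matches what was reviewed, and a delay that gives users an exit window. The contract name, the function names and the `EXIT_WINDOW` value are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not Munchables or Blast code.
contract UpgradeGate {
    uint256 public constant EXIT_WINDOW = 7 days; // assumed delay before an upgrade applies
    uint256 public immutable threshold;           // approvals needed to schedule an upgrade
    address public implementation;                // logic contract a proxy would delegate to
    mapping(address => bool) public isSigner;
    mapping(address => mapping(address => bool)) public approved; // impl => signer => voted
    struct Proposal { bytes32 codeHash; uint256 approvals; uint256 readyAt; }
    mapping(address => Proposal) public proposals; // keyed by candidate implementation

    event UpgradeScheduled(address indexed impl, bytes32 codeHash, uint256 readyAt);
    event Upgraded(address indexed impl);

    constructor(address[] memory signers, uint256 threshold_) {
        require(threshold_ > 1 && threshold_ <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(!isSigner[signers[i]], "duplicate signer");
            isSigner[signers[i]] = true;
        }
        threshold = threshold_;
    }

    // Each signer attests that the bytecode deployed at `impl` is the build they reviewed.
    function approve(address impl, bytes32 reviewedHash) external {
        require(isSigner[msg.sender], "not a signer");
        require(!approved[impl][msg.sender], "already approved");
        require(impl.code.length > 0 && impl.codehash == reviewedHash, "code not as reviewed");
        Proposal storage p = proposals[impl];
        require(p.approvals == 0 || p.codeHash == reviewedHash, "signers disagree on code");
        p.codeHash = reviewedHash;
        approved[impl][msg.sender] = true;
        if (++p.approvals == threshold) {
            p.readyAt = block.timestamp + EXIT_WINDOW; // users can withdraw before this time
            emit UpgradeScheduled(impl, reviewedHash, p.readyAt);
        }
    }

    // Anyone may execute, but only after the window and only if the code is unchanged.
    function execute(address impl) external {
        Proposal storage p = proposals[impl];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not scheduled or window open");
        require(impl.codehash == p.codeHash, "code changed since approval");
        delete proposals[impl]; // one-shot: an old approval cannot be replayed as a rollback
        implementation = impl;
        emit Upgraded(impl);
    }
}
```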
Raksha, a seasoned journalist, specializes in crafting insightful narratives on blockchain and AI developments. With a keen eye for innovation, she distills complex topics into accessible stories, providing readers with a clear understanding of the dynamic intersection between these transformative technologies.