The web3 gaming platform Munchables experienced a significant security breach, losing $62.5 million in Ethereum due to an exploit on the Blast network.
Munchables confirmed the exploit through a post on social media, stating the loss occurred on March 26. “Munchables has been compromised,” said Munchables. “We are tracking movements and attempting to stop the transactions. We will update as soon as we know more.”
Investigation Suggests Potential Link to Munchables Insider
According to ZachXBT, the crypto “detective,” the exploiter extracted nearly 17,414 ETH with a total value of $62.5 million as indicated by Blastscan.
ZachXBT then dug further and found that the exploit may have been carried out by a Munchables employee, one person who appears to have been hired under four separate developer identities.
Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they:
>recommended each other for the job
>regularly transferred payments to the same two exchange deposit addresses
>funded each other's wallets
Github Username… https://t.co/Q0scxp6AxK
— ZachXBT (@zachxbt) March 27, 2024
“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they recommended each other for the job,” said ZachXBT.
The suspect also “regularly transferred payments to the same two exchange deposit addresses” and “funded each other's wallets.” ZachXBT included the alleged exploiter’s GitHub usernames in the post, alerting the community.
Exploit Rooted in Upgrade Manipulation
Solidity developer 0xQuit revealed in a post that the exploit was premeditated, highlighting that a developer had upgraded the Lock contract to a new implementation just before the game’s release. This contract is designed to lock deposited tokens for a set period.
“The Munchables exploit has been planned since deploy,” said 0xQuit, stating that the platform is a “dangerously upgradeable proxy.” The exploiter abused the upgrade mechanism: the earlier implementation let them record a deposit balance of 1 million ETH for themselves, which they could then withdraw.
3/ Shortly thereafter, it was upgraded to the new implementation.
Here, there were appropriate checks to ensure you couldn’t withdraw more than you deposited. But before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether
— quit.q00t.eth (👀,🦄) (@0xQuit) March 26, 2024
“If you never knew about the original implementation, the contract would look just fine,” explained 0xQuit. “Even if the dev had transferred ownership back to the team, the damage was done,” the author added, discouraging upgradeability.
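As an added illustration (not Munchables’ code; the contract names and the `setDeposit` function are hypothetical), here is a stripped-down upgradeable proxy showing why a ledger written by the first implementation survives the upgrade 0xQuit describes, together with the solvency invariant a reviewer can read from the proxy to spot a balance that no real ETH backs:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Storage layout shared by the proxy and every implementation. The proxy owns these
// slots, so whatever one implementation writes survives an upgrade to the next.
abstract contract LockStorage {
    address public owner;
    mapping(address => uint256) public deposits;
    uint256 public totalDeposited;
}
// Hypothetical first implementation: reads like a lock contract, but the owner can
// write any ledger balance without sending ETH.
contract LockV1 is LockStorage {
    function setDeposit(address who, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        totalDeposited = totalDeposited - deposits[who] + amount;
        deposits[who] = amount;
    }
}
// Hypothetical second implementation: correct on its own, but its withdraw check
// trusts whatever ledger V1 left behind.
contract LockV2 is LockStorage {
    function deposit() external payable { deposits[msg.sender] += msg.value; totalDeposited += msg.value; }
    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "exceeds deposit");
        deposits[msg.sender] -= amount;
        totalDeposited -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
    // Defender's invariant: the ledger must never claim more ETH than the proxy holds.
    function isSolvent() external view returns (bool) { return totalDeposited <= address(this).balance; }
}
// Minimal upgradeable proxy using the EIP-1967 implementation slot.
contract LockProxy is LockStorage {
    bytes32 internal constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    constructor(address impl) { owner = msg.sender; _setImpl(impl); }
    function upgradeTo(address impl) external { require(msg.sender == owner, "not owner"); _setImpl(impl); }
    function _setImpl(address impl) internal { bytes32 s = IMPL_SLOT; assembly { sstore(s, impl) } }
    fallback() external payable {
        bytes32 s = IMPL_SLOT;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), sload(s), 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

Deploying LockProxy over LockV1, calling setDeposit through the proxy, then upgrading to LockV2 leaves deposits[who] at the written value and isSolvent() returning false, which is the pre-upgrade state a reviewer must check rather than only reading the current implementation’s source.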
Responding to the devastating incident, the team has announced that it will hand over all relevant private keys to aid in the retrieval of user funds. This includes the key associated with $62,535,441.24 USD, another holding 73 WETH, and the owner key that secures the remaining funds.