Munchables, the web3 gaming platform, faced a major security breach resulting in a loss of $62.5 million in Ethereum, stemming from an exploit on the Blast network.
The confirmation of the exploit came from Munchables themselves via a social media post, revealing that the incident took place on March 26. “Munchables has experienced a breach,” the company announced. “We are actively monitoring transactions and working to halt any further unauthorized movements. Further updates will follow as we gather more information.”
Investigation Suggests Potential Link to Munchables Insider
According to ZachXBT, a prominent figure in the crypto investigation sphere, the individual responsible for the exploit managed to siphon off approximately 17,414 ETH, valued at $62.5 million, as reported by Blastscan.
Digging further, ZachXBT found a potential link between the exploit and a Munchables employee: four developers recently recruited by the company were all tied to the exploiter.
“Four developers, all linked to the exploiter, were hired by the Munchables team, and there’s a strong likelihood they are the same individual, given their mutual recommendations for the job,” ZachXBT revealed.
Moreover, the suspects' on-chain activity pointed to a single operator: payments consistently flowed to the same two exchange deposit addresses, and the wallets funded one another. ZachXBT disclosed the GitHub usernames associated with the alleged exploiter to warn the community.
Exploit Rooted in Upgrade Manipulation
Solidity developer 0xQuit disclosed in a post that the Munchables exploit was premeditated, pointing out that a developer had made modifications to the Lock contract just before the game’s launch. This particular contract was intended to secure tokens for a specified duration.
“The Munchables exploit was planned from the moment of deployment,” 0xQuit asserted, underscoring the platform’s vulnerability due to being a “dangerously upgradeable proxy.” Because the proxy's implementation could be swapped by its owner, the exploiter used an upgrade to credit their own account with a 1 million ETH balance in the contract's accounting, which then let them withdraw the real deposits held by the contract.
“From an outsider’s perspective, the contract would appear normal if they were unaware of the original implementation,” 0xQuit elaborated. Even though the developer later transferred ownership back to the team, the damage had already been done, a reminder of the risk carried by upgradeable contracts controlled by a single key.
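The point about outsiders not noticing the swap is exactly why defenders baseline a proxy's implementation pointer and alert on changes. The following is an added example, not code from the article or from Munchables: it assumes the proxy follows the EIP-1967 storage layout (the article does not say which proxy pattern was used) and works over constructed storage words standing in for `eth_getStorageAt` results.

```python
# Added example: detect an implementation swap on an EIP-1967-style proxy by
# tracking the implementation storage slot across blocks. Sample data is constructed.
from dataclasses import dataclass
from typing import List

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc


def slot_to_address(raw: bytes) -> str:
    """Decode a 32-byte storage word into a lowercase 0x address (low 20 bytes)."""
    if len(raw) != 32:
        raise ValueError("storage word must be exactly 32 bytes")
    return "0x" + raw[-20:].hex()


@dataclass
class Snapshot:
    block: int
    implementation: str


@dataclass
class Upgrade:
    block: int
    old_impl: str
    new_impl: str


def detect_upgrades(snapshots: List[Snapshot]) -> List[Upgrade]:
    """Return every block at which the proxy began pointing at a different implementation."""
    upgrades = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev.implementation.lower() != cur.implementation.lower():
            upgrades.append(Upgrade(cur.block, prev.implementation, cur.implementation))
    return upgrades


# Constructed sample: (block number, raw 32-byte word read from IMPLEMENTATION_SLOT).
SAMPLE_WORDS = [
    (100, bytes(12) + bytes.fromhex("aa" * 20)),  # baseline implementation
    (101, bytes(12) + bytes.fromhex("aa" * 20)),
    (102, bytes(12) + bytes.fromhex("bb" * 20)),  # implementation swapped here
    (103, bytes(12) + bytes.fromhex("bb" * 20)),
]


def scan_sample() -> List[Upgrade]:
    snaps = [Snapshot(block, slot_to_address(word)) for block, word in SAMPLE_WORDS]
    return detect_upgrades(snaps)


if __name__ == "__main__":
    for u in scan_sample():
        print(f"block {u.block}: implementation changed {u.old_impl} -> {u.new_impl}")
```

In practice the words come from `eth_getStorageAt(proxy, IMPLEMENTATION_SLOT, block)` on a node, and any detected upgrade should be checked against an announced, timelocked change.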
In response to the catastrophic incident, the Munchables team has pledged to provide all pertinent private keys to facilitate the recovery of user funds. This includes the key associated with $62,535,441.24 USD, another holding 73 WETH, and the owner key securing the remaining funds.