Munchables, a nonfungible token (NFT) game built on the Ethereum layer-2 blockchain Blast, has encountered a significant exploit resulting in a loss of $62 million. The exploit was announced on March 26 in a post at 9:33 pm UTC, where Munchables stated that it was monitoring the attacker’s actions and attempting to halt the transactions. Blockchain analyst ZachXBT provided the wallet address of the alleged attacker, which currently holds a balance of $62.45 million in Ether (ETH), according to Blastscan data.
According to DeBank data, the exploiter’s wallet address interacted with the Munchables protocol at 9:26 am UTC, extracting a total of 17,413 ETH. The exploiter then transferred $10,700 worth of ETH through the Orbiter Bridge, converting the Blast ETH back into native ETH. At 10:05 pm UTC, the wallet sent an additional 1 ETH to a new wallet address.
ZachXBT claimed that the exploit was the result of Munchables hiring a North Korean developer known as “Werewolves0943.” In a post on March 27, Solidity developer 0xQuit alleged that the Munchables attack had been premeditated, with one of the developers upgrading the Lock contract shortly before the launch. The Lock contract is intended to lock tokens for a specific period of time. “There were measures in place to prevent users from withdrawing more than they deposited. However, before the upgrade, the attacker managed to assign themselves a balance of 1,000,000 Ether,” explained 0xQuit.
Munchables is a GameFi app based on Blast that revolves around NFT-based creatures. The protocol allows players to stake Blast ETH and Blast USD (USDB) to earn Blast points and unlock additional in-game perks.
Following the exploit, some users, including metaverse adviser Cygaar, have called on the Blast team to roll back the chain to a point before the attack. However, others argue against centralized intervention, as it goes against the principles of decentralized networks. Cinneamhain Ventures partner Adam Cochran stated that it would be in line with Blast’s ethos to intervene. Cygaar suggested that the Blast team would need to force an invalid state root, which would erase the hacked transaction, potentially requiring the chain to halt temporarily.
In light of this situation, it is important to be cautious when investing in Solana memecoins. There are five potential dangers to be aware of when entering this market.