The Blast-based Munchables project suffered a $62 million exploit

Munchables, an NFT project built on Blast, an Ethereum layer-2 network, has been exploited. The hacker managed to steal 17,413 ETH worth $62 million.

The developers of Munchables announced on social network X that their platform had been compromised. They are tracking the attacker's movement of funds and attempting to "stop transactions." The company has allocated a compensation pool for users so that they can get their funds back.

DeBank analysts found that the hacker's address contained a total of 17,413 ETH. He then transferred $10,700 worth of ETH via the Orbiter Bridge, converting Blast ETH to native ETH. Later, he sent another 1 ETH to a new address.

Independent "blockchain sleuth" ZachXBT suggested that the exploit occurred because the Munchables team hired four North Korean developers using the pseudonyms NelsonMurua913, Werewolves0493, BrightDragon0719 and Super1114. The analyst believes that they are related to the exploit and are most likely the same person. They recommended each other to the employer, regularly made payments to the same two exchange deposit addresses, and sent funds to each other.

The Solidity developer known as 0xQuit is sure that the attack on Munchables was planned from the very beginning. Shortly before launch, one of the developers of Munchables updated the token lock contract. Checks were in place to ensure that users could not withdraw more funds than they had deposited. However, before the update, the attacker was able to set up a deposit of 1,000,000 ether, 0xQuit explained.

"The fraudster manually manipulated the storage slots to allocate himself a huge balance of ethers, before changing the smart contract to make everything look legitimate. It then simply withdrew this balance once the total locked asset value (TVL) became quite attractive," 0xQuit suggested.

Some users asked the Blast team to step in and forcibly roll back the network to the state before the exploit. Others opposed centralized intervention.

---------------

On March 27, the Munchables team announced that the developer had agreed to return access to all withdrawn funds. According to the statement, he provided private keys to addresses that contained $62.5 million, 73 WETH and other assets.

The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.
— Munchables (@_munchables_) March 27, 2024

According to Pacman, the pseudonymous founder of the NFT marketplace Blur and the Blast project, the network developers received all coins, with a total value of $97 million, in a multi-signature wallet. The hacker allegedly returned them without any reward.

"It is important that all development teams, regardless of whether they are directly affected or not, learn from this and take precautions to approach security issues more carefully," the entrepreneur stressed.
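The balance 0xQuit describes above was written into storage with no matching deposit, which is the kind of discrepancy a reconciliation job can catch. The following is an added example, not part of the original post or Munchables' code: it replays deposit and withdrawal events and compares the result with balances read from storage. The event names, account labels and figures are constructed assumptions.

```python
from collections import defaultdict

WEI = 10**18  # 1 ether in wei


def replay_events(events):
    """Rebuild each account's expected locked balance from the event log."""
    expected = defaultdict(int)
    for ev in events:
        if ev["type"] == "Deposit":
            expected[ev["account"]] += ev["amount"]
        elif ev["type"] == "Withdraw":
            expected[ev["account"]] -= ev["amount"]
        else:
            raise ValueError(f"unknown event type: {ev['type']}")
    return expected


def find_unbacked_balances(events, stored, contract_balance):
    """Compare balances read from storage with the event-derived ledger.

    Returns (findings, insolvent): findings lists (account, stored, expected)
    for every account whose stored balance is not explained by its events;
    insolvent is True when stored liabilities exceed the assets held.
    """
    expected = replay_events(events)
    findings = []
    for account in sorted(set(stored) | set(expected)):
        s, e = stored.get(account, 0), expected.get(account, 0)
        if s != e:
            findings.append((account, s, e))
    insolvent = sum(stored.values()) > contract_balance
    return findings, insolvent


# Constructed sample data (not real chain data): two users who deposited,
# and one account holding 1,000,000 ether in storage with no Deposit event.
EVENTS = [
    {"type": "Deposit", "account": "0xuser1", "amount": 5 * WEI},
    {"type": "Deposit", "account": "0xuser2", "amount": 12 * WEI},
    {"type": "Withdraw", "account": "0xuser1", "amount": 2 * WEI},
]
STORED = {"0xuser1": 3 * WEI, "0xuser2": 12 * WEI, "0xdev": 1_000_000 * WEI}

if __name__ == "__main__":
    findings, insolvent = find_unbacked_balances(EVENTS, STORED, 15 * WEI)
    for account, s, e in findings:
        print(f"{account}: stored {s // WEI} ETH, events explain {e // WEI} ETH")
    print("liabilities exceed assets:", insolvent)
```

Run before and after every contract upgrade, a check like this flags a balance that exists only in storage while total value locked is still small.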
 