Munchables Exploit on Blast — March 26, 2024
What Happened
Munchables, an NFT game on the Blast L2, lost about $62.5M in ETH (roughly 17,400 ETH) on March 26, 2024. Root cause: not an external exploit of a coding mistake, but a rogue developer who had built backdoor logic into the project's smart contracts during development.
Technical Details
• The main contract was an upgradeable proxy, and the implementation behind it was unverified on the block explorer, so the logic the proxy actually executed could not be reviewed from public source.
• The drain did not go through a bug reachable by outsiders: it depended on privileged access to the contract's upgrade path and storage, which confirmed the inside-job hypothesis.
• The project had hired four developers who were believed to be the same person, suspected of being a DPRK-affiliated IT worker.
• The implementation had been swapped before launch: an earlier, malicious implementation planted large ETH balances for attacker-controlled addresses in the proxy's storage, after which a clean-looking implementation was installed. Because proxy storage persists across upgrades, the planted balances survived the swap and were later withdrawn through the ordinary withdraw path.
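The two red flags above (an unverified implementation, and an implementation swap before launch) are visible on-chain before any funds move. The following is an added example, not Munchables' code or anything from the post-mortem: a small Python audit that takes a proxy's EIP-1967 `Upgraded(address)` logs (here a constructed sample in `eth_getLogs` shape, not real chain data), a set of implementations known to be source-verified (assumed to come from an explorer API), and the intended launch block, and flags unverified implementations, pre-launch swaps, and a mismatch between the implementation slot and the last emitted event.

```python
"""Audit the upgrade history of an EIP-1967 proxy from its Upgraded() logs.

Added example for this write-up; it is not Munchables' code. The log entries
below are constructed to match the eth_getLogs shape and are not real chain data.
"""
from dataclasses import dataclass

# keccak256("Upgraded(address)"): topic0 of the EIP-1967 / OpenZeppelin Upgraded event
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


@dataclass(frozen=True)
class Upgrade:
    block: int
    implementation: str  # 0x-prefixed, lowercase, 20-byte address


def parse_upgraded_logs(logs):
    """Extract (block, implementation) pairs from raw eth_getLogs entries, oldest first."""
    events = []
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        if not topics or topics[0] != UPGRADED_TOPIC:
            continue  # some other event on the proxy
        # The indexed address is left-padded to 32 bytes in topics[1]; keep the low 20 bytes.
        impl = "0x" + topics[1][-40:]
        events.append(Upgrade(int(log["blockNumber"], 16), impl))
    return sorted(events, key=lambda e: e.block)


def current_impl_from_slot(slot_value):
    """Decode the address held in the implementation slot (value of eth_getStorageAt)."""
    return "0x" + slot_value.lower()[-40:]


def audit_proxy(events, verified_impls, launch_block, slot_value=None):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    verified = {a.lower() for a in verified_impls}
    findings = []
    for ev in events:
        if ev.implementation not in verified:
            findings.append(
                f"UNVERIFIED implementation {ev.implementation} active from block {ev.block}"
            )
    pre_launch = [ev for ev in events if ev.block < launch_block]
    if len(pre_launch) > 1:
        findings.append(
            f"implementation swapped {len(pre_launch) - 1} time(s) before launch at block "
            f"{launch_block}; storage written by earlier implementations persists in the proxy"
        )
    if slot_value is not None and events:
        if current_impl_from_slot(slot_value) != events[-1].implementation:
            findings.append(
                "implementation slot does not match the last Upgraded() event; "
                "check for an upgrade path that does not emit the event"
            )
    return findings


# Constructed sample (not real chain data): 0xaaaa... is installed first, then replaced by
# 0xbbbb... before the launch block; only 0xbbbb... is source-verified.
SAMPLE_LOGS = [
    {"blockNumber": "0x64", "topics": [UPGRADED_TOPIC, "0x" + "0" * 24 + "a" * 40]},
    {"blockNumber": "0x96", "topics": [UPGRADED_TOPIC, "0x" + "0" * 24 + "b" * 40]},
    {"blockNumber": "0x97", "topics": ["0x" + "c" * 64, "0x" + "0" * 24 + "d" * 40]},  # unrelated event
]
VERIFIED_IMPLS = ["0x" + "b" * 40]   # assumed to come from an explorer's verified-source API
LAUNCH_BLOCK = 200
SLOT_NOW = "0x" + "0" * 24 + "b" * 40  # assumed current value of IMPL_SLOT


def run_sample():
    events = parse_upgraded_logs(SAMPLE_LOGS)
    return audit_proxy(events, VERIFIED_IMPLS, LAUNCH_BLOCK, slot_value=SLOT_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(" -", finding)
```

Run against a real proxy, `SAMPLE_LOGS` is replaced by `eth_getLogs` filtered on the proxy address and `UPGRADED_TOPIC`, and `SLOT_NOW` by `eth_getStorageAt(proxy, IMPL_SLOT)`. The pre-launch swap check matters because the second implementation being clean says nothing about what the first one wrote into storage.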
Fund Recovery
After roughly 8 hours of negotiation the developer handed back all of the stolen funds (about $62M) without a ransom demand, making this one of the few large rogue-developer incidents to end in full recovery.
Lessons / Response
• Blast later disabled third-party bridges as a precaution.
• Pixelcraft Studios (the Aavegotchi team, not Munchables) reported that it had trial-hired the same developer in 2022 and let him go within a month over red flags.
• Hiring practices were changed to rely on trusted recruiters with mandatory background checks.
• The incident highlighted the risk of DPRK IT-worker infiltration in Web3 hiring: a pseudonymous remote contractor with deploy and upgrade access to the contracts, and no independent identity check.