The Munchables Heist: Unpacking the $62 Million Exploit
On March 26, 2024, the Munchables game, a popular non-fungible token (NFT) platform operating on the Ethereum layer-2 blockchain Blast, found itself at the centre of a major security breach. An astonishing 17,413 ETH, worth roughly $62 million, was syphoned off in an access control exploit, leaving open questions as to who the attacker was.
But what is Munchables?
Well, it’s a pioneering GameFi platform that merges the excitement of gaming with the blockchain’s decentralised capabilities. Centred around a universe of unique NFT-based creatures, it offers an interactive ecosystem where players engage in strategic gameplay through staking and farming mechanisms. Built on the Ethereum layer-2 blockchain Blast, Munchables allows for secure and innovative digital ownership, enhancing the gaming experience with crypto assets that unlock new levels and rewards. However, this all came to a stop when all the funds were stolen.
So what happened and who was responsible?
The Munchables game exploit was executed by manipulating the game’s smart contract, leading to the unauthorised withdrawal of 17,413 ETH (approximately $62 million). This incident not only highlights the ingenuity of cybercriminals but also underlines the critical importance of robust security measures in protecting digital assets. The team were quick to let their community know that there had been a breach.
Investigations revealed that the breach was orchestrated by an insider — an ex-developer associated with the project. By exploiting a weakness in the smart contract’s design, the attacker was able to assign themselves a fraudulent balance of 1,000,000 Ether, which they subsequently withdrew. This manoeuvre was a calculated act of deception: the attacker manually manipulated the contract’s storage slots to create a false balance, then switched the contract to a legitimate-looking implementation so that the tampering would not be noticed.
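The defensive lesson in that sequence is that a credited balance with no matching deposit, or an implementation switch, should never pass unnoticed. The following Python is an added illustration (not code from Munchables or from d3ploy) of an off-chain reconciliation job that flags exactly those two conditions; the event records and field names are constructed for the example and do not mirror Munchables’ actual ABI.

```python
"""Off-chain reconciliation of a staking contract's credited balances.

Constructed example: the event stream below is made up for illustration.
`Deposit`/`Withdraw` stand for the contract's own events, `Upgraded` for a
proxy implementation change, and `BalanceSnapshot` for a periodic off-chain
read of each user's stored balance slot.
"""
from collections import defaultdict

WEI = 10**18

# Constructed event stream (block-ordered).
EVENTS = [
    {"block": 100, "event": "Upgraded", "implementation": "0xAAAA"},
    {"block": 101, "event": "Deposit", "user": "0xalice", "amount": 10 * WEI},
    {"block": 102, "event": "Deposit", "user": "0xbob", "amount": 5 * WEI},
    {"block": 103, "event": "BalanceSnapshot", "user": "0xalice", "stored": 10 * WEI},
    # A storage write that bypassed deposit(): 1,000,000 ETH appears with no Deposit.
    {"block": 104, "event": "BalanceSnapshot", "user": "0xmallory", "stored": 1_000_000 * WEI},
    {"block": 105, "event": "Upgraded", "implementation": "0xBBBB"},
    {"block": 106, "event": "Withdraw", "user": "0xmallory", "amount": 17_413 * WEI},
]


def reconcile(events):
    """Return (kind, block, subject, excess_wei) alerts.

    PHANTOM_BALANCE: a stored balance exceeds what the user really deposited.
    OVERDRAW:        a withdrawal exceeds the user's net deposits.
    UPGRADE:         the implementation changed (always worth a human look).
    """
    deposited = defaultdict(int)  # net ETH each user actually sent in
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "Deposit":
            deposited[ev["user"]] += ev["amount"]
        elif kind == "Withdraw":
            excess = ev["amount"] - deposited[ev["user"]]
            if excess > 0:
                alerts.append(("OVERDRAW", ev["block"], ev["user"], excess))
            deposited[ev["user"]] -= ev["amount"]
        elif kind == "BalanceSnapshot":
            excess = ev["stored"] - deposited[ev["user"]]
            if excess > 0:
                alerts.append(("PHANTOM_BALANCE", ev["block"], ev["user"], excess))
        elif kind == "Upgraded":
            alerts.append(("UPGRADE", ev["block"], ev["implementation"], 0))
    return alerts
```

Run against the constructed stream, the job raises the phantom 1,000,000 ETH balance at block 104, before the withdrawal at block 106 ever happens.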
A United Front: Community and Team Response
In the aftermath, the Munchables team, along with the wider community, rallied to address the fallout. Blockchain security firms such as PeckShield and individual experts joined forces to trace the stolen funds and devise a strategy for recovery.
Remarkably, through collective effort and negotiation, the Munchables team succeeded in recovering the entire sum of stolen Ether, with the responsible developer returning the assets without any demand for a ransom. The Munchables team confirmed that the developer had handed over three keys: the key holding $62,535,441.24 USD, the key holding 73 WETH, and the owner key containing the rest of the funds. This outcome, while positive, did not erase the initial shock and disruption caused by the exploit.
Beware of the scams that follow any exploit!
Amidst the turmoil, a new threat emerged — a scam targeting victims of the hack, promising the recovery of lost funds in exchange for the victims handing over their payment details. This predatory tactic serves as a grim reminder of the opportunistic nature of scammers within the cryptocurrency landscape, preying on those already affected by security breaches. Have a look at the scam below and please do not fall for it!
More about access control attacks
If you still need more clarification on what exactly an access control attack is, check out d3ploy’s latest infographic covering the basics.
The importance of Smart Contract Auditing
The Munchables incident underscores the vital role of smart contract auditing in identifying and mitigating vulnerabilities. d3ploy, as an industry-leading smart contract audit firm, emphasises the necessity of comprehensive security services to safeguard against such exploits. With an impressive record of auditing over 50 projects and securing more than $6.5 billion in crypto assets, d3ploy represents a beacon of reliability and expertise in the Web3 security domain. Our services cater to projects of all sizes, ensuring that every venture in the Web3 ecosystem has access to top-tier security solutions.
Conclusion
The Munchables exploit of March 26, 2024, will be remembered as a significant event in the Web3 space — a reminder of the challenges and risks inherent in this dynamic industry. Yet, it also exemplifies the strength and resilience of a community united against threats to security and trust. As we move forward, let us carry the lessons learned from this incident, reinforcing our defences and fostering a safer, more secure Web3 ecosystem for all.
Make sure you follow d3ploy for more articles on the latest exploits for all the details!
✅To get in touch with one of our experts to book a consultation please contact us through our contact form:
https://www.d3ploy.co/#Contact-Us