Munchables, the NFT game operating on the Blast network, has successfully recovered $62.5 million previously lost in an exploit. The hack, attributed to a former Munchables developer, prompted swift action from the team to secure user funds. Despite initial concerns, the private keys were successfully retrieved, ensuring the safety of all user funds.
In a subsequent update, Munchables assured users that lockdrops would not be enforced, and all Blast-related rewards would be distributed as usual. Tieshun Roquerre, co-founder of NFT marketplace Blur and known as Pacman on Twitter, confirmed the recovery of $97 million through a multisig arrangement facilitated by Blast core contributors. Notably, no ransom was demanded for the return of the funds.
The compromise of the Munchables protocol was first acknowledged in a post on X, where the team described its efforts to track the exploiter and block unauthorized transactions. Blockchain analyst ZachXBT provided insights into the exploit, highlighting a transfer of 17,413 ether (ETH) to the exploiter’s wallet.
Solidity developer “0xQuit” underscored vulnerabilities in the smart contract, particularly its “dangerously upgradeable” nature. Speculation arose regarding the identity of the rogue developer, with ZachXBT suggesting a potential connection to North Korea based on developer profiles.
Analysis by 0xQuit revealed a meticulously planned exploit, involving manual manipulation of storage slots to inflate the exploiter’s ether balance before reverting the contract implementation to avoid suspicion.
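The pattern 0xQuit describes, an implementation swap followed by a quick return to the original, is something a monitoring job can flag. The script below is an added illustration written for this article, not code from Munchables, Blast or 0xQuit. It assumes a generic EIP-1967 proxy, whose implementation address lives at the well-known slot keccak256("eip1967.proxy.implementation") - 1; the actual Munchables storage layout is not described in the article. The storage reads it processes are constructed sample data, not chain history.

```python
"""Flag short-lived implementation swaps on an EIP-1967 proxy.

Constructed, offline example: the reads below are invented sample data, not
Munchables chain state. Assumes a generic EIP-1967 proxy layout; the real
Munchables contracts may store their implementation pointer differently.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


@dataclass(frozen=True)
class SlotRead:
    block: int
    slot: str   # 32-byte storage key, 0x-prefixed hex
    value: str  # 32-byte storage value, 0x-prefixed hex


@dataclass(frozen=True)
class Alert:
    upgraded_at: int
    reverted_at: int
    original_impl: str
    transient_impl: str


def slot_value_to_address(value: str) -> str:
    """A storage value is 32 bytes; an address occupies the low 20 bytes."""
    raw = value.lower()
    if raw.startswith("0x"):
        raw = raw[2:]
    raw = raw.rjust(64, "0")
    if len(raw) != 64:
        raise ValueError(f"storage value is not 32 bytes: {value}")
    return "0x" + raw[-40:]


def implementation_history(reads: List[SlotRead]) -> List[Tuple[int, str]]:
    """Collapse per-block reads of the implementation slot into change points."""
    history: List[Tuple[int, str]] = []
    last: Optional[str] = None
    for r in sorted(reads, key=lambda r: r.block):
        if r.slot.lower() != IMPL_SLOT:
            continue  # unrelated storage slot
        addr = slot_value_to_address(r.value)
        if addr != last:
            history.append((r.block, addr))
            last = addr
    return history


def detect_upgrade_and_revert(history: List[Tuple[int, str]], max_blocks: int) -> List[Alert]:
    """Alert when the implementation goes A -> B -> A within max_blocks.

    A legitimate upgrade normally stays in place; a prompt return to the
    previous implementation is the pattern the article describes and is
    worth a human's attention.
    """
    alerts: List[Alert] = []
    for i in range(len(history) - 2):
        (b0, a0), (b1, a1), (b2, a2) = history[i], history[i + 1], history[i + 2]
        if a0 == a2 and a1 != a0 and b2 - b0 <= max_blocks:
            alerts.append(Alert(b1, b2, a0, a1))
    return alerts


# Constructed sample: implementation swapped at block 102, restored at block 104.
SAMPLE_READS = [
    SlotRead(100, IMPL_SLOT, "0x" + "00" * 12 + "aa" * 20),
    SlotRead(101, IMPL_SLOT, "0x" + "00" * 12 + "aa" * 20),
    SlotRead(102, IMPL_SLOT, "0x" + "00" * 12 + "bb" * 20),
    SlotRead(103, IMPL_SLOT, "0x" + "00" * 12 + "bb" * 20),
    SlotRead(104, IMPL_SLOT, "0x" + "00" * 12 + "aa" * 20),
    SlotRead(104, "0x" + "01" * 32, "0x" + "ff" * 32),  # unrelated slot, ignored
]


def run_sample() -> List[Alert]:
    return detect_upgrade_and_revert(implementation_history(SAMPLE_READS), max_blocks=50)


if __name__ == "__main__":
    for a in run_sample():
        print(f"implementation swapped to {a.transient_impl} at block {a.upgraded_at} "
              f"and restored to {a.original_impl} at block {a.reverted_at}")
```

In production the reads would come from an archive node's `eth_getStorageAt` per block (or from proxy `Upgraded` events), and the alert would also trigger on any upgrade that was not announced through the project's governance channel, not only on round trips.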
The discussion surrounding potential solutions included calls for a chain rollback, sparking debates on decentralization and necessary interventions. Ethereum enthusiast Tim Clancy clarified the distinction between a rollback and submitting an invalid state root, emphasizing the importance of a trustless exit window in preserving decentralization.
Blast’s lack of an exit window raised concerns, with Clancy warning of potential repercussions on trustless scaling solutions in the absence of regulatory clarity.