Key takeaways:
- The Munchables hacker changed his mind after nearly eight hours and returned $62.8M worth of Ether that had been taken in an exploit without requesting a ransom.
- The hack was caused by the Munchables team employing a North Korean engineer who went by the handle “Werewolves0943.”
The Munchables hacker, who turned out to be one of the project's own developers, changed his mind after nearly eight hours and returned $62.8 million worth of Ether taken in the exploit, without requesting a ransom.
The Ethereum-based nonfungible token (NFT) game Munchables disclosed on March 26, at about 9:30 p.m. UTC, that an exploit had drained more than 17,400 ETH from the GameFi app.
Munchables began tracking the movements of the stolen funds in an effort to stop them, working with blockchain investigators such as ZachXBT and PeckShield.
According to DeBank data, the exploiter's wallet address interacted with the Munchables protocol around 9:26 am UTC, withdrawing a total of 17,413 ETH.
After that, $10,700 worth of ETH was transferred from the exploiter's wallet via the Orbiter Bridge, converting Blast ETH back into native ETH. The wallet then sent one more ETH to a new wallet address at 10:05 p.m. UTC.
According to ZachXBT, the hack was caused by the Munchables team employing a North Korean engineer who went by the handle “Werewolves0943.”
Solidity developer 0xQuit stated in an X post on March 27 that the Munchables attack was premeditated from the start: one of the developers had upgraded the Lock contract, which locks tokens in for a predetermined period, to a new implementation just before launch. 0xQuit explained:
“There were appropriate checks to ensure you couldn’t withdraw more than you deposited. But before upgrading, the attacker was able to assign himself a deposited balance of 1,000,000 Ether.”
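The quote above describes a ledger-based withdraw check that was sound on its own but was undermined by a contract upgrade that wrote a phantom balance into storage. The following Python model is an added illustration, not Munchables' or 0xQuit's code; the contract, user names and amounts are constructed. It shows why a "no more than you deposited" check is only as trustworthy as the ledger it reads, and adds the defender-side invariant a monitor or the contract itself can check: total credited balances must never exceed the Ether the contract actually holds.

```python
"""Toy model of the failure 0xQuit describes, plus a solvency check.

Constructed example, not Munchables' code. A lock contract keeps a per-user
ledger and refuses withdrawals above the ledger value. That check is only as
strong as the ledger: an upgradeable proxy lets whoever controls the upgrade
install logic that writes arbitrary storage, so a hostile implementation can
credit a phantom balance that the withdraw check then honours.

Defender-side invariant: total credited balances must never exceed the Ether
the contract actually holds. Checking it after every upgrade (off-chain
monitor) and inside withdraw (on-chain circuit breaker) flags or blocks the
phantom credit before it is cashed out.
"""
from dataclasses import dataclass, field

ETHER = 10**18  # wei per ETH


@dataclass
class LockContract:
    deposited: dict = field(default_factory=dict)  # user -> wei credited
    ether_held: int = 0                            # wei really in the contract
    implementation: str = "v1"
    circuit_breaker: bool = False                  # hardened variant if True

    def deposit(self, user, amount):
        self.deposited[user] = self.deposited.get(user, 0) + amount
        self.ether_held += amount

    def withdraw(self, user, amount):
        # The check the quote refers to: no more than you deposited.
        if amount > self.deposited.get(user, 0):
            raise ValueError("withdraw exceeds deposited balance")
        # Hardened variant: refuse while the ledger is not backed by real ETH.
        if self.circuit_breaker and phantom_wei(self) > 0:
            raise ValueError("ledger insolvent: withdrawals frozen")
        self.deposited[user] -= amount
        self.ether_held -= amount
        return amount

    def upgrade(self, new_implementation, storage_writes=()):
        # A proxy upgrade swaps the logic; hostile logic can set any slot.
        # The effect of such storage writes is modeled directly here.
        self.implementation = new_implementation
        for user, value in storage_writes:
            self.deposited[user] = value


def phantom_wei(contract):
    """Credited wei not backed by held Ether; 0 when the ledger is sound."""
    return max(0, sum(contract.deposited.values()) - contract.ether_held)


def run_scenario(circuit_breaker=False):
    """Replay the pattern: honest deposits, hostile upgrade, drain attempt.

    Returns (phantom wei seen by a monitor right after the upgrade,
             wei the attacker managed to withdraw).
    """
    lock = LockContract(circuit_breaker=circuit_breaker)
    lock.deposit("alice", 5 * ETHER)   # constructed honest deposits
    lock.deposit("bob", 3 * ETHER)
    assert phantom_wei(lock) == 0      # honest state: ledger fully backed

    # Hostile upgrade credits the attacker 1,000,000 ETH never deposited.
    lock.upgrade("v2-hostile", storage_writes=[("attacker", 1_000_000 * ETHER)])
    seen_by_monitor = phantom_wei(lock)  # an upgrade-triggered check fires here

    try:
        drained = lock.withdraw("attacker", lock.ether_held)
    except ValueError:
        drained = 0
    return seen_by_monitor, drained


if __name__ == "__main__":
    print("unguarded:", run_scenario())
    print("circuit breaker:", run_scenario(circuit_breaker=True))
```

In the unguarded run the per-user check passes and the attacker drains every wei the contract holds; the solvency invariant already reports the full 1,000,000 ETH phantom credit at upgrade time, which is the moment an alert (or an upgrade timelock) gives defenders to react. The circuit-breaker variant freezes all withdrawals while the ledger is unbacked, which also blocks honest users but prevents the drain.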
Munchables is a GameFi application on Blast centered on NFT-based animals. Players can farm Blast points and earn additional in-game benefits by staking Blast ETH and Blast USD (USDB) on the Munchables network.
Munchables disclosed that the hacker was one of its developers on March 27, at 4:40 am UTC. After an hour of negotiation, the former developer agreed to return the stolen funds. In a formal statement, Munchables said:
“The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.”
Pacman, the pseudonymous founder of Blast, the Ethereum layer-2 blockchain on which Munchables runs, thanked ZachXBT for his assistance and disclosed that the former Munchables developer had chosen to “return all funds in the end without any ransom” required.
Because Munchables was built on top of the Blast blockchain, Pacman will work with the Munchables team to help distribute the recovered funds.
To avoid falling for reimbursement scams, affected users are encouraged to act only on correspondence from official sources in the interim.
The exploit came almost four days after four addresses belonging to the decentralized finance (DeFi) aggregator ParaSwap were compromised by a hacker who took about $24,000. After the money was recovered, the protocol began reimbursing users.
With the help of white hat hackers, ParaSwap was able to fix the problem and revoke authorization for the vulnerable AugustusV6 smart contract.
According to ParaSwap, the vulnerability affected 386 addresses in total. As of March 25, 213 addresses had not yet revoked their permits for the defective contract.