en
Back to the list

Blast NFT Game Munchables Recovers $62 Million Stolen in Exploit

source-logo  decrypt.co 27 March 2024 06:41, UTC

Decrypt’s Art, Fashion, and Entertainment Hub.

Discover SCENE

NFT game Munchables, which is on recently launched Ethereum Layer 2 Blast, lost $62 million last night in an exploit. But early this morning the team had good news for its community: "All funds are safe."

All user funds are safe, lockdrops will not be enforced, all blast related rewards will be distributed as well. Updates to follow in the coming days. https://t.co/ZukNfTFTWf

— Munchables (@_munchables_) March 27, 2024

Very early this morning, the Munchables team said on Twitter that a developer attached to the project had "agreed to share the keys for the full Munchables funds without any condition." The wording in the team's message and another by Blur and Blast founder, Tieshun Roquerre, seems to confirm that the exploit was carried out by an insider who worked on the game.

Within an hour of the tepidly good news, the Munchables account said the developer had "shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds."

$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…

— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024

Not long after, it appeared the Munchables team sent a few test transactions and then moved the $62 million from the exploiter wallet into a multi-signature wallet.
Alleged Munchables exploiter wallet transactions on BlastScan.io.
Roquerre, who goes by Pacman on Twitter, warned that Munchables and "protocols integrating with it like @juice_finance were affected." Juice Finance is a points farming protocol to help users maximize their yield and eligibility for airdrops across the Blast ecosystem.
But that's not all. There's now fake Munchables accounts in the replies, asking users to check their eligibility to reclaim funds by clicking a link.
Screenshot of a fake Munchables account in the replies on Twitter.
Blast is a Layer-2 scaling solution, like Arbitrum, Optimism, or Coinbase-incubated Base. It has experienced rapid growth after launching its mainnet in February. And as of Wednesday morning, it was the fourth-largest L2 with $2.7 billion worth of total value locked and nearly tied with Base.

What's more, Blast has been gearing up for a $1.3 billion airdrop in May. Earlier this year, the team behind Blast released a guide on how users and developers can earn Blast Points for using or building on the L2.

The developer for SLERF, the Solana meme coin project that accidentally burnt $10 million worth of presale funds just as it launched, seemed relieved to have the spotlight off their gaffe.

Oh fuck

— Slerf (@Slerfsol) March 26, 2024

decrypt.co