Yesterday’s $62 million hack of NFT-gaming project Munchables caused a stir amongst the crypto community, with calls for Blast’s core team to manually undo the damage on the centralized rollup.
Fortunately, such controversial action turned out to be unnecessary. Once it became clear that they were unable to get away with their ill-gotten gains, the rogue developer responsible for the theft returned the funds to the Blast team.
$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…
— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024
Read more: Crypto game exploited for $4.6M, hacker claims to be white-hat
As with The DAO hack on Ethereum in 2016, the incident forces us to consider the implications of interfering with what are supposed to be immutable ledgers.
The hack
Although the ‘hack’ itself was simple, it had been planned well in advance.
Before launch, a rogue developer used their admin access to assign themselves a hefty ether balance in a previous, unverified implementation of the Munchables contract.
Later, when deposits began to stream into the upgraded contracts, the exploiter’s address had plenty of ETH to drain the funds, withdrawing approximately 17,400 ETH, worth over $62 million at the time.
The developer also had admin access to a contract holding over $30 million in funds deposited by another Blast-based project, Juicebox. Centralization risk was identified as low severity in the project’s audit, and the developer’s preparations seemingly went unnoticed.
The culprit
Blockchain sleuth ZachXBT initially suspected that the developer responsible was part of the DPRK’s Lazarus Group of state-sponsored hackers, pointing the finger at a GitHub profile named ‘Werewolves0493.’
not even joking it’s this clown pic.twitter.com/V0Cg4st91t
— ZachXBT (@zachxbt) March 26, 2024
He also suggested that four of the project’s ‘developers’ may in fact be the same individual, as they were linked by on-chain transfers and through deposits to shared exchange addresses.
PixelCraft Studios’ CEO, who goes by coderdan.eth on X (formerly Twitter), shared his run-in with the same developer, who was fired “within a month.” Judging by deposits to their Binance addresses, ChainArgos believe the developer has had a handful of short-term jobs over the past 18 months.
Whether this individual was connected to Lazarus or not, attempting to infiltrate crypto teams is a known technique used by the hacking group.
The dilemma
Ever since the US Treasury’s sanctioning of crypto mixer Tornado Cash, credible censorship resistance has become an important measure of a blockchain’s decentralization. The hope is that if there’s no single entity to accuse of interacting with sanctioned addresses, then there’s nobody to prosecute.
Likewise, though, if a US-based development team has sufficient admin powers to revert the effects of hacks or the actions of sanctioned entities, it may find itself obliged to do so.
Precedents have been set in the past. Last year, Jump Crypto conducted a ‘counter-exploit’ to recover the 120,000 ETH lost in 2022’s Wormhole hack, worth over $300 million at the time.
Also in 2022, Binance-linked BNB Chain was halted by its validators, ensuring that the proceeds of a $600 million bridge hack couldn’t be siphoned to other, less censorable chains.
Blast itself isn’t exactly a prime example of crypto’s ‘trustlessness’ ethos, nor is it a paragon of decentralization.
so people sent billions to a multisig to farm points with the promise of a centralised L2 with forked code from OP without fraud proofs
— Cattin☆彡 (@Cattin0x) March 26, 2024
and now some think decentralisation matters to them? lmeow
Read more: Critics decry Blast as the latest sketchy scheme on Ethereum
When Blast was launched, alongside a FOMO-inducing points program, it offered ‘native yield’ on ETH and stablecoins, despite deposits simply going into a multisig wallet while the network itself was being built.
Blast’s status as a mostly experimental sandbox which doesn’t prioritize decentralization as much as other networks led some to believe that using centralized powers to manually revert unsavoury activities should be encouraged in order to make users whole.
But others argue that such a move could be seen as a sign of approval for other centralized rollups (e.g. Optimism and Base) that might be forced to censor their network activity.
This may be a good time to remind you that there’s no difference between Base and Blast pic.twitter.com/Qzx0ZR80Nc
— Eric Wall | OP_😺 (@ercwl) March 27, 2024
The DAO
The debate brought back memories of 2016’s The DAO hack which, incidentally, involved a similar dollar amount lost (3.6M ETH, which would be worth almost $13B today).
Yep, this was my point: back then that dollar amount was a significant portion of the supply and an existential risk to the chain.
— Googly (👀,🫡) (@0xG00gly) March 26, 2024
Nowadays $60m is just another Tuesday in North Korea.
Read more: Ethereum’s Dencun causes ‘Blast’ layer 2 outage
The ‘hard fork’, designed to reverse the damage, resulted in a chain split leading to today’s Ethereum mainnet and the continuation of the pre-fork chain, now known as Ethereum Classic.
Given the frequency at which Ethereum users have been exposed to losses of $60 million and above since then, a hard fork to remedy a hack seems almost unthinkable.