Munchables, a Web3 gaming platform built on the Ethereum Layer 2 solution Blast, lost $97 million in an exploit. The hacker returned the funds unconditionally.
$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…
— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024
On March 26, the team reported the incident. Munchables stated they were tracking the movement of funds and attempting to halt transactions.
Renowned on-chain researcher ZachXBT identified the hacker’s wallet, which held 17,400 ETH ($62.5 million). The expert suggested the perpetrator was a North Korean developer hired by the project who posed as four different individuals.
Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they:
>recommended each other for the job
>regularly transferred payments to the same two exchange deposit addresses
>funded each other's wallets
Github Username… https://t.co/Q0scxp6AxK pic.twitter.com/Pjjo4uKXPE
— ZachXBT (@zachxbt) March 27, 2024
On March 27, the Munchables team announced that the developer agreed to return access to all withdrawn funds. According to the statement, he provided private keys to addresses containing $62.5 million, 73 WETH, and other assets.
The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.
— Munchables (@_munchables_) March 27, 2024
According to Pacman, the founder of the NFT marketplace Blur and the Blast project, the network’s developers received all coins worth $97 million into a multisig wallet. The hacker allegedly returned them without any reward.
“It is important for all development teams, whether directly affected or not, to learn from this and take precautions to approach security more diligently,” the entrepreneur emphasized.
Back in the early days of Blast, the first rug pull occurred even before the mainnet launch — the founders of the gaming platform RiskOnBlast withdrew 420 ETH ($1.25 million at the time).
