Munchables, a GameFi project built on Blast, recently disclosed a loss of $62 million to a hack. A further $25 million held in a connected Juice Finance vault was spared because of an apparent typographical error.
By blacklisting the hacker's address, the network managed to isolate the funds and persuade the attacker to hand over the private keys. There are other peculiarities, however: on-chain evidence presented by investigator ZachXBT suggests that the perpetrator operated under several pseudonyms.
An Evil Within
Following the incident, ZachXBT noted on X that four different developers hired by the Munchables team and linked to the exploiter are likely all the same individual. Juice Finance users were also exposed, according to Chief Operating Officer Eric Ryklin: they had used a vault and bot system designed to play the game and accumulate valuable points quickly.
Juice Finance independently assessed the Munchables code before launching its own product. Ryklin stated that the malicious exploit was not found in their code, nor in their actual audit, before further claiming that this individual implemented an upgrade that went unnoticed and unverified. Doing so essentially granted the individual access to three wallets with unlimited withdrawal capabilities, in addition to holding the keys to the upgrader and the main deployer wallet, he explained.
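An upgrade that "went unnoticed and unverified" is the kind of change a proxy monitor is meant to catch. The following is an added example, not code from the article or from Munchables or Juice Finance: it watches the EIP-1967 implementation slot of a proxy across block snapshots and flags any implementation change that is not on a list of reviewed implementations. The snapshot values and the addresses are constructed stand-ins for what `eth_getStorageAt` would return.

```python
# Added example (not from the article): flag a proxy implementation change that was
# not on the reviewed/approved list, using the EIP-1967 implementation storage slot.
# Snapshots below are constructed stand-ins for eth_getStorageAt results.

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


def slot_to_address(word_hex: str) -> str:
    """A storage word is 32 bytes; the implementation address is its low 20 bytes."""
    word = int(word_hex, 16)
    return "0x" + format(word & ((1 << 160) - 1), "040x")


def detect_upgrades(snapshots, approved):
    """snapshots: list of (block_number, storage_word) for the impl slot, in block order.
    approved: set of lowercase implementation addresses that passed review/audit.
    Returns one event per implementation change, marking whether the new code was approved."""
    events = []
    prev = None
    for block, word in snapshots:
        impl = slot_to_address(word).lower()
        if prev is not None and impl != prev:
            events.append({"block": block, "old": prev, "new": impl,
                           "approved": impl in approved})
        prev = impl
    return events


# Constructed sample: the proxy points at IMPL_A (reviewed), then is silently
# switched to IMPL_B (never reviewed) at block 300. Addresses are placeholders.
IMPL_A = "0x" + "a1" * 20
IMPL_B = "0x" + "b2" * 20
SAMPLE_SNAPSHOTS = [
    (100, "0x" + "00" * 12 + "a1" * 20),
    (200, "0x" + "00" * 12 + "a1" * 20),
    (300, "0x" + "00" * 12 + "b2" * 20),
]
APPROVED = {IMPL_A}

if __name__ == "__main__":
    for e in detect_upgrades(SAMPLE_SNAPSHOTS, APPROVED):
        status = "approved" if e["approved"] else "UNREVIEWED"
        print(f"block {e['block']}: implementation {e['old']} -> {e['new']} ({status})")
```

In a live setup the storage words come from periodic `eth_getStorageAt(proxy, EIP1967_IMPL_SLOT)` calls, and an unreviewed event should also trigger a check of who holds the upgrader and deployer keys.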
Damage Control
Juice and Munchables shared investors, and both teams were in regular contact in the run-up to the theft, Ryklin revealed. The malicious actor, who was employed by Munchables, sat in a group chat that included the Juice team. Ryklin recalled that they first encountered this individual in a developer Discord within the community, and it only became clear after the hack that the team did not own their contracts.
The hacker reportedly inserted three sleeper wallets into the live contract, which went unnoticed at first, Ryklin stated. The moment he initiated a transaction, however, that sleeper wallet would become public, enabling the Blast sequencer to blacklist him. A spokesperson for security firm CertiK said it was highly unusual for funds to be returned to a project by a malicious DPRK-affiliated worker, referring to agents of the North Korean government. They assessed that it could instead have been a rogue developer who, once their identity was revealed, chose to return the funds under pressure from the Web3 community in order to avoid further backlash.