On Tuesday night, the crypto community witnessed yet another exploit as Munchables, an Ethereum Layer-2 NFT gaming platform, revealed being compromised in a post on X. The attacker managed to steal over $62 million in crypto before a surprising turn of events revealed their identity.
A Crypto Developer Became a Hacker
Yesterday, the Munchables gaming platform, which operates on Blast, experienced a security breach resulting in the theft of 17,400 ETH, equivalent to approximately $62.5 million.
Following an announcement on X, crypto investigator ZachXBT promptly disclosed details regarding the stolen sum and the destination address of the funds.
Subsequent revelations indicated that the crypto theft was an inside job rather than an external attack, with one of the project's developers being implicated.
Solidity developer 0xQuit shared crucial insights on X regarding Munchables, highlighting that the smart contract was an "extremely upgradable proxy with an unverified implementation contract."
The exploit appeared to be relatively straightforward, involving a request to the contract for the stolen funds. However, it necessitated the attacker to have authorized access, confirming that the heist was orchestrated from within the project.
Following a thorough investigation, 0xQuit determined that the attack had been meticulously planned from the moment of deployment. Munchables' developer exploited the contract's upgradability to allocate a substantial ether balance to themselves before switching to an implementation contract that seemed legitimate.
Subsequently, the developer effortlessly withdrew the balance once the total value locked (TVL) reached a significant level. Data from DeFiLlama indicates that before the exploit, Munchables boasted a TVL of $96.16 million. As of the latest update, the TVL has drastically declined to $34.05 million.
A Change in Mindset or A Fear of The Crypto Community?
Unfortunately, occurrences of crypto exploits, hacks, and scams are prevalent in the industry. Typically, hackers abscond with substantial sums, leaving investors empty-handed. However, this particular incident took an unexpected turn when the identity of the developer-turned-hacker was revealed, unraveling a web of deceit and deception. As hinted by ZachXBT, the rogue developer behind Munchables was allegedly North Korean and potentially linked to the Lazarus group.
However, the story doesn't conclude there: the blockchain investigator uncovered that four distinct developers contracted by Munchables' team were connected to the exploiter, indicating that they might all be the same individual.
March 2024, Cryptonitauae