March 28, 2024

Analysis of Blast DeFi Project Munchables Hack


On March 27, 2022, monitoring by the Beosin KYT anti-money laundering analysis platform showed that Munchables, a Web3 game platform in the Blast ecosystem, had been attacked. The hacker took approximately 17,413.96 ETH, a loss of over $62 million.


It is understood that Munchables is a Blast Big Bang award-winning project, and it has recently announced the completion of a Pre-Seed round of financing co-led by Manifold and Mechanism Capital.


After Munchables announced the attack, its TVL dropped significantly from $96 million to more than $34 million. Regarding this incident, the Beosin security team conducted an analysis immediately.


● Attack transactions

https://blastexplorer.io/tx/0x3d08f2fcfe51cf5758f4e9ba057c51543b0ff386ba53e0b4f267850871b88170

https://blastexplorer.io/tx/0x9a7e4d16ed15b0367b8ad677eaf1db6a2a54663610696d69e1b4aa1a08f55c95

● Attacker address: 0x6e8836f050a315611208a5cd7e228701563d09c5

● Contract under attack: 0x29958e8e4d8a9899cf1a0aba5883dbc7699a5e1f


Vulnerability analysis


Earlier, on-chain detective ZachXBT investigated the cause of the attack and said that the theft from Munchables may have happened because North Korean hackers posing as developers were hired.


ZachXBT said: “Four different developers employed by the Munchables team are related to the exploiter and are likely the same person. They recommended each other for work, regularly transferred funds to the same two exchange deposit addresses, and topped up each other’s wallets.”


The Beosin security team's analysis found that the attack came down to the North Korean hacker developer using the contract upgrade function to set up their own mortgage ledger in advance; once the contract had accumulated funds, they withdrew the ETH held in the contract by calling the unlock function.


Attack process


Attack preparation phase:

The hacker developer pre-created the implementation contract 0x910fFc04A3006007A453E5dD325BABe1e1fc4511 containing the backdoor and pre-set the hacker's own mortgage ledger to a maximum value.

Attack phase:

The attacker calls the unlock function to withdraw ETH. Since the hacker has already set up the mortgage ledger during the attack preparation stage, the check is easily bypassed.
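The preparation and attack phases above suggest a monitoring check, shown here as an added example that is not Beosin's or Munchables' code: rebuild every account's locked balance from the deposit and withdrawal event history and compare it with the ledger read from storage, so that an entry written during an upgrade with no deposits behind it stands out. The event names, account labels, amounts and the use of 2**256 - 1 as the "maximum value" are all constructed assumptions.

```python
"""Added example: reconcile a lock contract's ledger against its event history."""
from collections import defaultdict

# Constructed sample data (not taken from the chain). Amounts are in wei.
ETH = 10**18
EVENTS = [  # (event name, account, amount); event names are hypothetical
    ("Locked", "0xalice", 5 * ETH),
    ("Locked", "0xbob", 3 * ETH),
    ("Unlocked", "0xalice", 2 * ETH),
]
# Ledger as read from storage after an implementation upgrade (constructed).
# "0xdev" has an entry at the assumed maximum value with no deposit behind it.
LEDGER = {"0xalice": 3 * ETH, "0xbob": 3 * ETH, "0xdev": 2**256 - 1}
CONTRACT_BALANCE = 6 * ETH


def expected_balances(events):
    """Rebuild each account's locked balance purely from emitted events."""
    balances = defaultdict(int)
    for name, account, amount in events:
        if name == "Locked":
            balances[account] += amount
        elif name == "Unlocked":
            balances[account] -= amount
    return dict(balances)


def reconcile(ledger, events, contract_balance):
    """Return findings where the stored ledger disagrees with the event history."""
    expected = expected_balances(events)
    findings = []
    for account in sorted(set(ledger) | set(expected)):
        stored, backed = ledger.get(account, 0), expected.get(account, 0)
        if stored > backed:  # credit that no deposit event explains
            findings.append(("UNBACKED_ENTRY", account, stored - backed))
        elif stored < backed:  # deposit that the ledger no longer reflects
            findings.append(("MISSING_CREDIT", account, backed - stored))
    total = sum(ledger.values())
    if total > contract_balance:  # ledger promises more than the contract holds
        findings.append(("LEDGER_EXCEEDS_BALANCE", "*", total - contract_balance))
    return findings


if __name__ == "__main__":
    for finding in reconcile(LEDGER, EVENTS, CONTRACT_BALANCE):
        print(finding)
```

Running the same reconciliation immediately after every implementation change, before new deposits arrive, is what would surface a pre-set entry of this kind.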

After the theft, Munchables further explained its earlier social media announcement about sharing private keys, stating that the keys were shared to help security personnel recover user funds. Specifically, the shared keys include the private key that holds $62,535,441.24 in crypto assets, the private key that holds 73 WETH, and the owner’s private key that holds the remaining funds.

While the project team and users waited anxiously, at 14:00 Beijing time the Munchables attacker returned all 17,000 ETH to a multi-signature wallet.


As of the time of publication, the stolen funds have been returned and sent to the multi-signed contract.

Half an hour later, Blast founder Pacman announced on the Currently worth $96 million). Thanks to the former Munchables developer who chose to finally return all funds without any ransom. Munchables also retweeted the announcement saying: "All user funds are safe, no locks will be enforced, and all Blast-related rewards will be distributed. Updates will be made in the coming days."

At the same time, Juice, which was previously affected by the Munchables attack, also announced the safety of its funds. All its wETH has been retrieved from the Munchables developers. Juice is coordinating with Pacman and Blast to transfer wETH back to Juice so that users can withdraw funds.

The twists and turns of the whole incident are surprising. Although we still don’t know the reason why the hacker returned the funds, this experience has once again sounded the alarm for security and made us deeply aware of the importance of security.


As one of the first blockchain security companies in the world to engage in formal verification, Beosin focuses on the "security + compliance" solution. It has offices in 10+ countries and regions and provides "All-in-One" blockchain compliance products + security services covering Smart Contract Audit, On-chain Risk Monitoring & Blocking, Crypto Tracing, Virtual Asset Anti-money Laundering (AML), and Compliance Assessments to meet regulatory requirements.

