March 28, 2024
Analysis of Blast DeFi Project Munchables Hack
On March 27, 2022, according to monitoring by the Beosin KYT anti-money laundering analysis platform, Munchables, a Web3 game platform in the Blast ecosystem, suffered a hacker attack. The attacker profited approximately 17,413.96 ETH, and the project lost over $62 million.
Munchables is a Blast Big Bang award-winning project that recently announced the completion of a Pre-Seed financing round co-led by Manifold and Mechanism Capital.
After Munchables announced the attack, its TVL dropped sharply from $96 million to a little over $34 million. The Beosin security team analyzed the incident immediately.
● Attack transactions
https://blastexplorer.io/tx/0x3d08f2fcfe51cf5758f4e9ba057c51543b0ff386ba53e0b4f267850871b88170
https://blastexplorer.io/tx/0x9a7e4d16ed15b0367b8ad677eaf1db6a2a54663610696d69e1b4aa1a08f55c95
● Attacker address: 0x6e8836f050a315611208a5cd7e228701563d09c5
● Contract under attack: 0x29958e8e4d8a9899cf1a0aba5883dbc7699a5e1f
Vulnerability analysis
Earlier, on-chain detective ZachXBT investigated the cause of the attack and said that Munchables was likely compromised because it had hired North Korean hackers posing as developers.
ZachXBT said: "Four different developers employed by the Munchables team are related to the exploiter and are likely the same person. They recommended each other for work, regularly transferred funds to the same two exchange deposit addresses, and topped up each other's wallets."
The Beosin security team's analysis found that the attack was made possible by a North Korean hacker who, working as a developer on the project, used the contract upgrade function to plant his own mortgage (staking) ledger entry in advance; once the contract had accumulated funds, the ETH was withdrawn by calling the unlock function.
Attack process
Attack preparation phase:
The hacker, acting as a developer, pre-created the implementation contract 0x910fFc04A3006007A453E5dD325BABe1e1fc4511 containing the backdoor and pre-set the hacker's own mortgage ledger entry to a maximum value.
Attack phase:
The attacker called the unlock function to withdraw ETH. Because the mortgage ledger entry had already been set during the preparation stage, the balance check was trivially passed.
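One way a defender can catch a ledger entry planted through an upgrade, as an added example that is not Beosin's or Munchables' code: rebuild each account's locked balance from the contract's own lock/unlock events and compare it with the ledger read from storage after the upgrade. The event shapes, account labels and amounts below are constructed sample data; on a real chain they would come from event logs and storage reads around the upgrade transaction.

```python
from collections import defaultdict

WEI = 10**18

# Constructed sample events emitted by the contract's own lock/unlock
# functions. A ledger entry written straight into storage by a malicious
# implementation leaves no trace here, which is what makes it detectable.
EVENTS = [
    {"type": "Locked",   "account": "0xuser1", "amount": 50 * WEI},
    {"type": "Locked",   "account": "0xuser2", "amount": 30 * WEI},
    {"type": "Unlocked", "account": "0xuser1", "amount": 10 * WEI},
]

# Constructed sample ledger mapping read from proxy storage after the upgrade.
LEDGER_AFTER_UPGRADE = {
    "0xuser1": 40 * WEI,
    "0xuser2": 30 * WEI,
    "0xbackdoor": 2**256 - 1,  # hypothetical seeded entry, never deposited
}

# Constructed: ETH actually held by the contract (sum of honest deposits).
CONTRACT_BALANCE = 70 * WEI


def expected_ledger(events):
    """Rebuild each account's locked balance from lock/unlock events alone."""
    balance = defaultdict(int)
    for ev in events:
        sign = 1 if ev["type"] == "Locked" else -1
        balance[ev["account"]] += sign * ev["amount"]
    return dict(balance)


def find_unbacked_entries(ledger, events, contract_balance):
    """Return (anomalies, over_claim): ledger entries the event history
    does not explain, and how far total ledger claims exceed real funds."""
    expected = expected_ledger(events)
    anomalies = {
        acct: {"ledger": amt, "expected": expected.get(acct, 0)}
        for acct, amt in ledger.items()
        if amt != expected.get(acct, 0)
    }
    over_claim = sum(ledger.values()) - contract_balance
    return anomalies, over_claim


if __name__ == "__main__":
    anomalies, over = find_unbacked_entries(LEDGER_AFTER_UPGRADE, EVENTS, CONTRACT_BALANCE)
    for acct, info in anomalies.items():
        print(f"ALERT {acct}: ledger={info['ledger']} expected={info['expected']}")
    print("ledger reconciles" if over <= 0 else f"ledger over-claims {over} wei")
```

Running this check on the storage state right after every upgrade transaction, before the new implementation is allowed to serve withdrawals, turns a silent storage write into an alert.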
After the theft, Munchables followed up on its earlier social-media announcement about shared private keys, stating that the keys were shared to help security personnel recover user funds. Specifically, they were the private key holding $62,535,441.24 in crypto assets, the private key holding 73 WETH, and the owner's private key holding the remaining funds.
While the project team and users were still anxious, at 14:00 Beijing time the Munchables attacker returned all 17,000 ETH to a multi-signature wallet.
As of publication, the stolen funds have been returned to the multi-signature contract.
Half an hour later, Blast founder Pacman announced on the Currently worth $96 million). Thanks to the former Munchables developer who chose to finally return all funds without any ransom. Munchables also retweeted the announcement saying: "All user funds are safe, no locks will be enforced, and all Blast-related rewards will be distributed. Updates will be made in the coming days."
At the same time, Juice, which had also been affected by the Munchables attack, announced that its funds were safe: all of its wETH has been retrieved from the Munchables developers, and Juice is coordinating with Pacman and Blast to transfer the wETH back to Juice so that users can withdraw.
The twists and turns of the incident are remarkable. Although the reason the hacker returned the funds is still unknown, the episode has once again sounded the alarm and underlined the importance of security.
As one of the first blockchain security companies in the world to engage in formal verification, Beosin focuses on the "security + compliance" solution. It has offices in 10+ countries and regions and provides "All-in-One" blockchain compliance products + security services covering Smart Contract Audit, On-chain Risk Monitoring & Blocking, Crypto Tracing, Virtual Asset Anti-money Laundering (AML), and Compliance Assessments to meet regulatory requirements.