Munchables has recovered the funds previously lost to an exploit and has proceeded with refund procedures for impacted users.
According to the latest social media update posted by Munchables, the web3 gaming platform fully recovered the lost funds after the exploiter voluntarily returned them, avoiding the need for a ransom.
All user funds are safe, lockdrops will not be enforced, all blast related rewards will be distributed as well. Updates to follow in the coming days. https://t.co/ZukNfTFTWf
— Munchables (@_munchables_) March 27, 2024
The incident unfolded when the exploiter targeted a vulnerability in the game’s contract system. This breach allowed the unauthorized withdrawal of about 17,414 ETH, equating to nearly $62.5 million.
ZachXBT discovered connections between four addresses involved in the Munchables exploit, suggesting they might be the same individual. “Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they recommended each other for the job,” he stated.
He also noted that these developers frequently moved funds to identical exchange deposit addresses. To raise awareness, ZachXBT listed the exploiter’s GitHub usernames, alerting the community to these activities.
A vulnerability within the platform’s smart contract allowed the developer to assign an artificially high balance to their own account. By manipulating the contract’s upgradeability, the ex-developer was able to bypass the normal transaction validation process.
“$97m has been secured in a multisig by Blast core contributors,” said Blast founder and Blur co-founder Tieshun “Pacman” Roquerre. “Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return