The Full Story of the $63M Munchables Hack on Blast

March 31, 2024


This week, one of the most surprising exploits of the year happened: the Munchables hack on Blast. Today, we discuss the full story from start to finish. We got to experience this from a front-row seat, because this 63 million dollar hack had about 5 ETH from us in it!

What are Munchables?

The Munchables are an NFT project built on the Blast Layer 2. In short, you would lock up some ETH for a period of 30 to 90 days to receive a few NFTs, which you could feed so-called Schnibbles to level them up.

After the lock-up period, you would be able to claim your ETH back and keep the NFTs. But this story never got that far.

While you had your ETH locked up, you would also earn Blast Points and Blast gold, which made it a good project to list as an Airdrop on our site.

The project won the fierce Blast competition, making it stand out among the hundreds of new projects launching. On top of that, the smart contract was supposedly audited, and it got endorsements and investments from the “smart” influencers on crypto Twitter. To name a few: Dingaling, Cirrus and CBB all put in a serious amount of ETH or bUSD.

It all looked like a great project and a slam dunk to farm some Blast Points and gold. As we mentioned above, we liked this project so much that we even locked up 5 ETH ourselves.

The Munchables Hack

Only a few days in, the project was suddenly exploited and the hacker was able to withdraw a mind-blowing 17400 ETH.

According to 0xQuit, it wasn’t that difficult to do either.

Not long after the money was stolen, it came to light that the exploiter was actually a rogue developer. He built the contract and left a hole in it so he could steal the funds. He waited a few days for everyone to put their ETH in the contract, just to take it out.

On X, people are claiming the hacker is from North Korea.

What Happened Next

All hands on deck! The Blast ecosystem, including Blast/Blur founder PACman and other projects like Juice Finance, started helping to retrieve the funds.

They closed all bridges out of Blast to make sure the funds could not leave the ecosystem. Rumors started about “rolling back” the chain in a style similar to the Ethereum DAO hack, which resulted in the hard fork with Ethereum Classic. In short, this would mean they “hard fork” the Blast chain to a point before the Munchables hack and use that new chain as the main one, meaning anything that happened during and after the hack would be erased. This “rollback” idea received some pushback from the community, as it would recover the funds but would not be a decentralized way of doing so.

Even our favorite on-chain detective ZachXBT got involved, and he showed some serious passion for finding the hacker.

Funds Returned

To everyone’s surprise, the hacker returned the funds to the Munchables project by handing over the private keys of his wallet.

Why, you may ask?

Rumor has it that the hacker is indeed North Korean, but lives in Argentina. As he worked for the Munchables team, they may have information that could lead to his true identity. ZachXBT played a part in this as well.

With all bridges out of Blast closed, the hacker could not get the funds out. And with PACman involved in either rolling back the chain or somehow freezing his funds, the likelihood of the hacker ever getting a single penny became slimmer every minute, all while he risked being doxxed and therefore reported to the local authorities. So the hacker did the only thing he thought he could do: return the ETH.

The funds are currently with the Munchables team, and the victims (including us) are waiting for the ETH to return to our wallets. Holy guacamoly, did we luck out here!

We don’t need to claim anything, it will simply be airdropped back. Hopefully one of these days.

Final Thoughts

There you have it: the full story of the Munchables hack, straight from the perspective of one of the victims. This goes to show that even if a project looks safe, it never really is. You should always be careful, do your own research, and make sure not to invest your life savings. Anything can happen, especially when you play around with new protocols or layer 2s. This time it ended well, but most often the hacker sails off into the sunset with your funds. Stay safe.
