Munchables Developer Returns $62.8M in Ether Post-Exploit
Munchables announced on March 27 that one of its developers, who was responsible for the recent breach, had returned $62.8M worth of Ether.
This development came after a series of negotiations with the developer, who decided to return the stolen funds and assets without demanding a ransom.
Munchables Collaboration With Blockchain Investigators Yields Recovery
The GameFi platform disclosed in an X post that the identified hacker has cooperated and “shared all the private keys involved to assist in recovering the user funds.” That includes the private key that holds $62.53M, another linked to 73 Wrapped Ether (WETH), and the owner key that has the remaining funds.
The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.
— Munchables (@_munchables_) March 27, 2024
This recovery followed Munchables’ announcement of a breach on its platform on March 26, in which it revealed plans to actively track the hacker’s movements in an attempt to intercept transactions.
Munchables has been compromised. We are tracking movements and attempting to stop the transactions. We will update as soon as we know more.
— Munchables (@_munchables_) March 26, 2024
Meanwhile, blockchain investigator ZachXBT was quick to respond to the gaming platform’s distress announcement with the address of the alleged hacker, which had a balance of $62.45M in Ether.
According to DeBank data, the identified wallet address’s transaction history showed interactions with the Munchables protocol at 9:26 am UTC and a movement of 17,413 ETH.
This was followed by a transfer of $10,700 worth of ETH from the hacker’s address through the Orbiter Bridge, with an additional 1 ETH sent to a new wallet address.
ZachXBT claimed that a North Korean developer hired by Munchables, with the alias “Werewolves0943,” perpetrated the theft.
Munchables also confirmed that the identified hacker was one of its ex-developers and updated users on the situation following an hour of negotiations, during which the hacker agreed to return the stolen funds.
https://x.com/_munchables_/status/1772846122236862789?s=20
In response to the theft and quick recovery of the funds, Pacman, the pseudonymous creator of the Ethereum layer-2 blockchain Blast, reiterated that the ex-developer chose to voluntarily return the funds without pressing any demands.
He further disclosed that Blast will support the Munchables team in distributing funds back to users freely, while warning victims of the hack to be wary of refund scams.
$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…
— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024
Pacman acknowledged and appreciated the important role that ZachXBT played behind the scenes to aid the recovery of funds.
Munchables Breach Raises Questions About Decentralized Networks’ Ethos
Munchables is a new Blast-based GameFi platform that revolves around NFT creatures. The protocol enables players to stake BlastETH and Blast USD to farm Blast points and get in-game perks as rewards.
In the heat of the breach and the resulting theft, crypto community members on X, particularly @0xCygaar, suggested that the Blast team could intervene and return the stolen funds, since it controls the bridge contract that holds funds and assets.
Technically, the Blast team could recover the $62m lost in the Munchables exploit since they control the bridge contract that holds the bridged ETH/stETH.
It wouldn't set a good precedent for future exploits/issues, but it is possible.
An invalid state root would need to be…
— cygaar (@0xCygaar) March 26, 2024
To do this, the Blast team would need to force an invalid state root, which would essentially erase the hacked transaction. However, this process would likely require halting the entire chain, which could have significant implications and disrupt operations.
I don't think any rollup has done something like this on mainnet yet but the bridge contracts are upgradeable.
The upgradeability was mostly for any bugs related to fault/validity proving, but a catastrophic exploit might be reasonable enough.
Not a decision for me to make tho
— cygaar (@0xCygaar) March 26, 2024
However, others opposed the idea, believing it would promote centralized intervention, which runs against the ethos of decentralized networks.
Cinneamhain Ventures partner Adam Cochran noted that it wouldn’t be out of character for Blast to step in and recover funds.
He disagreed with centralized intervention but reiterated that he sees Blast not as a brand of serious decentralized chain but as a hub for games.
Will be a weird take coming from me, but feels like Blast multisig should roll it back.
While I’m strongly against this action on any other chain, I don’t take Blast as a brand of “serious decentralization chain” but instead as a place for games, experiments, degenry, etc
Given… https://t.co/gCKadY4VJL
— Adam Cochran (adamscochran.eth) (@adamscochran) March 26, 2024
0xCygaar’s and Cochran’s remarks highlight a debate within the crypto community about the balance between decentralization and user protection in cases of security breaches.