{"id":9349,"date":"2024-03-28T01:08:46","date_gmt":"2024-03-28T01:08:46","guid":{"rendered":"https:\/\/www.bitrabo.com\/discover\/change-of-heart-gaming-platform-security-breach-ends-with-62m-in-crypto-returned\/"},"modified":"2024-03-28T01:08:46","modified_gmt":"2024-03-28T01:08:46","slug":"change-of-heart-gaming-platform-security-breach-ends-with-62m-in-crypto-returned","status":"publish","type":"post","link":"https:\/\/www.bitrabo.com\/discover\/change-of-heart-gaming-platform-security-breach-ends-with-62m-in-crypto-returned\/","title":{"rendered":"Change Of Heart? Gaming Platform Security Breach Ends With $62M In Crypto Returned"},"content":{"rendered":"

In the late hours of Tuesday, the crypto community saw another exploit. Munchables, the Ethereum Layer-2 NFT gaming platform, reported being compromised on an X post.<\/p>\n

The crypto heist, which momentarily stole over $62 million, took a shocking turn of events after the attacker\u2019s identity opened a Pandora\u2019s box.<\/p>\n

<\/span>Crypto Developer Turns Hacker<\/span><\/h2>\n

Yesterday, Munchables, a gaming platform powered by Blast, suffered a security breach that resulted in the theft of 17,400 ETH, worth around $62.5 million. Immediately after the X announcement, crypto detective ZachXBT revealed the sum stolen and the address where the funds had been sent.<\/p>\n

It was later informed that the crypto heist had been an inside job instead of an external one, as one of the project\u2019s developers seemed to be responsible.<\/p>\n

Solidity developer 0xQuit shared on X concerning information about Munchable. The developer pointed out that the smart contract was a \u201cdangerously upgradeable proxy with an unverified implementation contract.\u201d<\/p>\n

\n

the Munchables exploit has been planned since deploy.<\/p>\n

Munchables is a dangerously upgradeable proxy, and it has been upgraded.<\/p>\n

Instead of upgrading from a benign implementation to a malicious one, they did the reverse here<\/p>\n

1\/<\/p>\n

— quit.q00t.eth (\"👀\",\"🦄\") (@0xQuit) March 26, 2024<\/a><\/p>\n<\/blockquote>\n

The exploit seemingly wasn\u2019t \u201cnothing complex\u201d as it consisted of asking the contract for the stolen funds. However, it required the attacker to be an authorized party, confirming that the heist was a scheme carried out inside the project.<\/p>\n

After a deep dive into the matter, 0xQuit concluded that the attack had been plotted since deployment. Munchable\u2019s developer used the contract’s upgradable nature to \u201cassign himself an enormous ether balance before changing the contract implementation to one that appeared legit.\u201d<\/p>\n

The developer \u201csimply withdrew the balance\u201d when the total value locked (TVL) was high enough. DeFiLlama data shows that, before the exploit, Munchables had a TLV of $96.16 million. At writing time, the TVL has plummeted to $34.05 million.<\/p>\n

As reported by BlockSec, the funds were sent to a multi-sig wallet. The attacker eventually shared all private keys with the Munchables team. The keys gave access to $62.5 million in ETH, 73 WETH, and the owner key, which contained the rest of the project\u2019s funds. According to Solidity developer\u2019s calculations, the total amount neared $100 million.<\/p>\n

\n

The fund is currently in a multisig wallet 0x4D2F75F1cF76C8689b4FDdCF4744A22943c6048C, with the threshold 2\/3. Owners are 0xFfE8d74881C29A9942C9D7f7F55aa0d8049C304A, 0xe0C5B8341A0453177F5b0Ec2fcEDc57f6E2112Bc, 0x94103f5554D15F95d9c3A8Fa05A9c79c62eDBD6f <\/a><\/p>\n

— BlockSec (@BlockSecTeam) March 27, 2024<\/a><\/p>\n<\/blockquote>\n

<\/span>Change Of Heart Or Fear Of The Crypto Community?<\/span><\/h2>\n

Unfortunately, crypto exploits, hacks, and scams are common in the industry. Most play out similarly, with hackers taking massive sums and investors looking at their empty pockets.<\/p>\n

This time, the incident turned out more thrilling than usual, as the identity of the developer-turned-hacker untangled a web of lies and deception. As ZachXBT suggested, Munchable\u2019s rogue developer was North Korean, seemingly tied to the Lazarus group.<\/p>\n

However, the movie doesn\u2019t end there: the blockchain investigator revealed<\/a> that four different developers hired by Munchables\u2019 team were linked to the exploiter, and it seemed like they were all the same person.<\/p>\n

\n

the developers pic.twitter.com\/AYMbwduiLS<\/a><\/p>\n

— a1ex (@a1exxxxxxxxxxx) March 27, 2024<\/a><\/p>\n<\/blockquote>\n

These developers recommended each other for the job and regularly transferred payments to the same two exchange deposit addresses, funding each other wallets. Journalist Laura Shin suggested the possibility of the developers not being the same person but different people working for the same entity, North Korea\u2019s government.<\/p>\n

Pixelcraft Studios CEO added<\/a> that he had done a trial hire with this developer in 2022. During the month the ex-Munchables developer worked for them, he exhibited practices \u201csketchy af.\u201d<\/p>\n

The CEO believes that the North Korean link is possible. Additionally, he revealed that the MO was similar back then, as the developer tried to get \u201chis friend\u201d hired.<\/p>\n

An X user highlighted that the developer\u2019s GitHub name was \u201cgrudev325,\u201d pointing out that \u201cgru\u201d could be related to Russia\u2019s Federal Agency for Foreign Military Intelligence.<\/p>\n

Pixelcrafts\u2019s CEO commented that, at the time, the developer explained that the nickname was born after his love for the character Gru from the Despicable Me movies. Ironically, the character in question is a supervillain who spends most of the movie trying to steal the moon.<\/p>\n

\n

didn't even know that was a thing lmeow, this is how he explained it @zachxbt<\/a> pic.twitter.com\/jTMj62GGb2<\/a><\/p>\n

— coderdan.eth | aavegotchi \"👻\"\"💊\" (@coderdannn) March 27, 2024<\/a><\/p>\n<\/blockquote>\n

Whether he was trying to steal the moon and failed like Gru, the developer ultimately returned the funds without asking for \u201ccompensation.\u201d Many users believe that the suspicious \u201cchange of heart\u201d results from ZackXBT\u2019s deep dive into the attacker\u2019s web of lies and the threats made.<\/p>\n

This thriller ends with the crypto investigator\u2019s reply to a now-deleted post. In his reply, the detective threatened<\/a> to destroy the developer and all his \u201cother North Korean devs hard on-chain your country has another blackout.\u201d<\/p>\n

\"Ethereum,<\/p>\n