Web3 Game Munchables Loses $62.5 Million to Exploit: ZachXBT

News Room
By News Room 4 Min Read

Last updated:

| 1 min read

The web3 gaming platform Munchables experienced a significant security breach, losing $62.5 million in Ethereum due to an exploit on the Blast network.

Munchables confirmed the exploit through a post on social media, stating the loss occurred on March 26. “Munchables has been compromised,” said Munchables. “We are tracking movements and attempting to stop the the transactions. We will update as soon as we know more.”

Investigation Suggests Potential Link to Munchables Insider


According to ZachXBT, the crypto “detective,” the exploiter extracted nearly 17,414 ETH with a total value of $62.5 million as indicated by Blastscan.

ZachXBT then made some more digging and discovered that the exploit could be initiated by a Munchables employee, since they have been recruited as four developers.

“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they recommended each other for the job,” said ZachXBT.

The suspect also “regularly transferred payments to the same two exchange deposit addresses” and “funded each others wallets.” ZachXBT included the alleged exploiter’s GitHub usernames in the post, alerting the community.

Exploit Rooted in Upgrade Manipulation


Solidity developer 0xQuit revealed in a post that the exploit was premeditated, highlighting that a developer had modified the Lock contract to a new version just before the game’s release. This contract is designed to secure tokens for a set period.

“The Munchables exploit has been planned since deploy,” said 0xQuit, stating that the platform is a “dangerously upgradeable proxy.” The exploiter was able to abuse the upgrade and implementation to assign themselves 1 million ETH so they could withdraw the deposit.

“If you never knew about the original implementation, the contract would look just fine,” explained 0xQuit. “Even if the dev had transferred ownership back to the team, the damage was done,” the author added, discouraging upgradeability.

Responding to the devastating incident, the team has announced to provide all relevant private keys to aid in the retrieval of user funds. This includes the key associated with $62,535,441.24 USD, another holding 73 WETH, and the owner key that secures the remaining funds.



Read the full article here

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *