Key Takeaways
Last week, a rogue developer drained over 17,400 ETH from Munchables – a new NFT game built on Blast.
Luckily, the thief agreed to return the stolen funds without demanding a ransom. But the Munchables team has learned some important lessons about Web3 security.
Before last week's incident, Munchables appears not to have implemented even the most basic measures to secure deposits.
To sum up what happened: Munchables used a lock contract meant to ensure users could only withdraw the amount they had deposited. However, the developer hired to write the contract assigned themselves a balance of 1,000,000 ETH before upgrading the contract to one that looked legitimate.
https://twitter.com/0xQuit/status/1772764460647846273
The incident highlights the importance of implementing protocols to ensure that no single party can manipulate contracts. Accordingly, the project is now completely restructuring its contract management system to ensure the same thing doesn’t happen again.
From a security perspective, the fact that a single developer was able to exploit Munchables’ smart contracts without raising any red flags is extremely concerning.
While contract upgradability isn’t necessarily a bad thing, it introduces vulnerabilities that Web3 projects need to be aware of.
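As an added illustration (this is not the Munchables contract, whose code the article does not show), here is a minimal upgradeable lock in Solidity whose upgrade path is gated by an admin address that is expected to be a multisig, plus a timelock. The contract names, the `example.lockproxy.*` slot labels and the `delay` parameter are assumptions; the EIP-1967 implementation slot is the standard one. It demonstrates the mechanism behind the incident described above: storage belongs to the proxy and survives every upgrade, so a balance written by one implementation is still there when a cleaner-looking implementation is installed. The effective controls are therefore who can upgrade, how many signatures that takes, and how much time reviewers have to inspect both the new code and the proxy's existing storage before the change takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal delegatecall proxy. All state (every user's locked balance) lives in
/// THIS contract's storage; an implementation only supplies code. Whatever an
/// earlier implementation wrote survives an upgrade to a new, clean-looking one.
contract TimelockedLockProxy {
    // EIP-1967 implementation slot plus two hashed slots (labels are assumptions)
    // for the pending upgrade, so proxy bookkeeping never collides with the
    // implementation's own storage layout.
    bytes32 internal constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 internal constant PENDING_IMPL_SLOT = keccak256("example.lockproxy.pendingImpl");
    bytes32 internal constant PENDING_ETA_SLOT = keccak256("example.lockproxy.pendingEta");

    address public immutable admin; // expected to be a multisig, never a single key
    uint256 public immutable delay; // seconds between proposing and executing an upgrade

    event UpgradeProposed(address indexed impl, uint256 eta);
    event Upgraded(address indexed impl);

    constructor(address admin_, uint256 delay_, address initialImpl) {
        require(initialImpl.code.length > 0, "not a contract");
        admin = admin_;
        delay = delay_;
        _store(IMPL_SLOT, uint256(uint160(initialImpl)));
        emit Upgraded(initialImpl);
    }

    /// Step 1: the proposal sits on-chain for `delay` seconds before it can take
    /// effect, giving signers and monitors time to review the new code and the
    /// current storage (e.g. whether any balance exceeds what was ever deposited).
    function proposeUpgrade(address impl) external {
        require(msg.sender == admin, "not admin");
        require(impl.code.length > 0, "not a contract");
        uint256 eta = block.timestamp + delay;
        _store(PENDING_IMPL_SLOT, uint256(uint160(impl)));
        _store(PENDING_ETA_SLOT, eta);
        emit UpgradeProposed(impl, eta);
    }

    /// Step 2: only the proposed implementation, and only once the delay has elapsed.
    function executeUpgrade() external {
        require(msg.sender == admin, "not admin");
        address impl = address(uint160(_load(PENDING_IMPL_SLOT)));
        require(impl != address(0), "nothing pending");
        require(block.timestamp >= _load(PENDING_ETA_SLOT), "timelock active");
        _store(PENDING_IMPL_SLOT, 0);
        _store(PENDING_ETA_SLOT, 0);
        _store(IMPL_SLOT, uint256(uint160(impl)));
        emit Upgraded(impl);
    }

    /// Lets monitors confirm which code is currently live behind the proxy.
    function implementation() external view returns (address) {
        return address(uint160(_load(IMPL_SLOT)));
    }

    function _load(bytes32 slot) internal view returns (uint256 v) {
        assembly { v := sload(slot) }
    }

    function _store(bytes32 slot, uint256 v) internal {
        assembly { sstore(slot, v) }
    }

    // Every other call (deposit, withdraw, ...) runs the implementation's code
    // against this contract's storage and ETH balance.
    fallback() external payable {
        address impl = address(uint160(_load(IMPL_SLOT)));
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

/// The lock logic behind the proxy: a user can withdraw at most what they deposited.
/// `locked` occupies storage slot 0 of the proxy; every later implementation must
/// keep the same layout and inherits whatever values are already stored there.
contract LockV1 {
    mapping(address => uint256) public locked;
    uint256 public totalLocked;

    function deposit() external payable {
        locked[msg.sender] += msg.value;
        totalLocked += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(locked[msg.sender] >= amount, "exceeds deposit");
        locked[msg.sender] -= amount;
        totalLocked -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Deploy `LockV1`, then the proxy with a multisig as `admin_` and a non-trivial `delay_`, and interact with `LockV1`'s ABI at the proxy address. The `UpgradeProposed` event is the detection hook: an upgrade that appears without a preceding proposal, or a proposal for code nobody has reviewed, is the signal to act during the delay window. Note that the proxy's own public functions (`admin`, `delay`, `implementation`, `proposeUpgrade`, `executeUpgrade`) take precedence over any implementation function with the same selector, which is the reason transparent-proxy designs route admin calls separately.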
In the wake of last week’s events, the Munchables team has onboarded ManifoldTrading and Selini Capital (both venture capital firms that have backed the project) as third-party signatories to a new multi-signature contract that will be responsible for returning users’ funds. The crypto sleuth and Web3 security advocate ZachXBT will join temporarily as a fourth signer.
According to its official channels, Munchables has now “restructured the team completely.”
As the project seeks a fresh start, Manifold and Selini will be responsible for re-auditing and upgrading to new contracts. They will also oversee the developer hiring process going forward.