Munchables Retrieves All Funds from Exploiter, Refund in Progress
Munchables has recovered the funds previously lost to an exploit and has begun refund procedures for impacted users.
According to the latest social media update posted by Munchables, the web3 gaming platform recovered the lost funds in full after the exploiter voluntarily returned them, avoiding the need for a ransom.
All user funds are safe, lockdrops will not be enforced, all blast related rewards will be distributed as well. Updates to follow in the coming days. https://t.co/ZukNfTFTWf
— Munchables (@_munchables_) March 27, 2024
Munchables Loses $62.5 Million in Exploit
The incident unfolded when the exploiter targeted a vulnerability in the game’s contract system. This breach allowed the unauthorized withdrawal of about 17,414 ETH, equating to nearly $62.5 million.
ZachXBT discovered connections between four addresses involved in the Munchables exploit, suggesting they might be the same individual. “Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they recommended each other for the job,” he stated.
He also noted that these developers frequently moved funds to identical exchange deposit addresses. To raise awareness, ZachXBT listed the exploiter’s GitHub usernames, alerting the community to these activities.
A vulnerability in the platform’s smart contract allowed the developer to assign an artificially high balance to their own account. By manipulating the contract’s upgradeability, the ex-developer was able to bypass the normal transaction validation process.
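A simplified Python model of the class of issue described above, added here as an illustration and not Munchables' contract code: storage written under one implementation survives an upgrade, and replaying emitted events against stored balances exposes a balance that no deposit backs. The names `Proxy`, `SetupV0`, `LockV1`, `seed` and all amounts are hypothetical and constructed for the example.

```python
# Added example: simplified model, not the project's contract code.
from collections import defaultdict

class Proxy:
    """Upgradeable proxy: storage lives here and survives implementation swaps."""
    def __init__(self, impl):
        self.impl = impl
        self.balances = defaultdict(int)   # storage: account -> wei
        self.events = []                   # emitted logs: (name, account, amount)

    def upgrade(self, new_impl):
        self.impl = new_impl               # code changes, storage does not

    def call(self, fn, *args):
        return getattr(self.impl, fn)(self, *args)

class LockV1:
    """Hypothetical reviewed logic: every balance change emits an event."""
    @staticmethod
    def deposit(p, who, amt):
        p.balances[who] += amt
        p.events.append(("Deposit", who, amt))

    @staticmethod
    def withdraw(p, who, amt):
        if p.balances[who] < amt:
            raise ValueError("insufficient balance")
        p.balances[who] -= amt
        p.events.append(("Withdraw", who, amt))

class SetupV0(LockV1):
    """Hypothetical earlier implementation with a silent storage write."""
    @staticmethod
    def seed(p, who, amt):
        p.balances[who] = amt              # no event, no ETH received

def unbacked_balances(proxy):
    """Replay events; report accounts whose stored balance exceeds them."""
    expected = defaultdict(int)
    for name, who, amt in proxy.events:
        expected[who] += amt if name == "Deposit" else -amt
    return {a: b - expected[a] for a, b in proxy.balances.items()
            if b > expected[a]}

def demo():
    p = Proxy(SetupV0)
    p.call("seed", "dev", 10**24)          # constructed values throughout
    p.upgrade(LockV1)                      # visible code now looks clean
    p.call("deposit", "alice", 5 * 10**18)
    p.call("deposit", "bob", 2 * 10**18)
    p.call("withdraw", "bob", 10**18)
    return unbacked_balances(p)            # only "dev" is reported
```

Reviewing only the current implementation would miss the seeded balance, which is why the check reconciles storage against the full event history.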
Refund Underway for Impacted Users
“$97m has been secured in a multisig by Blast core contributors,” said Blast founder and Blur co-founder Tieshun “Pacman” Roquerre. “Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required.”
Replying to Roquerre’s post, Munchables stated that “All user funds are safe, lockdrops will not be enforced, all blast related rewards will be distributed as well.”
The platform followed up with the refund plan, saying that a compensatory treasury pool has been allocated for users who had ETH deposited so they could start reclaiming their deposits.
We’ve allocated a compensatory treasury pool for all users who had ETH Deposited to re-claim their funds.
All users must re-claim deposited funds within the next 48 hours.
Proceed Here ⤵️ https://t.co/6L1ntk3P4V
— Northern Girl (@girrl_north) March 27, 2024
“Connect your wallet and complete verification process…All users must re-claim deposited funds within the next 48 hours,” said Munchables. “Don’t panic.”