Blast dapp hack was an inside job, and it could have been worse

Munchables, a GameFi project built on Blast, reported late Tuesday that it was “compromised” to the tune of $62 million.

A further $25 million was spared in a related vault of Juice Finance due to an apparent typo.

By blacklisting the hacker’s address, the network was able to seal off the funds, and convince the attacker to give up the controlling private keys.

And that’s not all that’s unusual.

On-chain evidence provided by investigator ZachXBT indicates that the culprit went by a variety of pseudonyms.

“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person,” he wrote on X following the incident.

Users of Juice Finance, which designed a vault and bot system to play the game and earn valuable points at an accelerated rate, were also at risk, according to Chief Operating Officer Eric Ryklin.

The Juice team independently reviewed Munchables’ code, a prerequisite for launching its own product.

“The malicious exploit was not in their code,” Ryklin told Blockworks. “Nor is it in their actual audit itself.”

“This guy pushed an upgrade that no one could have seen — it was unverified — and it essentially gave him three wallets that had unlimited access to withdraw funds, plus he had the keys to the upgrader and the main deployer wallet,” he said.

Read more: Latest DeFi exploits show audits are no guarantee

Juice and Munchables shared several investors, and both teams were in touch with each other regularly in the runup to the theft, Ryklin said. The malicious actor, who worked for Munchables, was a member of a group chat that included the Juice team.

“They met this guy in a developer Discord somewhere across the space,” Ryklin recalled, and after the hack it emerged that the team was not the actual owner of their contracts.

“Someone from their HR team messed up big time,” blockchain security firm SlowMist said on X.

Ryklin described it as a “sleeper cell,” and ZachXBT pointed to North Korean hackers as likely responsible.

“This guy inserted three sleeper wallets into the actual contract that no one could find at first,” Ryklin said. “But the second that he would do a transaction, that sleeper wallet would become public, so the Blast sequencer could essentially blacklist him.”

ZachXBT declined to comment on how he arrived at that conclusion.

A spokesperson for security firm CertiK told Blockworks “it’s highly unusual that the funds were then returned to the project from a malicious DPRK affiliated worker” — referring to agents of the North Korean government — and that the firm assessed it could be “a rogue developer,” who, with their identity revealed, “decided to give the funds back after pressure from the Web3 community to prevent further backlash.”

“Obviously, seeing the funds returned is abnormal behavior,” ZachXBT told Blockworks.

In any case, quickly recognizing those wallets proved crucial to securing the return of the stolen funds.

Loading Tweet..

With the jig up, and no way to exfiltrate the funds, the attacker made it easier on the Blast team by handing over their private keys.

That avoided the need to employ more technical solutions.

“Blast could have definitely pushed a soft fork to literally just blacklist his wallet and pull the money out,” Ryklin said, “I think at that point, it’s like, ‘Why would he not give the keys back?’”

The hacker was not able to take 7349.99 wrapped ether, worth about $25 million at the time, as a result of an apparent typo. It was what Juice’s auditor, Trust Security, called “one of the weirdest side stories of the Munchables exploit.”

Instead of snatching all the wrapped ether, the attacker took just 73.49 wETH (about $267,000).

“The hacker was off by two 0s when inputting the amount! It is easy to confirm in a simulation that they could have indeed taken the whole vault,” Trust said. “It must have taken the hacker over eight minutes to realize their mistake, which is when the team paused withdrawals.”

CertiK confirmed to Blockworks this was the most plausible explanation for the data.

None of Juice’s other vaults or its own smart contracts were affected, the team said.

The hacker also missed the chance to grab an additional $7 million in USDB, Blast’s interest bearing stablecoin, which was secured before it could be stolen, Ryklin said.

“The bridges got closed, so the money was contained,” he said.

That meant that, unlike in other hacking cases, the thief had no leverage. The fact that Blast has multiple centralized components meant that there would be no chance to try to launder the proceeds.

That may trouble some “decentralization maxis,” but Ryklin finds it completely normal at this stage of the network’s development.

“I think the reason that you were able to successfully recover $97 million instead of everyone losing their money is because there are guardrails in place, and I don’t think those are the worst things in the world,” he said.