Bitcoin 
Ethereum 
Tether 
BNB 
Solana 
USDC 
Lido Staked Ether 
XRP 
Dogecoin 
Toncoin 
Cardano 
Shiba Inu 
Avalanche 
TRON 
Wrapped Bitcoin 
Bitcoin Cash 
Polkadot 
Chainlink 
NEAR Protocol 
Polygon 
Litecoin 
Internet Computer 
Uniswap 
LEO Token 
Dai 
First Digital USD 
Ethereum Classic 
Hedera 
Aptos 
Stacks 
Mantle 
Cronos 
Stellar 
Cosmos Hub 
OKB 
Filecoin 
Renzo Restaked ETH 
Render 
Immutable 
XT.com 
Pepe 
VeChain 
Bittensor 
Arbitrum 
Maker 
dogwifhat 
Kaspa 
Wrapped eETH 
The Graph 
Optimism 
Ethena USDe 
Injective 
Theta Network 
Monero 
Fetch.ai 
Arweave 
Core 
Fantom 
Celestia 
Rocket Pool ETH 
Lido DAO 
THORChain 
FLOKI 
Bitget Token 
Bonk 
Algorand 
GALA 
Sei 
Zebec Protocol 
Sui 
Mantle Staked Ether 
Quant 
WhiteBIT Coin 
Beam 
Jupiter 
Flow 
Aave 
Bitcoin SV 
BitTorrent 
NEO 
ether.fi Staked ETH 
Flare 
Ethena 
SingularityNET 
MultiversX 
Ondo 
dYdX 
Tokenize Xchange 
Axie Infinity 
Gate 
Wormhole 
Akash Network 
The Sandbox 
Ribbon Finance 
eCash 
Chiliz 
Tezos 
KuCoin 
EOS 
Safe 
Synthetix Network 
Worldcoin 
Conflux 
Cheelee 
Mina Protocol 
Ronin 
ORDI 
JasmyCoin 
Pyth Network 
Gnosis 
Decentraland 
Marinade staked SOL 
Starknet 
Kelp DAO Restaked ETH 
ApeCoin 
Kava 
IOTA 
Nervos Network 
Axelar 
USDD 
PancakeSwap 
DeXe 
Theta Fuel 
Klaytn 
NEXO 
Swell Ethereum 
Oasis Network 
AIOZ Network 
Helium 
dYdX 
Echelon Prime 
Frax 
Frax Ether 
Lido Staked SOL 
Blur 
Dymension 
Terra Luna Classic 
Fasttoken 
Venom 
Osmosis 
Illuvium 
SATS (Ordinals) 
Bitcoin Gold 
Tether Gold 
Coinbase Wrapped Staked ETH 
WEMIX 
Aerodrome Finance 
Golem 
Astar 
WOO 
MANTRA 
IoTeX 
Ocean Protocol 
CorgiAI 
Pendle 
Radix 
BOOK OF MEME 
Curve DAO 
TrueUSD 
Ankr Network 
1inch 
Staked Frax Ether 
MX 
AltLayer 
APENFT 
XDC Network 
Galxe 
Ethereum Name Service 
aelf 
Enjin Coin 
GMT 
Memecoin 
Zilliqa 
SKALE 
Livepeer 
Ravencoin 
Rocket Pool 
PAX Gold 
Celo 
Manta Network 
Holo 
Trust Wallet 
0x Protocol 
Arkham 
Polymesh 
cat in a dogs world 
Terra 
Siacoin 
SuperVerse 
Qtum 
EthereumPoW 
Amp 
Raydium 
Stader ETHx 
Ether.fi 
Basic Attention 
Compound 
cETH 
Popcat 
Jito 
blockworks.co 2 h
Munchables, a GameFi project built on Blast, reported late Tuesday that it was “compromised” to the tune of $62 million.
A further $25 million was spared in a related vault of Juice Finance due to an apparent typo.
By blacklisting the hacker’s address, the network was able to seal off the funds, and convince the attacker to give up the controlling private keys.
And that’s not all that’s unusual.
On-chain evidence provided by investigator ZachXBT indicates that the culprit went by a variety of pseudonyms.
“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person,” he wrote on X following the incident.
Users of Juice Finance, which designed a vault and bot system to play the game and earn valuable points at an accelerated rate, were also at risk, according to Chief Operating Officer Eric Ryklin.
The Juice team independently reviewed Munchables’ code, a prerequisite for launching its own product.
“The malicious exploit was not in their code,” Ryklin told Blockworks. “Nor is it in their actual audit itself.”
“This guy pushed an upgrade that no one could have seen — it was unverified — and it essentially gave him three wallets that had unlimited access to withdraw funds, plus he had the keys to the upgrader and the main deployer wallet,” he said.
Read more: Latest DeFi exploits show audits are no guarantee
Juice and Munchables shared several investors, and both teams were in touch with each other regularly in the runup to the theft, Ryklin said. The malicious actor, who worked for Munchables, was a member of a group chat that included the Juice team.
“They met this guy in a developer Discord somewhere across the space,” Ryklin recalled, and after the hack it emerged that the team was not the actual owner of their contracts.
“Someone from their HR team messed up big time,” blockchain security firm SlowMist said on X.
Ryklin described it as a “sleeper cell,” and ZachXBT pointed to North Korean hackers as likely responsible.
“This guy inserted three sleeper wallets into the actual contract that no one could find at first,” Ryklin said. “But the second that he would do a transaction, that sleeper wallet would become public, so the Blast sequencer could essentially blacklist him.”
ZachXBT declined to comment on how he arrived at that conclusion.
A spokesperson for security firm CertiK told Blockworks “it’s highly unusual that the funds were then returned to the project from a malicious DPRK affiliated worker” — referring to agents of the North Korean government — and that the firm assessed it could be “a rogue developer,” who, with their identity revealed, “decided to give the funds back after pressure from the Web3 community to prevent further backlash.”
“Obviously, seeing the funds returned is abnormal behavior,” ZachXBT told Blockworks.
In any case, quickly recognizing those wallets proved crucial to securing the return of the stolen funds.
Loading Tweet..
With the jig up, and no way to exfiltrate the funds, the attacker made it easier on the Blast team by handing over their private keys.
That avoided the need to employ more technical solutions.
“Blast could have definitely pushed a soft fork to literally just blacklist his wallet and pull the money out,” Ryklin said, “I think at that point, it’s like, ‘Why would he not give the keys back?’”
The hacker was not able to take 7349.99 wrapped ether, worth about $25 million at the time, as a result of an apparent typo. It was what Juice’s auditor, Trust Security, called “one of the weirdest side stories of the Munchables exploit.”
Instead of snatching all the wrapped ether, the attacker took just 73.49 wETH (about $267,000).
“The hacker was off by two 0s when inputting the amount! It is easy to confirm in a simulation that they could have indeed taken the whole vault,” Trust said. “It must have taken the hacker over eight minutes to realize their mistake, which is when the team paused withdrawals.”
CertiK confirmed to Blockworks this was the most plausible explanation for the data.
None of Juice’s other vaults or its own smart contracts were affected, the team said.
The hacker also missed the chance to grab an additional $7 million in USDB, Blast’s interest bearing stablecoin, which was secured before it could be stolen, Ryklin said.
“The bridges got closed, so the money was contained,” he said.
That meant that, unlike in other hacking cases, the thief had no leverage. The fact that Blast has multiple centralized components meant that there would be no chance to try to launder the proceeds.
That may trouble some “decentralization maxis,” but Ryklin finds it completely normal at this stage of the network’s development.
“I think the reason that you were able to successfully recover $97 million instead of everyone losing their money is because there are guardrails in place, and I don’t think those are the worst things in the world,” he said.
