Biconomy 
MimbleWimbleCoin 
0x0.ai: AI Smart Contract 
Radix 
Solana Name Service 
Amnis Aptos 
Wilder World 
Loopring 
Across Protocol 
GRIFFAIN 
SKALE 
Moo Deng 
Simon's Cat 
Wrapped Beacon ETH 
CoinEx 
CoW Protocol 
UXLINK 
Mantle Bridged USDT (Mantle) 
Rocket Pool 
PAAL AI 
Solayer Staked SOL 
Shiro Neko 
Galxe 
Wrapped Ether (Mantle Bridge) 
Bazaars 
INSURANCE 
Kamino 
Redbelly Network 
Ski Mask Dog 
VeThor 
Avail 
Nexus Mutual 
Nosana 
COTI 
ANDY ETH 
Elixir deUSD 
Moonbeam 
Flux 
Band Protocol 
Frax Share 
LCX 
Supra 
UMA 
Treehouse ETH 
Cetus Protocol 
ConstitutionDAO 
Cheems Token 
NEM 
Blast 
Lorenzo stBTC 
Hypurr Fun 
Delysium 
Big Time 
Non-Playable Coin 
Quorium 
Apu Apustaja 
Moonwell 
Constellation 
Ontology 
Yield Guild Games 
Sun Token 
Audius 
Chromia 
Gravity 
cETH 
Casper Network 
DigiByte 
Hivemapper 
Humans.ai 
Fwog 
TARS AI 
aBTC 
VVS Finance 
PONKE 
GoMining Token 
Solar 
API3 
SingularityNET 
SPACE ID 
Nano 
Orca 
Degen (Base) 
Renzo 
LandWolf 
Verge 
ChainGPT 
Xai 
Ampleforth 
Mythos 
BasedAI 
Bitkub Coin 
HarryPotterObamaSonic10Inu (ETH) 
USDa 
ETHPlus 
ICON 
Fuel Network 
PinLink 
Hamster Kombat 
Velo 
Ultima 
Huobi 
Just a chill guy 
Origin Ether 
Zignaly 
Vanar Chain 
Centrifuge 
Sologenic 
AI Rig Complex 
Saga 
OUSG 
Metaplex 
Status 
Velodrome Finance 
Liquity 
Smooth Love Potion 
RCGE 
Zircuit 
LOFI 
Alchemix USD 
Tellor Tributes 
Songbird 
Balancer 
Freysa AI 
Kelp Gain 
Osaka Protocol 
Arcblock 
MMX 
Spectral 
BounceBit 
OKT Chain 
Zano 
SSV Network 
StakeWise Staked ETH 
JOE 
Arbitrum Bridged USDC (Arbitrum) 
Lisk 
Scroll 
Wise Monkey 
Renzo Restaked LST 
Venus 
Goldfinch 
BTSE Token 
Zentry 
Alephium 
MEOW 
BORA 
IOST 
Coin98 
GHO 
Bybit Staked SOL 
Waves 
WAX 
Marlin 
Crypto Trading Fund 
CARV 
iExec RLC 
DOLA 
Akuma Inu 
Taiko 
Elixir Staked deUSD 
Civic 
Banana Gun 
Ecoin 
Oraichain 
Open Campus 
IQ 
Unicorn Fart Dust 
Ergo 
Blox 
L2 Standard Bridged WETH (Optimism) 
NetMind Token 
Aleph Zero 
Based Pepe 
Stratis 
Autonolas 
Treasure 
Pixels 
Gearbox 
Cartesi 
Aurora 
Ocean Protocol 
Zeus Network 
Patriot on Base 
GAME by Virtuals 
SmarDex 
VitaDAO 
NodeAI 
Adventure Gold 
Suilend 
Cronos Bridged USDC (Cronos) 
Powerledger 
Bounce 
STASIS EURO 
Ontology Gas 
Merlin Chain 
Satoshi Airline 
Milady Cult Coin 
Coq Inu 
Orbs 
Synapse 
blockworks.co 2 h
Munchables, a GameFi project built on Blast, reported late Tuesday that it was “compromised” to the tune of $62 million.
A further $25 million was spared in a related vault of Juice Finance due to an apparent typo.
By blacklisting the hacker’s address, the network was able to seal off the funds, and convince the attacker to give up the controlling private keys.
And that’s not all that’s unusual.
On-chain evidence provided by investigator ZachXBT indicates that the culprit went by a variety of pseudonyms.
“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person,” he wrote on X following the incident.
Users of Juice Finance, which designed a vault and bot system to play the game and earn valuable points at an accelerated rate, were also at risk, according to Chief Operating Officer Eric Ryklin.
The Juice team independently reviewed Munchables’ code, a prerequisite for launching its own product.
“The malicious exploit was not in their code,” Ryklin told Blockworks. “Nor is it in their actual audit itself.”
“This guy pushed an upgrade that no one could have seen — it was unverified — and it essentially gave him three wallets that had unlimited access to withdraw funds, plus he had the keys to the upgrader and the main deployer wallet,” he said.
Read more: Latest DeFi exploits show audits are no guarantee
Juice and Munchables shared several investors, and both teams were in touch with each other regularly in the runup to the theft, Ryklin said. The malicious actor, who worked for Munchables, was a member of a group chat that included the Juice team.
“They met this guy in a developer Discord somewhere across the space,” Ryklin recalled, and after the hack it emerged that the team was not the actual owner of their contracts.
“Someone from their HR team messed up big time,” blockchain security firm SlowMist said on X.
Ryklin described it as a “sleeper cell,” and ZachXBT pointed to North Korean hackers as likely responsible.
“This guy inserted three sleeper wallets into the actual contract that no one could find at first,” Ryklin said. “But the second that he would do a transaction, that sleeper wallet would become public, so the Blast sequencer could essentially blacklist him.”
ZachXBT declined to comment on how he arrived at that conclusion.
A spokesperson for security firm CertiK told Blockworks “it’s highly unusual that the funds were then returned to the project from a malicious DPRK affiliated worker” — referring to agents of the North Korean government — and that the firm assessed it could be “a rogue developer,” who, with their identity revealed, “decided to give the funds back after pressure from the Web3 community to prevent further backlash.”
“Obviously, seeing the funds returned is abnormal behavior,” ZachXBT told Blockworks.
In any case, quickly recognizing those wallets proved crucial to securing the return of the stolen funds.
Loading Tweet..
With the jig up, and no way to exfiltrate the funds, the attacker made it easier on the Blast team by handing over their private keys.
That avoided the need to employ more technical solutions.
“Blast could have definitely pushed a soft fork to literally just blacklist his wallet and pull the money out,” Ryklin said, “I think at that point, it’s like, ‘Why would he not give the keys back?’”
The hacker was not able to take 7349.99 wrapped ether, worth about $25 million at the time, as a result of an apparent typo. It was what Juice’s auditor, Trust Security, called “one of the weirdest side stories of the Munchables exploit.”
Instead of snatching all the wrapped ether, the attacker took just 73.49 wETH (about $267,000).
“The hacker was off by two 0s when inputting the amount! It is easy to confirm in a simulation that they could have indeed taken the whole vault,” Trust said. “It must have taken the hacker over eight minutes to realize their mistake, which is when the team paused withdrawals.”
CertiK confirmed to Blockworks this was the most plausible explanation for the data.
None of Juice’s other vaults or its own smart contracts were affected, the team said.
The hacker also missed the chance to grab an additional $7 million in USDB, Blast’s interest bearing stablecoin, which was secured before it could be stolen, Ryklin said.
“The bridges got closed, so the money was contained,” he said.
That meant that, unlike in other hacking cases, the thief had no leverage. The fact that Blast has multiple centralized components meant that there would be no chance to try to launder the proceeds.
That may trouble some “decentralization maxis,” but Ryklin finds it completely normal at this stage of the network’s development.
“I think the reason that you were able to successfully recover $97 million instead of everyone losing their money is because there are guardrails in place, and I don’t think those are the worst things in the world,” he said.
