
Explained: The Munchables Hack (March 2024)



Rob Behnke

March 28th, 2024


In March 2024, Munchables, a project hosted on the Blast Layer-2 blockchain, suffered a $62.5 million hack. The root cause of the incident was a rogue developer who exploited vulnerabilities that they previously built into the project’s smart contracts.

Inside the Attack

The Munchables hack is a case study of the importance of vetting and performing background checks for critical team members of a DeFi team. In this case, the project hired four developers believed to be the same person — and suspected to be from North Korea — to create its smart contracts.

When the Munchables developer created the project, they built it using an upgradeable proxy contract, which could be modified by the deployer’s address. Furthermore, this deployer address was owned by the developer, not the Munchables contract.

The attacker used their control over the project’s smart contract to assign themselves a balance of 1 million ETH within the smart contract. Later, the contract was upgraded to a secure version; however, the attacker’s manipulation of the storage slots remained.

Once this balance was in place, the attacker simply had to wait until enough ETH had been deposited in the smart contract to make an attack worthwhile. When they struck, they were able to transfer about $62.5 million worth of ETH into their wallets.
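To show why a later "secure" upgrade could not undo the planted balance, here is a simplified Solidity illustration added for this post; it is not Munchables' code and not Halborn's. A delegatecall proxy keeps all state in its own storage, while each implementation only supplies logic, so swapping implementations leaves an already-written balance exactly where it was. The contract names, the privileged `adminCredit` function, the `reconcile` check, and the shared layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Munchables contracts. Shared storage layout:
// both the proxy and every implementation inherit this so slots line up.
// Everything declared here lives in the proxy's storage and survives upgrades.
abstract contract VaultStorage {
    address public admin;                         // slot 0: may upgrade and (in V1) credit
    mapping(address => uint256) public balances;  // slot 1: credited ETH per account
    event Deposit(address indexed who, uint256 amount);
}

// Flawed first implementation (assumed): a privileged credit function writes a
// balance with no ETH behind it, guarded only by the deployer-held admin key.
contract VaultV1 is VaultStorage {
    function deposit() external payable {
        balances[msg.sender] += msg.value;
        emit Deposit(msg.sender, msg.value);
    }

    function adminCredit(address who, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        balances[who] = amount;                   // unbacked number written to slot 1
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// "Secure" second implementation: adminCredit is gone, but the balances mapping
// is untouched by the upgrade, so anything V1 wrote is still spendable.
// reconcile() is the post-upgrade check a reviewer wants: credited total
// against ETH the contract actually holds.
contract VaultV2 is VaultStorage {
    function deposit() external payable {
        balances[msg.sender] += msg.value;
        emit Deposit(msg.sender, msg.value);
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // holders: every address that ever received a balance, assembled off-chain
    // from Deposit events and adminCredit calls (assumed complete here).
    function reconcile(address[] calldata holders)
        external view returns (uint256 credited, uint256 held, bool consistent)
    {
        for (uint256 i = 0; i < holders.length; i++) {
            credited += balances[holders[i]];
        }
        held = address(this).balance;
        consistent = credited <= held;            // false if an unbacked balance exists
    }
}

// Minimal delegatecall proxy. The implementation pointer sits after the shared
// layout so it never collides with implementation state.
contract VaultProxy is VaultStorage {
    address public implementation;                // slot 2

    constructor(address impl) {
        admin = msg.sender;                       // deployer key controls upgrades
        implementation = impl;
    }

    function upgradeTo(address impl) external {
        require(msg.sender == admin, "not admin");
        implementation = impl;                    // swaps code only; slots 0 and 1 unchanged
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Walking through it in a local test network: deploy `VaultV1`, deploy `VaultProxy` pointing at it, and have a few accounts call `deposit()` through the proxy. If the deployer key ever called `adminCredit` through the proxy, then `upgradeTo(address(new VaultV2()))` changes only slot 2; calling `reconcile` on the proxy afterwards with the full holder list returns `consistent == false`, because `credited` exceeds `held`. That discrepancy is the signal an audit of the upgrade should have looked for: reviewing the new bytecode alone says nothing about state the old code already wrote, and the admin key that can upgrade should be held by the project, not by an individual developer.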

After the hack occurred, ZachXBT investigated and determined that all four of the attackers were likely the same person and potentially linked to the Lazarus Group. This revelation might have been the impetus for the attackers to hand over the private keys needed to restore $60.5 million of the stolen funds to the Munchables project.

Lessons Learned From the Attack

The Munchables hack was enabled by its upgradeable proxy contract. While the ability to upgrade proxies can create security risks, these can be managed if the project maintains full control over the deployment address. However, that wasn’t the case here, where the developer intentionally designed the contract and deployed it in a way that enabled them to carry out their attack.

While the Munchables attack ended happily, it demonstrates the importance of due diligence and a strong security program to protect DeFi projects against potential attacks. A malicious developer built flaws into the protocol’s smart contracts and then covered their tracks with a benign upgrade. When building in DeFi, it’s vital to maintain control over the deployment process and ensure that you know what code you’re pushing to the blockchain.