Munchables, a nonfungible token (NFT) game built on the Ethereum layer-2 blockchain Blast, has fallen victim to a significant exploit, resulting in a loss of $62 million. The game made the announcement of the breach in a post on X on March 26, stating that it was actively monitoring the exploiter’s activities and attempting to halt the transactions.
According to Solidity developer 0xQuit, the attack on Munchables was premeditated. One of the developers allegedly upgraded the Lock contract, which is designed to lock tokens for a specific period, with a new implementation shortly before the game’s launch. 0xQuit explained that the attacker assigned himself a deposited balance of 1,000,000 Ether before the upgrade, taking advantage of manual manipulation of storage slots. The exploiter then withdrew the balance once the total value locked (TVL) reached a lucrative level.
Following the exploit, Adam Cochran, a partner at Cinneamhain Ventures, noted that while it might not set a good precedent for future incidents, it would align with Blast’s brand to intervene. Cygaar also called for the Blast team to intervene and roll back the chain to a state before the attack occurred. However, others opposed centralized intervention, stating that it contradicts the principles of decentralized networks.
The situation has sparked a debate about the appropriate response, with discussions ranging from the possibility of an invalid state root forced by the Blast team to a complete halt of the chain to address the issue, as suggested by Cygaar.