Blast dapp hack was an inside job, and it could have been worse

Exploit shows centralization can sometimes be an asset

article-image

Blast and Adobe Stock modified by Blockworks

share

Munchables, a GameFi project built on Blast, reported late Tuesday that it was “compromised” to the tune of $62 million.

A further $25 million was spared in a related vault of Juice Finance due to an apparent typo.

By blacklisting the hacker’s address, the network was able to seal off the funds, and convince the attacker to give up the controlling private keys.

And that’s not all that’s unusual.

On-chain evidence provided by investigator ZachXBT indicates that the culprit went by a variety of pseudonyms.

“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person,” he wrote on X following the incident.

Read more: $80M lost in first hack of 2024

Users of Juice Finance, which designed a vault and bot system to play the game and earn valuable points at an accelerated rate, were also at risk, according to Chief Operating Officer Eric Ryklin. 

The Juice team independently reviewed Munchables’ code, a prerequisite for launching its own product.

“The malicious exploit was not in their code,” Ryklin told Blockworks. “Nor is it in their actual audit itself.”

“This guy pushed an upgrade that no one could have seen — it was unverified — and it essentially gave him three wallets that had unlimited access to withdraw funds, plus he had the keys to the upgrader and the main deployer wallet,” he said.

Read more: Latest DeFi exploits show audits are no guarantee

Juice and Munchables shared several investors, and both teams were in touch with each other regularly in the runup to the theft, Ryklin said. The malicious actor, who worked for Munchables, was a member of a group chat that included the Juice team.

“They met this guy in a developer Discord somewhere across the space,” Ryklin recalled, and after the hack it emerged that the team was not the actual owner of their contracts.

“Someone from their HR team messed up big time,” blockchain security firm SlowMist said on X.

Ryklin described it as a “sleeper cell,” and ZachXBT pointed to North Korean hackers as likely responsible.

“This guy inserted three sleeper wallets into the actual contract that no one could find at first,” Ryklin said. “But the second that he would do a transaction, that sleeper wallet would become public, so the Blast sequencer could essentially blacklist him.”

ZachXBT declined to comment on how he arrived at that conclusion. 

A spokesperson for security firm CertiK told Blockworks “it’s highly unusual that the funds were then returned to the project from a malicious DPRK affiliated worker” — referring to agents of the North Korean government — and that the firm assessed it could be “a rogue developer,” who, with their identity revealed, “decided to give the funds back after pressure from the Web3 community to prevent further backlash.”

“Obviously, seeing the funds returned is abnormal behavior,” ZachXBT told Blockworks.

In any case, quickly recognizing those wallets proved crucial to securing the return of the stolen funds.

Read more: DAO on Solana loses $230K after ‘attack proposal’ goes unnoticed

Loading Tweet..

With the jig up, and no way to exfiltrate the funds, the attacker made it easier on the Blast team by handing over their private keys.

That avoided the need to employ more technical solutions.

“Blast could have definitely pushed a soft fork to literally just blacklist his wallet and pull the money out,” Ryklin said, “I think at that point, it’s like, ‘Why would he not give the keys back?’”

The hacker was not able to take 7349.99 wrapped ether, worth about $25 million at the time, as a result of an apparent typo. It was what Juice’s auditor, Trust Security, called “one of the weirdest side stories of the Munchables exploit.”

Instead of snatching all the wrapped ether, the attacker took just 73.49 wETH (about $267,000).

“The hacker was off by two 0s when inputting the amount! It is easy to confirm in a simulation that they could have indeed taken the whole vault,” Trust said. “It must have taken the hacker over eight minutes to realize their mistake, which is when the team paused withdrawals.”

CertiK confirmed to Blockworks this was the most plausible explanation for the data.

None of Juice’s other vaults or its own smart contracts were affected, the team said.

The hacker also missed the chance to grab an additional $7 million in USDB, Blast’s interest bearing stablecoin, which was secured before it could be stolen, Ryklin said.

“The bridges got closed, so the money was contained,” he said.

That meant that, unlike in other hacking cases, the thief had no leverage. The fact that Blast has multiple centralized components meant that there would be no chance to try to launder the proceeds.

Read more: Blast developers drawn by layer-2’s liquidity and founder’s success building Blur

That may trouble some “decentralization maxis,” but Ryklin finds it completely normal at this stage of the network’s development.

“I think the reason that you were able to successfully recover $97 million instead of everyone losing their money is because there are guardrails in place, and I don’t think those are the worst things in the world,” he said.


Don’t miss the next big story – join our free daily newsletter.

Tags

Upcoming Events

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

ao cover.jpg

Research

Arweave recently launched the testnet for AO computer, a new messaging protocol that will sit atop a PoS network and aims to become a scalable global compute platform through parallel processing and modularity.

article-image

The US spot bitcoin fund category has notched negative net flows over the course of a week just three times since coming to market in January

article-image

Elsewhere, rank-and-file employees move around and Binance’s head of legal in Europe departs

article-image

Plus, a Dragonfly partner shares his view on the crypto VC market, and a mining hardware firm raises $80 million

article-image

Plus, a Bored Ape burger restaurant closes, and Crypto: The Game presses on

article-image

Bitcoin scarcity is a meme, with or without the halvings

article-image

The current state of blockchain interoperability poses an existential threat to the mainstream adoption of blockchain technology as a whole