Blast dapp hack was an inside job, and it could have been worse

Exploit shows centralization can sometimes be an asset

article-image

Blast and Adobe Stock modified by Blockworks

share

Munchables, a GameFi project built on Blast, reported late Tuesday that it was “compromised” to the tune of $62 million.

A further $25 million was spared in a related vault of Juice Finance due to an apparent typo.

By blacklisting the hacker’s address, the network was able to seal off the funds, and convince the attacker to give up the controlling private keys.

And that’s not all that’s unusual.

On-chain evidence provided by investigator ZachXBT indicates that the culprit went by a variety of pseudonyms.

“Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person,” he wrote on X following the incident.

Read more: $80M lost in first hack of 2024

Users of Juice Finance, which designed a vault and bot system to play the game and earn valuable points at an accelerated rate, were also at risk, according to Chief Operating Officer Eric Ryklin. 

The Juice team independently reviewed Munchables’ code, a prerequisite for launching its own product.

“The malicious exploit was not in their code,” Ryklin told Blockworks. “Nor is it in their actual audit itself.”

“This guy pushed an upgrade that no one could have seen — it was unverified — and it essentially gave him three wallets that had unlimited access to withdraw funds, plus he had the keys to the upgrader and the main deployer wallet,” he said.

Read more: Latest DeFi exploits show audits are no guarantee

Juice and Munchables shared several investors, and both teams were in touch with each other regularly in the runup to the theft, Ryklin said. The malicious actor, who worked for Munchables, was a member of a group chat that included the Juice team.

“They met this guy in a developer Discord somewhere across the space,” Ryklin recalled, and after the hack it emerged that the team was not the actual owner of their contracts.

“Someone from their HR team messed up big time,” blockchain security firm SlowMist said on X.

Ryklin described it as a “sleeper cell,” and ZachXBT pointed to North Korean hackers as likely responsible.

“This guy inserted three sleeper wallets into the actual contract that no one could find at first,” Ryklin said. “But the second that he would do a transaction, that sleeper wallet would become public, so the Blast sequencer could essentially blacklist him.”

ZachXBT declined to comment on how he arrived at that conclusion. 

A spokesperson for security firm CertiK told Blockworks “it’s highly unusual that the funds were then returned to the project from a malicious DPRK affiliated worker” — referring to agents of the North Korean government — and that the firm assessed it could be “a rogue developer,” who, with their identity revealed, “decided to give the funds back after pressure from the Web3 community to prevent further backlash.”

“Obviously, seeing the funds returned is abnormal behavior,” ZachXBT told Blockworks.

In any case, quickly recognizing those wallets proved crucial to securing the return of the stolen funds.

Read more: DAO on Solana loses $230K after ‘attack proposal’ goes unnoticed

Loading Tweet..

With the jig up, and no way to exfiltrate the funds, the attacker made it easier on the Blast team by handing over their private keys.

That avoided the need to employ more technical solutions.

“Blast could have definitely pushed a soft fork to literally just blacklist his wallet and pull the money out,” Ryklin said, “I think at that point, it’s like, ‘Why would he not give the keys back?’”

The hacker was not able to take 7349.99 wrapped ether, worth about $25 million at the time, as a result of an apparent typo. It was what Juice’s auditor, Trust Security, called “one of the weirdest side stories of the Munchables exploit.”

Instead of snatching all the wrapped ether, the attacker took just 73.49 wETH (about $267,000).

“The hacker was off by two 0s when inputting the amount! It is easy to confirm in a simulation that they could have indeed taken the whole vault,” Trust said. “It must have taken the hacker over eight minutes to realize their mistake, which is when the team paused withdrawals.”

CertiK confirmed to Blockworks this was the most plausible explanation for the data.

None of Juice’s other vaults or its own smart contracts were affected, the team said.

The hacker also missed the chance to grab an additional $7 million in USDB, Blast’s interest bearing stablecoin, which was secured before it could be stolen, Ryklin said.

“The bridges got closed, so the money was contained,” he said.

That meant that, unlike in other hacking cases, the thief had no leverage. The fact that Blast has multiple centralized components meant that there would be no chance to try to launder the proceeds.

Read more: Blast developers drawn by layer-2’s liquidity and founder’s success building Blur

That may trouble some “decentralization maxis,” but Ryklin finds it completely normal at this stage of the network’s development.

“I think the reason that you were able to successfully recover $97 million instead of everyone losing their money is because there are guardrails in place, and I don’t think those are the worst things in the world,” he said.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

Unlocked Advisory-min.png

Research

This report distills Blockworks Advisory’s research on incentive programs and their analysis, offering a foundation for designing future initiatives and advancing industry-wide standards. By highlighting key lessons and methodologies, we aim to empower protocols to make informed, data-driven decisions.

article-image

Bitcoin is now the “seventh most valuable asset in the world by market cap, just behind the likes of Google and Amazon,” GSR’s Brian Rudick said

article-image

Many analysts expected bitcoin to top $100K before year-end, though it’s been on a post-election tear

article-image

Will investors take a 10% lower return to get access to a regulated investment wrapper?

article-image

Brian Armstrong called out the hire of Gurbir Grewal, who had been the SEC’s enforcement division director since 2021

article-image

Certain senators will be interested to learn about Atkins’s private sector business interests, specifically those related to crypto

article-image

Innovative smart debt and collateral features are fueling Fluid’s rise to $1.2 billion TVL, reshaping the Instadapp brand