The Munchables Hack Is Way Worse Than It Seems

On Tuesday, March 26, Ethereum-based NFT-based “GameFi” project Munchables reported a hack that drained over 17,400 ETH (roughly $63 million) from its coffers. Within five hours of investigation, it became clear that the attack came from inside the house: a hired developer going by the alias “Werewolves0943” had drained the funds. Insiders stealing project funds is common enough in crypto that the term “rugpull” is common parlance — but what was unique about this situation is that the hired hands allegedly had ties to North Korea.

This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond. You can subscribe to get the full newsletter here.

After an hour of negotiations led by Munchables, along with independent blockchain investigator ZachXBT and security firm PeckShield, Werewolves0943 was convinced to return all the funds. “The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds,” the Munchables’ team posted at 4:40 a.m. UTC.

While that seems like a happy enough resolution of a relatively low-value hack, the Munchables exploit may have a longtail of bad outcomes for the crypto industry. Most importantly, while it isn’t yet confirmed that North Korea was hands down involved in the attack, the sheer fact so many people were willing to accept that at face value helps to further a dangerous narrative that crypto is helping to erode national defense and bolster terrorist organizations.

Data from 2016 to 2023 collected by on-chain analysis firm Chainalysis showed that North Korea hacked at least 20 crypto platforms stealing slightly over $1 billion worth of assets last year alone. A separate report by TRM Labs largely substantiated those findings. “North Korea-linked hacks have been on the rise over the past few years, with cyber-espionage groups such as Kimsuky and Lazarus Group utilizing various malicious tactics to acquire large amounts of crypto assets,” Chainalysis said in its report.

Earlier research found North Korea-affiliated hackers were using billions of dollars worth of stolen crypto loot to fund the Hermit Kingdom’s nuclear weapons program. These attacks were a substantial reason why the U.S. Treasury Department took the unprecedented move to sanction the Tornado Cash crypto mixer smart contract and why Senator Elizabeth Warren (D-Mass.) can in good faith call crypto a “national security risk.”

“Real talk: the greatest policy threat to crypto by far is the allegation that North Korea funds its missile program by hacking smart contracts,” Variant Fund CEO Jake Chervinsky wrote on X. If crypto is banned, “It will be caused by an increasingly common view among anti-crypto policymakers that crypto doesn’t have a use case other than gambling and crime, and that the risk of allowing crypto to continue to exist far outweighs the potential benefits that blockchain developers have promised but not delivered for years.”

The Munchables attack only adds to this image. In fact, it’s slightly worse in that this wasn’t an outside actor exploiting poorly written code, but a complete failure of due diligence on part of a multi-million dollar blockchain project when hiring developers. It puts a whole new spin on the idea of “social engineering” when apparent threat actors can not only manipulate an insider for critical information, but be paid to be on the inside.

According to Ethereum developer 0xQuit, the Munchables attack had been planned from the outset. The attacker was able to upgrade the “lock contract,” meant to keep the project’s funds under lock and key for a specific period of time, so he could “assign himself a deposited balance of 1,000,000 ether” while also hiding evidence of the changes, 0xQuit claimed.

Of course, this isn’t an issue for the crypto industry alone: For years, the Federal Bureau of Investigations and Republic of Korea have been issuing warnings as to North Korean “tradecraft” of exploiters gaining access to key infrastructure through employment. “The hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences,” the agencies wrote in a recent public service announcement.

Apart from the embarrassment of having at least one North Korean hacker working on the inside of projects they intend to rob, the crypto community’s response to the Munchables attack also laid bare exactly how vulnerable these systems are. For instance, several people on Crypto Twitter suggested that, because Munichables was on the controversial Blast blockchain, which is maintained essentially by a simple multi-sig wallet, that the Blast team could intervene by rolling back the chain to recover the stolen funds.

“While I’m strongly against this action on any other chain, I don’t take Blast as a brand of ‘serious decentralization chain’ but instead as a place for games, experiments, degenry, etc.,” Adam Cochran, an influential voice in Ethereum circles and Cinneamhain Ventures partner, said in support of the potential rollback.

No doubt, Blast is a controversial network — one that raised over one billion dollars without even a prototype — but it is not at all that different from the way other OP Stack layer 2s are built. For instance, after Eric Wall reminded his followers that Blast and Coinbase’s Base network essentially run the same codebase, Base’s principle developer Jesse Pollack tweeted that Base’s “keys are not controlled by any one party or entity.” Instead, Base is controlled by a 2/2 multi-sig wallet, which theoretically could also rollback the chain if both parties agreed.

Currently, no Ethereum scaling solution is truly “decentralized” as commonly understood, even if the teams that are developing them typically adhere to the principles of permissionless access and not censoring users. In a certain sense, as Chervinsky notes, many policymakers who “understand the difference between centralized and decentralized technology” would choose the former because it means founders remain in control of what happens on-chain.

“But ultimately, the burden is on the builders in the industry to do better,” he added.