Summary
Munchables is a Blast-chain NFT game that suffered a $62.5 million exploit on March 26, 2024, when a contractor later attributed to North Korea exploited a backdoor they had embedded in the project's upgradeable smart contracts before launch. The developer surrendered private keys and the full sum was recovered within approximately 24 hours, but the incident exposed fundamental failures in contractor due diligence and smart contract architecture.
Connected Entities
1 entitiesTimeline(8 events)
2022-01-01
A developer later linked to the Munchables exploit was briefly hired by Pixecraft Studios, described as 'sketchy,' and let go within a month.
2024-03-21
The Munchables Lock smart contract was upgraded to an unverified implementation address, later identified as part of the attacker's preparation.
2024-03-26
The exploit was executed: approximately 17,413 ETH (~$62.5M) was withdrawn by the rogue developer using a pre-planted fraudulent 1,000,000 ETH balance in storage slots.
2024-03-26
Munchables announced the breach on X at approximately 9:33 pm UTC and stated it was tracking the exploiter.
2024-03-26
ZachXBT identified the attacker's address and four GitHub accounts (NelsonMurua913, Werewolves0493, BrightDragon0719, Super1114) believed to be North Korean-linked.
2024-03-26
Within approximately 11 minutes of ZachXBT's public identification, the developer agreed to return all funds and surrendered private keys.
2024-03-27
Blast founder Pacman confirmed that the recovered assets had been secured in a multisig controlled by Blast core contributors.
2024-03-27
Munchables announced full fund recovery; community rollback proposals for the Blast chain were not pursued.
Decision Log
- hash: 5MAt4mTSTofTPLmYXzTzBARNzE1dDut4Mudcyi1HJXb6
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-5
generated: 5/4/2026, 2:54:33 AM
last updated: 5/20/2026, 3:41:08 PM
avoid.net — verified advice for a post-truth world