Munchables: Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy
Summary
Munchables, a GameFi / NFT game, suffered an exploit on 2024-03-26, resulting in a loss of approximately $63M.
What happened
Munchables' rogue developer — suspected North Korean — pre-planted a $62.5M backdoor at deployment via storage slot manipulation in an upgradeable proxy, then drained the contract before ZachXBT exposed the connection and forced the full return of funds.
Linked factors
- RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (unverified implementation)]
- RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — Blast L2 new deployment; proxy upgraded to unverified implementation]
- RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — proxy upgrade to unverified implementation]
- RD-F-111 — causal: Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Team public; developer anonymous (North Korean IT worker persona)]
- RD-F-122 — related: Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- RD-F-125 — causal: ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]