Ethereum Layer-2 Game Munchables Hit by Massive $62 Million Exploit

The crypto space confronts new challenges as Munchables and Curio suffer serious exploits, revealing deep-seated vulnerabilities in the industry.

The tech and blockchain communities are reeling from a number of security breaches, with the Munchables game suffering a $62 million loss due to an exploit, and Curio facing a $16 million theft through a smart contract vulnerability. These incidents have started some intense debates around security, decentralization, and emergency response strategies in blockchain applications. Additionally, an "unpatchable" flaw in Apple's M-series chips, known as the "GoFetch" exploit, also poses a risk to encryption key security.

Munchables Game Faces Massive Exploit

The Ethereum layer-2 blockchain game Munchables, which is hosted on the Blast network, announced a devastating exploit resulting in a loss of $62 million. The incident was first revealed by the Munchables team though a post on X on Mar. 26, revealing that the attacker managed to get away with 17,413 ETH by manipulating the game's protocol.

The team's efforts to track and stop the exploiter’s transactions were made public, alongside blockchain analyst ZachXBT's identification of the attacker's wallet, which boasted a staggering $62.45 million in ETH, according to Blastscan data.

The exploit was very intricately executed, starting with the attacker's wallet interacting with Munchables protocol, followed by the laundering of a portion of the stolen ETH through the Orbiter Bridge, converting Blast ETH to native Ethereum. The attacker also made a nominal transfer of 1 ETH to a new wallet address, which could have been a decoy or to test transactional pathways.

Investigations into the exploit's origin pointed towards the Munchables team's engagement with a developer known by the alias "Werewolves0943," purportedly from North Korea. This connection raised questions about the vetting process for developers within the blockchain sphere. Solidity developer 0xQuit unveiled that the exploit was not a mere happenstance but a premeditated attack facilitated by a contractual loophole in the Munchables’ Lock contract. The attacker exploited this loophole by assigning themselves a fictitious deposit of 1,000,000 Ether before launching a new, seemingly legitimate contract to withdraw the funds.

Naturally, the crypto and gaming communities have been abuzz with reactions to this exploit. Some users on X have called for the Blast team to execute a chain rollback to negate the effects of the attack, a move that, while contentious, highlights the ongoing debate between the principles of decentralization and the need for protective measures in the face of fraud. Critics argue that these interventions completely undermine the ethos of blockchain technology, while others believe it necessary for preserving user trust and experience in certain contexts.

On the bright side, after the attacker's identity was publicly shared, the culprit decided to return all of the stolen assets. The Munchables team confirmed that the perpetrator agreed to give back the stolen funds unconditionally.

Curio Faces $16M Exploit

Munchables was not the only exploit victim over the past few days. Curio, a Real-world asset (RWA) liquidity firm, experienced a security breach that resulted in the theft of about $16 million in digital assets.

The exploit was traced back to a critical vulnerability in a MakerDAO-based smart contract used by Curio, specifically a flaw in the voting power privilege access control. The attacker manipulated this vulnerability by buying a minimal amount of Curio Governance (CGT) tokens to gain and subsequently elevate their voting power in the project's smart contract system. This allowed the perpetrator to execute arbitrary actions in the Curio DAO contract, leading to the unauthorized minting of 1 billion CGT.

Curio very quickly told its community about the incident, and made sure to mention its efforts to address the situation. The firm also reassured its users that the exploit was confined to the Ethereum network, leaving Polkadot and Curio Chain contracts unaffected. Cyvers, a Web3 security firm, estimated the financial damage from the exploit to be around $16 million, identifying the root cause as a “permission access logic vulnerability.”

In response to the crisis, Curio published a detailed post-mortem analysis and shared a compensation plan for those who were affected by the exploit. The company promised to return all of the compromised funds and announced the creation of a new token, CGT 2.0, to fully restore the lost assets for CGT holders. A fund compensation program for liquidity providers was also introduced, promising reimbursement in four stages, each lasting 90 days, and totaling a year for complete compensation. This program will distribute payments in USDC/USDT, covering 25% of the losses incurred by the liquidity pools' second token during each phase.

Curio also plans to reward white hat hackers who can assist in recovering the stolen funds. The company offered a reward equivalent to 10% of the recovered funds during the initial recovery phase.

Unpatchable Flaw in Apple's M-Series Chips

There is, unfortunately, still more cause for concern. An academic report that was published on Mar. 21 by researchers from various U.S. universities unveiled a critical vulnerability in Apple's M-series chips that could allow attackers to access sensitive encryption keys from MacBook devices. This flaw, known as a side channel exploit, specifically targets the microarchitectural design of the chips, rendering it "unpatchable" and necessitating the use of third-party cryptographic software to address. However, a solution like this could degrade the performance of devices equipped with M1 and M2 chips.

Termed the "GoFetch" exploit, it operates within the standard user environment, requiring no more than the typical application-level privileges to intercept and decode encryption keys. This revelation has sparked quite a lot of concern among MacBook users, particularly about the security of password keychains. Some users speculate that Apple may integrate mitigation measures directly into its operating system, while others suggest the company has been aware of these vulnerabilities, referencing an earlier "augury" research from 2022 and speculating about hardware modifications in the upcoming M3 chip.

This discovery could not come at a worse time for Apple as it is also engaged in a major antitrust lawsuit with the U.S. Department of Justice. The lawsuit accuses Apple of maintaining a monopolistic grip on the digital market through its App Store policies, stifling competition, and innovation, and limiting developers' abilities to offer alternative payment services.