駭客利用 Munchables NFT 遊戲返還被盜 6,280 萬美元的以太坊

Munchables 與 PeckShield 和 ZachXBT 等區塊鏈調查機構合作，在面臨從其 NFT 遊戲平台流失超過 17,400 ETH 的漏洞後，開始努力追蹤被盜資金的動向。駭客隨後在未索要贖金的情況下返還了價值 6,280 萬美元的以太幣。

Munchables Exploited: Hacker Returns $62.8 Million in Stolen Ethereum

Munchables 被利用：駭客歸還被盜以太坊 6,280 萬美元

On Tuesday, March 26th, Munchables, an Ethereum-based non-fungible token (NFT) game, encountered a significant exploit that resulted in the theft of over 17,400 ETH from its GameFi application. However, within eight hours of the incident, the assailant responsible for the attack underwent a change of heart and voluntarily returned the stolen Ethereum, valued at $62.8 million, without demanding any form of ransom or compensation.

3 月 26 日星期二，基於以太坊的非同質代幣 (NFT) 遊戲 Munchables 遭遇重大漏洞，導致其 GameFi 應用程式被盜超過 17,400 ETH。然而，在事件發生後八小時內，襲擊者改變了主意，主動歸還了被盜的價值 6280 萬美元的以太坊，沒有要求任何形式的贖金或賠償。

Munchables, renowned for its distinctive bug-eyed digital creatures and lucrative rewards system, fell prey to a sophisticated attack exploiting a vulnerability within the platform's infrastructure. The gaming platform promptly initiated efforts to mitigate the impact of the exploit and assured stakeholders of its commitment to take appropriate action.

Munchables 以其獨特的瞪大眼睛的數位生物和利潤豐厚的獎勵系統而聞名，卻遭到利用平台基礎設施內漏洞的複雜攻擊。該遊戲平台立即採取措施減輕漏洞的影響，並向利害關係人保證其採取適當行動的承諾。

In cooperation with renowned blockchain investigators PeckShield and ZachXBT, Munchables embarked on a meticulous investigation to trace the movement of the purloined funds, with the ultimate objective of intercepting them. The NFT gaming platform released an official statement outlining its collaborative efforts:

Munchables 與著名的區塊鏈調查員 PeckShield 和 ZachXBT 合作，展開了細緻的調查，追蹤被盜資金的動向，最終目標是攔截這些資金。 NFT 遊戲平台發布了一份官方聲明，概述了其合作努力：

"The Munchables developer has unreservedly shared all relevant private keys to facilitate the recovery of user funds. Specifically, the key safeguarding $62,535,441.24 USD, the key holding 73 WETH, and the owner key encompassing the remaining funds."

「Munchables 開發人員毫無保留地分享了所有相關私鑰，以方便追回用戶資金。具體來說，保存62,535,441.24 美元的密鑰、持有73 WETH 的密鑰以及包含剩餘資金的所有者密鑰。 」

Ethereum Layer-2 Blockchain Facilitates Recovery

以太坊第 2 層區塊鏈促進恢復

Pacman, the visionary behind Blast, an Ethereum layer-2 blockchain, expressed profound gratitude to ZachXBT for his invaluable assistance in the investigation. Pacman disclosed that the Munchables hacker, a former Munchables developer, had made the remarkable decision to return all stolen funds without any ransom demands.

Pacman 是以太坊第 2 層區塊鏈 Blast 背後的遠見者，他對 ZachXBT 在調查中提供的寶貴幫助深表感謝。 Pacman 透露，Munchables 駭客是一名前 Munchables 開發者，他做出了一個非凡的決定，即返還所有被盜資金，且不要求任何贖金。

Given that Munchables operates atop the Blast blockchain, Pacman affirmed his commitment to collaborating with the Munchables team to expedite the redistribution of the recovered funds to the affected users.

鑑於 Munchables 在 Blast 區塊鏈上運行，Pacman 承諾與 Munchables 團隊合作，加快將收回的資金重新分配給受影響的用戶。

Official Communication and Caution Against Scams

官方溝通和防範詐騙

Munchables has strongly advised all victims of the exploit to rely exclusively on information disseminated through official channels and to exercise utmost vigilance to avoid falling victim to potential refund scams.

Munchables 強烈建議所有該漏洞的受害者完全依賴透過官方管道傳播的訊息，並保持高度警惕，以避免成為潛在退款詐騙的受害者。

Similar Exploit at ParaSwap

ParaSwap 的類似漏洞

Four days prior to the Munchables incident, ParaSwap, a decentralized finance (DeFi) aggregator, experienced a separate hacking event, resulting in the theft of approximately $24,000 from four different addresses. However, the protocol successfully recovered the stolen funds and initiated reimbursements to affected users.

Munchables 事件發生前 4 天，去中心化金融 (DeFi) 聚合商 ParaSwap 經歷了一次單獨的駭客事件，導致四個不同地址約 24,000 美元被盜。然而，該協議成功恢復了被盜資金，並向受影響的用戶發起了補償。

With the invaluable assistance of white hat hackers, ParaSwap effectively addressed the exploit and revoked permissions for the compromised AugustusV6 smart contract. ParaSwap disclosed that a total of 386 addresses were potentially affected by the vulnerability, although as of March 25th, 213 addresses had yet to revoke permissions for the compromised contract.

在白帽駭客的寶貴幫助下，ParaSwap 有效地解決了漏洞並撤銷了受感染的 AugustusV6 智能合約的權限。 ParaSwap 揭露，共有 386 個位址可能受到該漏洞的影響，儘管截至 3 月 25 日，仍有 213 個位址尚未撤銷受感染合約的權限。