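Munchables, an NFT game built on the Blast blockchain, has fallen victim to a $62 million exploit. Blockchain analyst ZachXBT identified the attacker's wallet, which currently holds more than $62 million in Ether. The exploit reportedly stems from the hiring of a North Korean developer, who allegedly manipulated storage slots to assign himself a large Ether balance before the contract implementation was changed.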
Munchables NFT Game Exploited for $62 Million, Raising Questions about Chain Rollbacks
By Staff Reporter
March 27, 2023
A nonfungible token (NFT) game named Munchables, operating on the Ethereum layer-2 blockchain Blast, has fallen victim to a sophisticated exploit resulting in a loss of $62 million.
The Munchables team acknowledged the breach via an X post on March 26th at 9:33 pm UTC, confirming that the exploiters' movements were being monitored and efforts were underway to halt the malicious transactions.
Blockchain Analyst Identifies Alleged Attacker
Blockchain analyst ZachXBT promptly responded to the Munchables announcement, revealing the wallet address allegedly belonging to the perpetrator. Data from Blastscan indicated that the address currently holds approximately $62.45 million worth of Ether (ETH).
According to DeBank, the exploiter's wallet interacted with the Munchables protocol at 9:26 am UTC, siphoning a total of 17,413 ETH.
Exploiter's Transactions Traced
Subsequent to the initial extraction, the exploiter's wallet transferred $10,700 worth of ETH through the Orbiter Bridge, effectively converting it back into native ETH. At 10:05 pm UTC, an additional 1 ETH was sent to a newly created wallet address.
Allegations Against North Korean Developer
ZachXBT speculated that the exploit may stem from the Munchables team's decision to engage a North Korean developer known as "Werewolves0943."
Planned Attack Suspected
Solidity developer 0xQuit asserted in an X post on March 27th that the Munchables attack was meticulously planned. They identified a suspicious upgrade to the Lock contract, which governs the locking of tokens for specific durations, that was implemented shortly before the game's launch.
"Appropriate checks were in place to prevent withdrawals exceeding deposits," explained 0xQuit. "However, prior to the upgrade, the attacker assigned himself a deposited balance of 1,000,000 Ether."
"The scammer exploited storage slot manipulation to grant himself an inflated Ether balance before switching to a seemingly legitimate contract implementation," 0xQuit added. "He then withdrew the funds when the TVL reached a substantial level."
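A toy Python model of the mechanism 0xQuit describes, added here as an illustration and not taken from the Munchables contracts: in an upgradeable contract the storage persists when the implementation is swapped, so a balance written beforehand passes the new withdrawal check, while reconciling stored balances against logged deposits flags it. The class names, the `seed` function and the accounts `alice` and `bob` are hypothetical; only the 1,000,000 Ether and 17,413 ETH figures come from the article.

```python
ETH = 10**18  # wei per Ether

class ProxyStorage:
    """Storage lives with the proxy, so it survives every implementation upgrade."""
    def __init__(self):
        self.deposited = {}  # account -> wei credited (the "storage slots")
        self.events = []     # (kind, account, wei) emitted by the honest code paths
        self.pool = 0        # ETH actually held by the contract

class SetupImpl:
    """Hypothetical pre-launch implementation: direct balance write, no event."""
    def seed(self, s, account, wei):
        s.deposited[account] = wei

class LockImpl:
    """Launch implementation: deposits are logged, withdrawals capped by balance."""
    def deposit(self, s, account, wei):
        s.deposited[account] = s.deposited.get(account, 0) + wei
        s.pool += wei
        s.events.append(("Deposit", account, wei))

    def withdraw(self, s, account, wei):
        if wei > s.deposited.get(account, 0) or wei > s.pool:
            raise ValueError("withdrawal exceeds deposit")
        s.deposited[account] -= wei
        s.pool -= wei
        s.events.append(("Withdraw", account, wei))

def unbacked_balances(s):
    """Reconcile stored balances with the event log; return the excess per account."""
    backed = {}
    for kind, account, wei in s.events:
        backed[account] = backed.get(account, 0) + (wei if kind == "Deposit" else -wei)
    return {a: bal - backed.get(a, 0) for a, bal in s.deposited.items()
            if bal != backed.get(a, 0)}

def run_scenario():
    s = ProxyStorage()
    SetupImpl().seed(s, "dev", 1_000_000 * ETH)  # written before the upgrade
    impl = LockImpl()                            # upgrade: logic changes, storage stays
    flagged_at_launch = unbacked_balances(s)     # audit before any user deposits
    impl.deposit(s, "alice", 10_000 * ETH)       # constructed user deposits
    impl.deposit(s, "bob", 7_413 * ETH)
    impl.withdraw(s, "dev", s.pool)              # passes the balance check
    return flagged_at_launch, s.pool
```

Running the reconciliation right after the upgrade, before users deposit, is the point at which the seeded balance stands out most clearly.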
Munchables Mechanics and Blast Involvement
Munchables operates as a Blast-based GameFi application centered around NFT-based creatures. The protocol enables users to stake Blast ETH and Blast USD (USDB) to accumulate Blast points and unlock in-game advantages.
In light of the exploit, several members of the X community, including pseudonymous metaverse advisor Cygaar, have implored the Blast team to intervene by retroactively rolling back the chain to a state preceding the attack.
Centralized Intervention or Decentralized Ethos?
Opposing viewpoints have emerged regarding the merits of centralized intervention, which clashes with the decentralized nature of blockchain networks. Adam Cochran, partner at Cinneamhain Ventures, suggested that Blast intervening "would be on brand" but recognized the potential precedent it could set.
Cygaar argued for the exceptional circumstances presented by Blast's unique character: "While I adamantly oppose such actions on other chains, I don't perceive Blast as a 'serious decentralization chain' but rather a haven for games, experimentation, and degen behavior."
"Given that, it doesn't seem inconsistent with their brand to intervene in the interest of user experience," Cygaar added.
Conclusion
The Munchables exploit highlights the ongoing challenges and vulnerabilities associated with decentralized gaming platforms. As the investigation into the attack progresses, the blockchain community will continue to debate the merits and consequences of centralized intervention in the face of such setbacks.