Blast Chain's $97 Million Battle: Are North Korean Hackers Rusty?

2024-03-27 CertiK

https://www.certik.com/ko/resources/blog/blast-chains-usd97-million-battle-are-north-korean-hackers-rusty


CertiK analyzes the March 2024 Munchables attack on Blast after on-chain investigator ZachXBT identified North Korean hackers as the primary perpetrators. The attacker withdrew 17,413.96 ETH from the staking proxy and left roughly $97 million in project assets exposed, using an unlock path that passed registration and lock-duration checks. CertiK found that a backdoored implementation had already written attacker registration state into proxy storage through delegatecall before the logic contract was replaced with a normal version to hide the setup. The case gives defenders and Web3 teams concrete evidence around proxy upgrades, persistent storage state, and attacker-controlled initialization logic.
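
The storage behaviour described above, as an added example that is not from CertiK's report or the Munchables contracts: a toy Python model in which the proxy owns storage and implementations only supply logic, with a defender check that replays the event log against storage. All class names, addresses and amounts are constructed, and the seeded state is modelled as a plain balance entry.

```python
# Toy model (constructed): the proxy holds state, implementations hold only code.
class Proxy:
    def __init__(self, impl):
        self.storage = {}   # persists across upgrades
        self.events = []    # stand-in for the on-chain event log
        self.impl = impl

    def upgrade_to(self, impl):
        self.impl = impl    # swaps logic only; storage is untouched

    def call(self, fn, *args):
        # delegatecall semantics: implementation code runs against proxy storage
        return getattr(self.impl, fn)(self, *args)

class CleanImpl:
    @staticmethod
    def lock(proxy, account, amount):
        proxy.storage[account] = proxy.storage.get(account, 0) + amount
        proxy.events.append(("Locked", account, amount))

    @staticmethod
    def unlock(proxy, account, amount):
        if proxy.storage.get(account, 0) < amount:
            raise ValueError("insufficient locked balance")
        proxy.storage[account] -= amount
        proxy.events.append(("Unlocked", account, amount))

class SeededImpl(CleanImpl):
    # Hypothetical earlier implementation: its initializer writes state
    # that no deposit backs and emits no event.
    @staticmethod
    def initialize(proxy, account, amount):
        proxy.storage[account] = amount

def unbacked_balances(proxy):
    """Replay the event log; return storage entries the log cannot explain."""
    expected = {}
    for name, account, amount in proxy.events:
        sign = 1 if name == "Locked" else -1
        expected[account] = expected.get(account, 0) + sign * amount
    return {a: v - expected.get(a, 0)
            for a, v in proxy.storage.items() if v != expected.get(a, 0)}

def demo():
    proxy = Proxy(SeededImpl)
    proxy.call("initialize", "0xSEEDED", 10**6)  # constructed values
    proxy.upgrade_to(CleanImpl)                  # live logic now looks normal
    proxy.call("lock", "0xUSER", 5)
    return unbacked_balances(proxy)

if __name__ == "__main__":
    print(demo())
```

In this model the seeded entry is flagged even though the live implementation is clean, so reviewing only the current logic contract would not surface it.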
