Maestro, one of the largest cryptocurrency trading projects in the Telegram ecosystem, has been hit by a hacking attack. The attack resulted in the theft of dozens of Ethereum (ETH) digital currencies from the smart contract of the digital currency trading application.
280 ETH stolen from bot
Findings after the hacking attack found that the Telegram cryptocurrency trading app was exposed to a critical vulnerability in its Router2 smart contract, allowing unauthorized transfers of more than 280 ETH (worth $500,000) from user accounts. The Maestro team took immediate action to fix the issue, but access to tokens in the liquidity pool on some decentralized exchanges (DEXes) has been temporarily suspended.
A recent hack attack on the Telegram cryptocurrency trading bot exposed a serious security vulnerability in its Router2 contract. This vulnerability allowed hackers to conduct unauthorized fund transfers, resulting in the loss of more than 280 Ethereum, equivalent to $500,000, from user accounts. The Maestro team acted immediately to address the issue, but access to tokens in liquidity pools on some decentralized exchanges (DEXes) had to be temporarily suspended.
The security breach was attributed to a flaw in the smart contract responsible for managing token swaps. The design of the contract allowed hackers to exploit a security vulnerability that enabled them to make spam calls and unauthorized transfers of funds. PeckShield, a blockchain security company, suggested that the stolen funds were likely moved to cross-chain exchange platform Railgun in an attempt to hide their origin.
The root of the problem lies in the design of the Router2 contract, which features a proxy design that allows changes to the contract logic without changing the wallet address. Although this design is typically intended for upgradability, it inadvertently enabled hackers to make random and unauthorized calls. By exploiting this vulnerability, hackers were able to initiate “transfer from” operations between any authorized wallet address.
To carry out the attack, the hackers entered the token’s wallet address into the Router2 contract and set the function to “transferFrom”. They listed their Maestro wallet address as sender and their own wallet addresses as recipients. This allowed them to make unauthorized transfers of tokens from Maestro wallets to their own wallets.
The Maestro team took immediate action to fix the vulnerability and prevent further unauthorized transfers. However, the temporary suspension of access to tokens in liquidity pools on some DEXes was necessary to ensure the safety of users’ funds.
Router operations in Maestro have been suspended
After discovering the hack attack, the Maestro team quickly responded by implementing a major overhaul of the Router2 nodes and immediately suspending all router operations. This proactive measure has effectively put an end to any further unauthorized transfers of funds from the compromised smart contract.
The Maestro team has confirmed that the vulnerability has been successfully addressed. However, as a precaution, tokens in the SushiSwap, ShibaSwap, and ETH PancakeSwap pools will be temporarily unavailable while the comprehensive inspections are conducted. This temporary suspension aims to ensure the safety and security of the affected swimming pools.
In a statement, the Maestro team assured users that refunds will be provided to all individuals whose funds were stolen as a result of the security breach. They expressed their commitment to resolving the issue immediately, saying: “We will inform the community as soon as we are ready to process refunds (hopefully within the day).”
The Maestro team’s quick response and commitment to user protection demonstrates their dedication to addressing the security incident and mitigating its impact on their community.