Maestro, one of the largest Telegram bot projects in the crypto eco, fell victim to a critical security breach earlier today, resulting in the unauthorized transfer of more than 280 ETH, amounting to a staggering $500,000, from user accounts. The breach stemmed from a critical vulnerability discovered in its Router2 contract, leaving the project in turmoil.
Consequently, Maestro has taken steps to address the issue. However, there will be a temporary disruption in accessing tokens within liquidity pools on specific decentralized exchanges (DEXs).
Router2 Contract Flaw Exploited
The Router2 contract, a pivotal component designed to manage the logic behind token swaps, harbored a vulnerability that enabled malicious actors to ute arbitrary calls, leading to the illicit transfer of assets.
Security firm PeckShield has identified that the stolen funds found their way to the cross-chain exchange platform Railgun, a likely attempt to obfuscate their origin.
We regret to inform our users that the Maestro Router was compromised tonight. We have swiftly taken action and revoked all the router’s functionalities.
For those who were affected, full refunds will be issued out. For those who were not affected, your tokens are fully safe…
— Maestro🤖🤖 (@MaestroBots) October 25, 2023
The issue lies in the unique design of the Router2 contract, employing a proxy mechanism that facilitates alterations in the contract’s logic without necessitating a change in its address.
While this feature was intended to allow for upgradability, it inadvertently opened a gateway for unauthorized calls. Attackers leveraged this vulnerability to initiate “transferFrom” operations between any approved addresses.
The attackers exploited a simple yet powerful technique. By inputting a token address into the Router2 contract, they set the function to “transferFrom,” manipulating the sender’s details to reflect the victim’s address and redirecting the tokens to their accounts. This heinous tactic led to the unauthorized transfer of tokens from the victims’ accounts to those under the attackers’ control.
Maestro Hopes to Issue Refunds ly
Responding with commendable swiftness, Maestro took immediate action. Within 30 minutes of discovering the breach, the team replaced the compromised Router2 contract’s logic with a benign Counter contract. This tactical move effectively froze all router operations, preventing further unauthorized transfers.
While Maestro’s diligent efforts have successfully resolved the vulnerability, tokens housed in liquidity pools on prominent decentralized exchanges, including SushiSwap, ShibaSwap, and ETH PancakeSwap, will remain temporarily inaccessible as the company conducts a thorough internal review.
Assuring affected users, the Maestro team announced their commitment to refunds, hopefully within the day.
The incident comes as the popularity of Telegram-integrated bots among crypto traders is rising. Despite their convenience and ease of use, experts are raising concerns regarding the security measures implemented by these bots in handling user assets.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
