Maestro, one of the largest Telegram bot projects in the crypto ecosystem, fell victim to a critical security breach earlier today, resulting in the unauthorized transfer of more than 280 ETH, amounting to a staggering $500,000, from user accounts. The breach stemmed from a critical vulnerability discovered in its Router2 contract, leaving the project in turmoil.
Consequently, Maestro has taken steps to address the issue. However, there will be a temporary disruption in accessing tokens within liquidity pools on specific decentralized exchanges (DEXs).
Router2 Contract Flaw Exploited
The Router2 contract, a pivotal component designed to manage the logic behind token swaps, harbored a vulnerability that enabled malicious actors to execute arbitrary calls, leading to the illicit transfer of assets.
Security firm PeckShield has identified that the stolen funds found their way to the cross-chain exchange platform Railgun, a likely attempt to obfuscate their origin.
We regret to inform our users that the Maestro Router was compromised tonight. We have swiftly taken action and revoked all the router’s functionalities.
For those who were affected, full refunds will be issued out. For those who were not affected, your tokens are fully safe…
— Maestro🤖🤖 (@MaestroBots) October 25, 2023
The issue lies in the unique design of the Router2 contract, employing a proxy mechanism that facilitates alterations in the contract’s logic without necessitating a change in its address.
While this feature was intended to allow for upgradability, it inadvertently opened a gateway for unauthorized calls. Attackers leveraged this vulnerability to initiate “transferFrom” operations between any approved addresses.
The attackers exploited a simple yet powerful technique. By inputting a token address into the Router2 contract, they set the function to “transferFrom,” manipulating the sender’s details to reflect the victim’s address and redirecting the tokens to their accounts. This heinous tactic led to the unauthorized transfer of tokens from the victims’ accounts to those under the attackers’ control.
Maestro Hopes to Issue Refunds Promptly
Responding with commendable swiftness, Maestro took immediate action. Within 30 minutes of discovering the breach, the team replaced the compromised Router2 contract’s logic with a benign Counter contract. This tactical move effectively froze all router operations, preventing further unauthorized transfers.
While Maestro’s diligent efforts have successfully resolved the vulnerability, tokens housed in liquidity pools on prominent decentralized exchanges, including SushiSwap, ShibaSwap, and ETH PancakeSwap, will remain temporarily inaccessible as the company conducts a thorough internal review.
Assuring affected users, the Maestro team announced their commitment to refunds, hopefully within the day.
The incident comes as the popularity of Telegram-integrated bots among crypto traders is rising. Despite their convenience and ease of use, experts are raising concerns regarding the security measures implemented by these bots in handling user assets.