Maestro, one of the largest Telegram crypto trading bot projects in the ecosystem, has been targeted in a hack attack. The attack resulted in the theft of dozens of Ethereum (ETH) from the crypto trading bot’s smart contract.
280 ETH Stolen from the Bot
Findings after the hack attack reveal that the Telegram crypto trading bot fell victim to a critical security vulnerability in its Router2 contract, allowing unauthorized transfers of over 280 ETH (worth $500,000) from user accounts. The Maestro team took immediate action to fix the issue, but access to tokens in liquidity pools on certain decentralized exchanges (DEXes) was temporarily suspended.
The smart contract designed to manage token swaps was found to have a security vulnerability that allowed hackers to make arbitrary calls and unauthorized transfers of funds. According to the blockchain security company PeckShield, the funds were likely transferred to the cross-chain exchange platform Railgun to hide their origin.
The essence of the problem was that the Router2 contract had a proxy design that allowed changes to the contract logic without changing the wallet address, which is typically a feature for upgradability. This design also allowed arbitrary and unauthorized calls, enabling hackers to initiate “transferFrom” operations from any wallet address that had approved the contract to spend its tokens.
Exploiting this vulnerability, the hackers passed a token contract address to the Router2 contract and set the function to be called to “transferFrom,” listing Maestro’s wallet address as the sender and their own wallet addresses as recipients. In this way, unauthorized token transfers were made from Maestro’s wallet addresses to the hackers’ wallet addresses.
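To make the flaw described above concrete, here is an added example (not Maestro's code; the contract, function and mapping names are assumptions) showing the arbitrary-call router pattern beside a hardened version that only calls whitelisted swap targets and only ever pulls tokens from the caller:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Maestro's code. Router2Vulnerable, Router2Hardened,
// executeSwap and allowedTargets are assumed names chosen for this example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The pattern described in the article: the router forwards a caller-supplied
// target and calldata. Users approved this contract to spend their tokens, so
// when the router itself is made to call token.transferFrom(victim, recipient,
// amount), the token's allowance check passes and the victim's funds move.
contract Router2Vulnerable {
    function executeSwap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened form: the generic call path reaches only pre-registered DEX targets
// (token contracts must never be registered), and the router pulls tokens
// solely from msg.sender, so a caller cannot name another user as the source.
contract Router2Hardened {
    address public immutable owner;
    mapping(address => bool) public allowedTargets;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTargets[target] = allowed;
    }

    function executeSwap(address token, uint256 amount, address target, bytes calldata data) external {
        require(allowedTargets[target], "target not whitelisted");
        // Funds are taken only from the caller, using the caller's own approval.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
    }
}
```

On the user side, exposure to a router of the vulnerable kind ends once the token allowance granted to it is set back to zero, which is why revoking approvals for a compromised contract matters even after the contract is replaced.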
Router Operations Suspended in Maestro
Immediately after the hack attack was detected, the Maestro team took action by completely changing the Router2 contract and quickly suspending all router operations, preventing further unauthorized fund transfers from the smart contract.
The Maestro team confirmed that the security vulnerability has been addressed, but tokens in the SushiSwap, ShibaSwap, and ETH PancakeSwap pools will not be available for a while due to ongoing inspections. The team announced that refunds will be made to all users whose funds were stolen. The statement said, “We will inform the community as soon as we are ready to process the refunds (hopefully within the day).”