Hackers used the account’s proxy design for upgradability to hack into Telegram’s Maestro bot account and steal $500,000 worth of Ether ETH/USD.
What Happened?
Maestro, one of the largest Telegram bot projects in the ecosystem, witnessed a significant security breach in its Router2 contract leading to the unauthorized transfer of more than 280 ETH ($500,000) from user accounts. Security firm, PeckShield noted on Twitter that the 280 ETH were transferred to cross-chain exchange platform Railgun to create ambiguity in tracing their origin.
The contract which was mainly designed to manage logic for token swaps was vulnerable to attackers to make arbitrary calls, leading to the unauthorized transfers of assets, The Block reported.
While the issue has been addressed, token access in liquidity pools on certain DEXs will remain temporarily inaccessible. Tokens in SushiSwap, ShibaSwap, and ETH PancakeSwap pools will remain temporarily unavailable as the company continues its internal review.
The team added on X, “We’ll update the community as soon as we’re ready to process the refunds (hopefully within the day).”
Within 30 minutes of finding the breach, Maestro quickly replaced the Router2 contract's logic with a benign Counter contract, thereby freezing all router operations and stopping any further unauthorized transfers.
To protect against such thefts and maintain the safety of the digital asset, meet Webacy CEO, Maika Isogawa at the upcoming Benzinga Future Of Digital Assets. Mark Nov. 14 on your calendar for the must-attend gathering in the fintech industry!
How Did It Happen?
Router2 contract had a proxy design allowing changes in the contract logic without altering its address, mainly for upgradability, as reported by The Block. However, the design could not protect the contract from arbitrary and unauthorized calls, leading attackers to initiate "transferFrom" operations between any approved addresses.
They could initiate a token address into the Router2 contract, set the function to "transferFrom," and list the victim's address as the sender and their own as the recipient for making unauthorized transfers.
Other Hacks
Among recent instances of hacks, Ethereum co-founder Vitalik Buterin’s X account was breached and the hacker managed to steal $690,000 from users who were directed to a deceptive link. Also, CoinEx experienced a $27 million hack in early September, which was attributed to the North Korea-based Lazarus Group.
Additionally, the owner of Dallas Mavericks, billionaire Mark Cuban also faced a crypto scam leading to a loss of almost $870,000.
Find out more on crypto hacks and how users should safeguard their assets in this highly vulnerable market. Meet and engage with other transformative Digital Asset and Crypto business leaders and investors at Benzinga's exclusive event: Future of Digital Assets. Tickets are flying: Get yours!
Now Read: Trader Who Nailed 2022's Crypto Crash Sends A Warning: Read This Before Going Long
Photo: Shutterstock
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.
