Maestro Telegram bot suffers a contract exploit: $500,000 of ETH stolen

Quick Take

  • Maestro suffered from a critical vulnerability in one of its contracts, resulting in a theft of over 280 ETH.
  • Maestro confirmed the issue has been resolved and the team would refund affected users.

Earlier today, Maestro, one of the largest Telegram bot projects in the ecosystem, faced a severe security breach.

The project fell victim to a critical security vulnerability in its Router2 contract, resulting in the unauthorized transfer of more than 280 ETH ($500,000) from user accounts. Maestro has since addressed the issue, although tokens in liquidity pools on certain DEXs will remain temporarily inaccessible.

The contract, designed to manage logic for token swaps, contained a vulnerability that allowed attackers to make arbitrary calls, leading to the unauthorized transfers of assets. According to security firm PeckShield, the funds were transferred to the cross-chain exchange platform Railgun in a likely attempt to obfuscate their origin.

The crux of the issue was that the Router2 contract used a proxy design that permitted its logic to be changed without altering its address, a feature typically used for upgradability. However, this also allowed arbitrary and unauthorized calls to be made, enabling attackers to initiate "transferFrom" operations between any approved addresses.

Specifically, attackers could input a token address into the Router2 contract, set the function to "transferFrom," and list the victim's address as the sender and their own as the recipient. This led to unauthorized transfers of tokens from the victim's accounts to those of the attackers.
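The pattern described above, as an added illustration that is not Maestro's code: a router that forwards caller-supplied calldata to any target, beside a hardened version that only pulls tokens from the caller and only calls allowlisted venues. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern (illustrative, not the Router2 source): the router executes a
/// caller-supplied target and calldata. Users have approved this contract to spend
/// their tokens, so any caller can make it issue a transferFrom on their behalf.
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened pattern: the only transferFrom the router ever issues names msg.sender
/// as the source, external calls go only to allowlisted swap venues, and the
/// token contract itself is never a call target.
contract RestrictedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedVenue; // curated DEX routers

    constructor() { owner = msg.sender; }

    function setAllowedVenue(address venue, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedVenue[venue] = allowed;
    }

    function swap(address token, uint256 amount, address venue, bytes calldata venueData) external {
        require(allowedVenue[venue], "venue not allowlisted");
        require(venue != token, "token contract is not a venue");
        // Approvals granted to this router can only ever move the caller's own funds.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        (bool ok, ) = venue.call(venueData);
        require(ok, "swap failed");
    }
}
```

The defender's takeaway is that an approval to a router is only as safe as the set of calls that router can be made to emit; any path from untrusted calldata to `address.call` turns every outstanding approval into a liability.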

Immediate response: Maestro froze router operations

Roughly 30 minutes after the initial discovery of the breach, Maestro acted quickly and replaced the Router2 contract's logic with a benign Counter contract, effectively freezing all router operations and curbing any further unauthorized transfers.

Maestro confirmed that the vulnerability has been resolved. However, tokens in SushiSwap, ShibaSwap, and ETH PancakeSwap pools will remain temporarily unavailable as the company continues its internal review.

The team added that it would refund affected users. “We’ll update the community as soon as we’re ready to process the refunds (hopefully within the day),” it said.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editor of this story: Tim Copeland at [email protected]