Earlier today, Maestro, one of the largest Telegram bot projects in the ecosystem, faced a severe security breach.
The project fell victim to a critical security vulnerability in its Router2 contract, resulting in the unauthorized transfer of more than 280 ETH ($500,000) from user accounts. Maestro has since addressed the issue, although tokens in liquidity pools on certain DEXs will remain temporarily inaccessible.
The contract, designed to manage logic for token swaps, contained a vulnerability that allowed attackers to make arbitrary calls, leading to the unauthorized transfers of assets. According to security firm PeckShield, the funds were transferred to the cross-chain exchange platform Railgun in a likely attempt to obfuscate their origin.
The crux of the issue lay in the fact that the Router2 contract had a proxy design that permitted changes in the contract logic without altering its address, typically a feature for upgradability. However, this also allowed for arbitrary and unauthorized calls to be made, enabling attackers to initiate "transferFrom" operations between any approved addresses.
Specifically, attackers could supply a token address to the Router2 contract, specify "transferFrom" as the function to invoke, and name a victim's address as the sender and their own as the recipient. Because the token contract only checks that the caller (the router) holds the victim's approval, this led to unauthorized transfers of tokens from the victim's accounts to those of the attackers.
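The pattern described above is a router that holds users' ERC-20 approvals while forwarding any target/calldata pair a caller supplies. The following Solidity sketch is an added example and is not Maestro's Router2 code; it contrasts that unsafe pattern with a hardened router that only ever pulls tokens from msg.sender and only forwards calls to an immutable allowlist of DEX contracts. Contract names, the `execute`/`swap` function names and the allowlist design are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Unsafe pattern (hypothetical, for recognition in review): a router that
/// forwards an arbitrary target and calldata while users have approved it
/// to spend their tokens. Any caller can make the router itself invoke
/// token.transferFrom(victim, caller, amount); the token only checks that
/// msg.sender (this router) is approved by `victim`, which it is.
contract UnsafeRouter {
    function execute(address target, bytes calldata data)
        external payable returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened pattern (hypothetical): the source of every transferFrom is fixed
/// to msg.sender, and external calls may only reach an allowlist of DEX
/// contracts that is set once at deployment. The allowlist must never contain
/// a token contract, otherwise the same arbitrary-call problem reappears.
contract SafeRouter {
    mapping(address => bool) public allowedTarget;

    constructor(address[] memory dexTargets) {
        for (uint256 i = 0; i < dexTargets.length; i++) {
            allowedTarget[dexTargets[i]] = true;
        }
    }

    function swap(address tokenIn, uint256 amountIn, address target, bytes calldata data)
        external payable returns (bytes memory)
    {
        require(allowedTarget[target], "target not allowed");
        // The only transferFrom this contract issues names msg.sender as the
        // source, so one user's approval can never be spent on another's behalf.
        require(
            IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn),
            "pull failed"
        );
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "swap failed");
        return ret;
    }
}
```

When reviewing a router or aggregator that users approve for token spending, the check to make is whether any code path lets a caller choose both the call target and the calldata; if it does, every approval granted to that contract is effectively an approval granted to the public. Note also that an upgradeable proxy does not remove this risk on its own: it lets the operator replace the logic (as Maestro did with a Counter contract to halt the router), but the logic behind the proxy still has to constrain where calls can go.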
Immediate response: Maestro froze router operations
Roughly 30 minutes after the initial discovery of the breach, Maestro acted quickly and replaced the Router2 contract's logic with a benign Counter contract, effectively freezing all router operations and curbing any further unauthorized transfers.
Maestro confirmed that the vulnerability has been resolved. However, tokens in SushiSwap, ShibaSwap, and ETH PancakeSwap pools will remain temporarily unavailable as the company continues its internal review.
The team added that it would refund affected users. “We’ll update the community as soon as we’re ready to process the refunds (hopefully within the day),” it said.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.