Maestro Faces Severe Security Breach Resulting in Unauthorized Transfers
Today, Maestro, a major Telegram bot project, experienced a significant security breach. The breach was due to a critical vulnerability in its Router2 contract, leading to the unauthorized transfer of over 280 ETH ($500,000) from user accounts. Maestro has taken steps to address the issue, but access to tokens in liquidity pools on certain DEXs will be temporarily unavailable.
The vulnerability in the contract allowed attackers to make arbitrary calls, resulting in unauthorized asset transfers. According to security firm PeckShield, the funds were transferred to the cross-chain exchange platform Railgun in an attempt to hide their origin.
Contract Vulnerability Permitted Unauthorized Transfers
The issue with the Router2 contract was that its proxy design allowed the contract logic to be changed without altering its address. While this feature enabled upgradability, it also allowed for arbitrary and unauthorized calls. Attackers took advantage of this by having the router issue “transferFrom” calls against tokens that victims had already approved it to spend, moving tokens from victims’ accounts to their own.
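To make the failure mode concrete, here is an added Solidity illustration (not Maestro's code, and not the Router2 contract) of the weak pattern the article describes beside a hardened form: the first router forwards any caller-supplied call while holding users' token approvals, so the forwarded call can be a transferFrom against any approver; the second pulls tokens only from msg.sender, forwards calls only to an owner-managed allowlist of DEX contracts, and has a pause switch that plays the role of Maestro's emergency logic swap. Contract, function and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// WEAK PATTERN: the router is msg.sender for whatever call it forwards, so a
// call to token.transferFrom(victim, attacker, amount) succeeds for every
// user who has granted this router an allowance.
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

// HARDENED PATTERN: tokens are pulled from the caller only, forwarded calls are
// limited to trusted DEX contracts, and the owner can pause the router.
contract AllowlistRouter {
    address public immutable owner;
    bool public paused;
    mapping(address => bool) public allowedTarget; // DEX routers/pools, never tokens

    event TargetAllowed(address indexed target, bool allowed);
    event Paused(bool paused);

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
        emit TargetAllowed(target, allowed);
    }
    function setPaused(bool p) external onlyOwner { paused = p; emit Paused(p); }

    // The "from" of transferFrom is hard-wired to msg.sender: a user can only
    // ever move their own tokens, and the call target cannot be chosen freely.
    function swap(address token, uint256 amount, address dex, bytes calldata data) external payable {
        require(!paused, "paused");
        require(allowedTarget[dex], "target not allowed");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        require(IERC20(token).approve(dex, amount), "approve failed");
        (bool ok, ) = dex.call{value: msg.value}(data);
        require(ok, "dex call failed");
    }
}
```

The allowlist shifts trust to the listed DEX contracts, so a token contract must never be added to it; an operator reviewing a router of this kind should check both what the forwarded call can target and whose tokens a forwarded call can spend.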
Immediate Response: Maestro Freezes Router Operations
Within 30 minutes of discovering the breach, Maestro acted swiftly by replacing the Router2 contract’s logic with a benign Counter contract. This action froze all router operations and prevented further unauthorized transfers. Maestro has confirmed that the vulnerability has been resolved.
However, tokens in SushiSwap, ShibaSwap, and ETH PancakeSwap pools will remain temporarily unavailable as Maestro conducts an internal review. The company plans to refund affected users and will provide updates on the refund process.
Hot Take: Protecting User Funds Through Swift Action
The security breach faced by Maestro highlights the importance of robust security measures in the crypto ecosystem. Despite the unauthorized transfers, Maestro’s quick response in freezing router operations and resolving the vulnerability demonstrates its commitment to protecting user funds. By promptly addressing the issue and planning to refund affected users, Maestro aims to regain trust and maintain its position as a leading Telegram bot project.