Telegram Maestro Bot impacted by ETH contract vulnerability, stolen $500,000

Attackers exploited the proxy design of a contract used by the Maestro trading bot on Telegram to gain unauthorized access to user funds, stealing approximately $500,000 worth of Ether (ETH).

Maestro, a significant project within the Telegram bot ecosystem, experienced a security breach within its Router2 contract. This breach led to the unauthorized transfer of more than 280 ETH, equivalent to around $500,000, from user accounts.

The Router2 contract used a proxy design, which allows the contract's logic to be replaced without changing its address. This design was intended for upgradability, but it did nothing to restrict arbitrary and unauthorized calls made through the contract. Attackers abused this by having the router itself issue "transferFrom" calls between approved addresses: they passed a token address into Router2 as the call target, selected the token's "transferFrom" function, and supplied a victim's address as the sender and their own address as the recipient. Because users had approved Router2 to spend their tokens, the token contract honored the call and the transfers went through.
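The following Solidity sketch, added here as an illustration and not taken from Maestro's code, shows the class of flaw described above (a router holding user token approvals that forwards caller-chosen calldata to a caller-chosen target) beside a hardened variant that fixes the `from` address to `msg.sender`, allowlists forward targets and rejects the `transferFrom` selector outright. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the router needs.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (illustrative, not Maestro's code): users approve this
// router as a token spender, and it forwards caller-supplied calldata to a
// caller-supplied target. Inside the token contract, msg.sender is the router,
// so a caller can make it run token.transferFrom(victim, attacker, amount)
// for any victim who granted the router an allowance.
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// HARDENED PATTERN: token pulls are built by the router and always draw from
// msg.sender, so an allowance can only be spent on the approver's own behalf.
// Forwarded calls are limited to an owner-managed allowlist, and the
// transferFrom selector is refused even for allowlisted targets.
contract RestrictedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    // The 'from' argument is never user-controlled.
    function pullFromCaller(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(allowedTarget[target], "target not allowed");
        require(data.length >= 4 && bytes4(data[:4]) != IERC20.transferFrom.selector, "selector not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

When auditing a router that holds approvals, the check to make is whether any reachable path lets a caller choose both the external target and the calldata; if one exists, every allowance granted to the router is at risk regardless of the proxy layer.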

Although the issue has been addressed, access to tokens in liquidity pools on certain decentralized exchanges (DEXs) will remain temporarily unavailable. The Maestro team assured the community that they would provide updates and process refunds as soon as possible.

Within 30 minutes of discovering the breach, Maestro used the proxy's upgrade path to replace the Router2 contract's logic with a benign Counter contract. This froze all router operations and prevented further unauthorized transfers.