On October 25, 2023, the Telegram bot Maestro, known for its crypto trading tools, experienced a security breach that resulted in the theft of 280 ETH (equivalent to $502,082) worth of tokens and selling them on the market.
The breach was initially brought to public attention by a user with the handle 0xLawliette, who issued a warning to the Maestro community. In their message, 0xLawliette urged users to take immediate action, stating,
“get your money off maestro ASAP router exploited”
Maestro reacted promptly to the security breach, acknowledging the seriousness of the situation and ensuring that users affected by the exploit would be fully compensated. The platform has estimated the total refunds for impacted users to be approximately 280 ETH.
The exploit responsible for the breach has been identified and subsequently resolved by the Maestro team. To ensure the security and integrity of the platform, the Maestro Router has been updated, providing a secure and exploit-free environment for users.
According to blockchain security company Beosin, the attacker exploited the vulnerability by specifying a token address, using the “transferfrom” function, and providing parameters that included the victim’s address and the attacker’s address.
This allowed the attacker to transfer the victim’s tokens to their own address through the “transferfrom” function. As a result, the attacker was able to steal over 280 ETH from the platform.
Of the 280 ETH stolen, most of them were memecoins.
In the aftermath of the security breach, there have been concerns raised by users affected by the hack. The Maestro team has promised to refund the stolen funds in ETH.
However, some users who lost memecoin tokens and other assets have voiced their preference for receiving the stolen tokens back instead of ETH