Today, Maestro, one of the projects built on the popular messaging app Telegram, suffered a security breach that compromised user accounts.
The breach occurred due to a critical security vulnerability within the project’s Router2 contract, which led to unauthorized transfers of over 280 ETH, equivalent to $500,000.
The Router2 contract, primarily responsible for managing token swaps, had a vulnerability that enabled attackers to perform unauthorized actions, including asset transfers.
Security firm PeckShield reported that the stolen funds were sent to the cross-chain exchange platform Railgun, possibly in an attempt to obscure their origin.
The core issue lay in the contract’s design, which allowed its logic to be changed without changing its address. While this feature is typically intended for updates, it also makes it possible for arbitrary and unauthorized calls to be made through the contract.
Attackers exploited this vulnerability by initiating “transferFrom” operations using the Router2 contract. They entered a token address, set the function to “transferFrom,” and specified the victim’s address as the sender and their own address as the recipient. This allowed them to move tokens from the victim’s accounts to their own.
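The router shape described above, beside a hardened version, as an added illustration in Solidity: this is not Maestro’s Router2 code, it assumes a simplified single-token swap flow, and it does not model the proxy upgrade mechanism mentioned earlier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Vulnerable shape (illustrative, not the Router2 source): the caller picks both the
// target and the calldata. Users have approved this router to spend their tokens, so
// the router itself can be made to execute token.transferFrom(victim, caller, amount).
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened shape: tokens are pulled only from msg.sender, forwarded only to an
// owner-vetted swap target, and raw calldata never reaches an arbitrary address.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget; // vetted DEX contracts only, never a token

    constructor() { owner = msg.sender; }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function swap(address tokenIn, uint256 amountIn, address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowlisted");
        // The only transferFrom this router ever issues names the caller as the source,
        // so another user's allowance can never be spent on a caller's behalf.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Scope the allowance to this swap and revoke it afterwards.
        require(IERC20(tokenIn).approve(target, amountIn), "approve failed");
        (bool ok, ) = target.call(data);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(target, 0), "revoke failed");
    }
}
```

A review check that follows from this: any function on a contract that holds user allowances must not forward caller-supplied target addresses or calldata, and the upgrade path for its logic should be protected by a multisig or timelock.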
Upon discovering the breach, Maestro acted swiftly to replace the Router2 contract’s logic with a harmless placeholder contract. This action effectively froze all router operations, preventing further unauthorized transfers.