On October 24, a security breach in Maestro, a prominent cryptocurrency trading bot, led to the loss of an estimated 280 ETH, valued at around $500,000. The attacker exploited a vulnerability in a recently deployed router contract, which was designed to facilitate the trading of various memecoins. The project announced the exploit in a post on the social media platform X.
We regret to inform our users that the Maestro Router was compromised tonight. We have swiftly taken action and revoked all the router's functionalities.
— Maestro🤖🤖 (@MaestroBots) October 25, 2023
For those who were affected, full refunds will be issued out. For those who were not affected, your tokens are fully safe…
The attacker transferred tokens to their own wallet, specifically tokens whose holders had previously granted an approval to the compromised contract. After securing the tokens, the attacker converted them into ether and used the RailGun mixer to obscure the trail of funds.
The Maestro team acted swiftly to mitigate the damage. They “revoked all the router’s functionalities,” ensuring that trading could be safely resumed. Affected users were promised full refunds, while those unaffected were assured that their tokens remained secure.
The project also committed to issuing full refunds to those affected, estimating that approximately 280 ETH will be needed for this purpose. They also clarified that the exploit was limited to the router and did not impact user wallets.
The compromised Router 2 contract functioned in a manner similar to an ERC1967-like proxy. It delegated its operations to another address, which was responsible for the logic related to swaps and incentivizing block builders. The vulnerability lay in an exposed function on the router that, when called, deferred to its designated implementation. This loophole enabled the attacker to make the router call ‘transferFrom’ against token holders who had approved it, accumulate their tokens, and eventually convert them into ETH.
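To illustrate the bug class described above, the following is an added, hypothetical pair of contracts (not Maestro's code, whose source is not on this page): a router whose swap entry point spends approvals on behalf of a caller-chosen address, beside a hardened version that only spends the caller's own approval, gates upgrades behind an owner check, and carries a pause switch of the kind a team would use to "revoke all the router's functionalities". The implementation's `doSwap` interface is an assumption for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical "before": a router whose swap entry point lets the caller pick whose
// tokens are pulled. Anyone who approved this router can be drained by any other caller.
contract VulnerableRouter {
    function swapFor(address token, address from, uint256 amount, address recipient) external {
        // BUG: `from` is caller-controlled and never compared with msg.sender, so the
        // router spends approvals that belong to other users.
        require(IERC20(token).transferFrom(from, recipient, amount), "transferFrom failed");
    }
}

// Hypothetical "after": approvals are only spent on behalf of msg.sender, upgrades are
// owner-only, and an emergency pause lets the team disable the router.
contract HardenedRouter {
    address public owner;
    address public implementation; // assumed to expose doSwap(address,uint256,address)
    bool public paused;
    event ImplementationChanged(address indexed oldImpl, address indexed newImpl);
    event Paused(bool paused);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "router paused"); _; }

    constructor(address impl) { owner = msg.sender; implementation = impl; }

    function swap(address token, uint256 amount, address recipient) external whenNotPaused {
        // FIX: the only approval this call can spend is the caller's own.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Forward to the implementation for the actual swap (delegatecall runs it in this
        // contract's storage context, which is why setImplementation must be owner-only).
        (bool ok, ) = implementation.delegatecall(
            abi.encodeWithSignature("doSwap(address,uint256,address)", token, amount, recipient)
        );
        require(ok, "swap failed");
    }

    function setImplementation(address newImpl) external onlyOwner {
        emit ImplementationChanged(implementation, newImpl);
        implementation = newImpl;
    }

    // "Revoking all the router's functionalities": one owner-only switch stops every swap.
    function setPaused(bool p) external onlyOwner { paused = p; emit Paused(p); }
}
```

The hardening does not undo approvals users already granted to a compromised address; those remain spendable until each holder revokes them, which is why a pause on the router side matters as an immediate stopgap.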
After identifying the exploit, Maestro updated their router to a “safe, exploit-free implementation,” according to the team. Although trading has resumed, tokens associated with liquidity pools on platforms like SushiSwap, ShibaSwap, and PancakeSwap’s Ethereum deployment are still temporarily unavailable.
The Maestro incident is not an isolated event in the cryptocurrency landscape. Just last month, HTX Global, another significant player in the digital currency arena, also fell victim to a cyber-attack. The breach, which took place on September 24, 2023, led to a loss of a staggering 5,000 ETH, equivalent to about $8 million USD.