Maestro, a leading Telegram bot project, recently faced a security vulnerability resulting in the loss of 280 ETH.
On October 25th, a loophole was discovered in Maestro’s Router2 contract that allowed the “transferFrom” call to be altered so that the victim’s address was the sender and the hacker’s address was the recipient. This led to the theft of over 280 ETH (approximately $500,000) from the user’s account.
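The pattern described above, a “transferFrom” whose sender is someone other than the party making the request, can be checked for mechanically. The following is an added example, not code from Maestro or PeckShield: it decodes ERC-20 `transferFrom` calldata and flags calls whose `from` address differs from the account that initiated the request. All function names and addresses are constructed for illustration, and it assumes the check runs at a point that sees both the initiating account and the calldata.

```python
# Added example: decode ERC-20 transferFrom calldata and flag third-party senders.
# Selector of transferFrom(address,address,uint256); all addresses are constructed.
TRANSFER_FROM = bytes.fromhex("23b872dd")

def _address(word: bytes) -> str:
    """An ABI address is a 32-byte word: 12 zero bytes, then the 20-byte address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def decode_transfer_from(calldata_hex: str):
    """Return the decoded arguments, or None if the call is not transferFrom."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if data[:4] != TRANSFER_FROM:
        return None
    if len(data) != 4 + 3 * 32:
        raise ValueError("unexpected transferFrom calldata length")
    return {
        "from": _address(data[4:36]),
        "to": _address(data[36:68]),
        "amount": int.from_bytes(data[68:100], "big"),
    }

def check_call(initiator: str, calldata_hex: str) -> str:
    """Classify a call that `initiator` asks a router to make on their behalf."""
    call = decode_transfer_from(calldata_hex)
    if call is None:
        return "not-transferFrom"
    if call["from"] != initiator.lower():
        return "alert"  # tokens would leave an account that did not make the request
    return "ok"

def encode_transfer_from(sender: str, recipient: str, amount: int) -> str:
    """Build sample calldata (used only to construct the inputs below)."""
    words = [bytes.fromhex(a[2:]).rjust(32, b"\x00") for a in (sender, recipient)]
    return "0x" + (TRANSFER_FROM + b"".join(words) + amount.to_bytes(32, "big")).hex()

CALLER = "0x" + "a1" * 20     # constructed: account initiating the request
HOLDER = "0x" + "b2" * 20     # constructed: a different token holder
RECIPIENT = "0x" + "c3" * 20  # constructed: destination address
OWN_FUNDS = encode_transfer_from(CALLER, RECIPIENT, 10**18)
THIRD_PARTY = encode_transfer_from(HOLDER, CALLER, 10**18)

if __name__ == "__main__":
    for label, data in (("own funds", OWN_FUNDS), ("third party", THIRD_PARTY)):
        print(label, "->", check_call(CALLER, data))
```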
According to PeckShield, the hacker then transferred the stolen funds to the cross-chain protocol Railgun to obfuscate their source.
Roughly 30 minutes after the initial discovery of the breach, Maestro acted quickly and replaced the Router2 contract’s logic with a benign Counter contract, effectively freezing all router operations and curbing any further unauthorized transfers.
Maestro confirmed that the vulnerability has been resolved. However, tokens in SushiSwap, ShibaSwap, and ETH PancakeSwap pools will remain temporarily unavailable as the company continues its internal review.
The team added that it would refund affected users. “We’ll update the community as soon as we’re ready to process the refunds (hopefully within the day),” it said.
Maestro, established in 2022, is one of the pioneering Telegram bot projects, enabling traders to execute orders, monitor wallets, and track markets conveniently within Telegram.