Hackers have stolen over 280 Ethereum (ETH) by exploiting the smart contract of the Telegram trading bot Maestro.
Telegram trading bots automate on-chain trading and farming, but some wallets require users to share their private keys. While Telegram trading bots gained popularity, many community members shared concerns about security measures.
Maestro Router 2 Contract Attacked Due to External Call Vulnerability
Blockchain security firm Beosin posted on X (Twitter) that attackers stole around 280 ETH ($500,000) due to an external call vulnerability in the Maestro Router 2 smart contract. Beosin further explained:
“Attackers can pass in a token address, fill in the called function as transferfrom, with parameters as the victim’s address and their own address, so they can transfer the victim’s tokens to their own address through transferfrom.”
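One way a router could vet a relayed call before forwarding it, rejecting the call shape Beosin describes. This is an added example, not code from Maestro or Beosin; the addresses, the allowlist policy and the function names are constructed for illustration.

```python
# Added example: pre-forwarding check for a router that relays user-supplied calls.
# All addresses, the allowlist and the function names are constructed/hypothetical.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)

VICTIM = "0x" + "aa" * 20
CALLER = "0x" + "bb" * 20
TOKEN = "0x" + "cc" * 20
DEX = "0x" + "dd" * 20
ALLOWED_TARGETS = {DEX}  # swap venues only; token contracts are never listed


def _pad(addr):
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return bytes(12) + bytes.fromhex(addr[2:])


def encode_transfer_from(owner, recipient, amount):
    """Build ABI calldata for transferFrom(owner, recipient, amount)."""
    return TRANSFER_FROM + _pad(owner) + _pad(recipient) + amount.to_bytes(32, "big")


def review_forwarded_call(caller, target, calldata, allowed=ALLOWED_TARGETS):
    """Return the reasons a relayed call must be rejected (empty list = allow)."""
    findings = []
    if target.lower() not in allowed:
        findings.append("target not on allowlist")
    selector, args = calldata[:4], calldata[4:]
    if selector == APPROVE:
        findings.append("approve() must not be relayed")
    elif selector == TRANSFER_FROM:
        if len(args) != 96:
            findings.append("malformed transferFrom arguments")
        else:
            owner = "0x" + args[12:32].hex()  # first ABI word holds the token owner
            if owner != caller.lower():
                findings.append("transferFrom owner is not the caller")
    return findings


if __name__ == "__main__":
    # The call shape Beosin describes: token as target, owner differs from caller.
    print(review_forwarded_call(CALLER, TOKEN, encode_transfer_from(VICTIM, CALLER, 10**18)))
    # A relayed call to an allowlisted venue with an unrelated (constructed) selector.
    print(review_forwarded_call(CALLER, DEX, bytes.fromhex("deadbeef") + bytes(64)))
```

The same decoding can be run over calldata embedded in transactions sent to a router to flag relayed `transferFrom` calls whose owner is not the sender.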
Furthermore, another blockchain analysis firm, PeckShield, has informed X users that a phishing wallet stole 37 million JOE tokens due to the exploit. Eventually, the price of JOE dropped by more than 30%. Due to the lack of liquidity, Maestro cannot buy JOE tokens and refund users.
The Maestro attacker has transferred the 280 ETH to Railgun, which is a crypto privacy tool that hides transaction details.
Shortly after the attack, the Maestro team announced that it had identified the exploit and dealt with it. The team wrote:
Finally, Maestro refunded all the affected users by buying the tokens and sending them to the victim’s wallet. Maestro wrote on X:
Every wallet that lost tokens in the router exploit has now received the full amount they lost.
Some of you ended up with even bigger bags. For 9 out of the 11 exploited tokens, we chose to buy and refund tokens instead of simply sending ETH because it’s the most equitable and complete refund we can offer for the incident.
Maestro Earned Over $20 Million in 2023
In May 2023, BeInCrypto reported that the Maestro trading bot earned $5 million in monthly commission. While May was the peak for monthly collection, the screenshot below shows that in 2023, it has collected over $20 million in fees.
Indeed, the Telegram trading bot can help traders earn handsome profits, but at the cost of revealing their private keys to the bot so that it can sign transactions. The ethos of the decentralized ecosystem is “not your keys, not your coins.”
Hence, giving away private keys may not be the best idea. Regarding the Maestro attack, an X (Twitter) user wrote:
“Maestro bot just got EXPLOITED 🚨 I never read did trust all the stupid bots popping out left and right. Stay away from these bots. Be safe”
While giving away the private keys is not the best practice, the Maestro team clarified that the exploit targeted the router, and wallet credentials were not compromised.