Trading Bot Maestro Refunds Users After a 280 ETH Attack


Hackers have stolen over 280 Ethereum (ETH) by exploiting the smart contract of the Telegram trading bot Maestro.

Telegram trading bots automate on-chain trading and farming, but some wallets require users to share their private keys. While Telegram trading bots gained popularity, many community members shared concerns about security measures. 

Maestro Router 2 Contract Attacked Due to External Call Vulnerability

Blockchain security firm Beosin posted on X (Twitter) that attackers stole around 280 ETH ($500,000) due to an external call vulnerability in the Maestro Router 2 smart contract. Beosin further explained:

“Attackers can pass in a token address, fill in the called function as transferfrom, with parameters as the victim’s address and their own address, so they can transfer the victim’s tokens to their own address through transferfrom.”
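The flaw Beosin describes is a router that forwards a user-supplied target and calldata in its own name, so token allowances granted to the router can be spent by any caller. The Python model below is an added example, not Maestro's code or its actual fix (which the article does not describe); it shows two checks a router could apply before forwarding such a call. The function names, the allowlist and all addresses are constructed for illustration.

```python
# Added illustration, not Maestro's code. All addresses are constructed samples.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # selector of transferFrom(address,address,uint256)

VICTIM, ATTACKER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, DEX = "0x" + "cc" * 20, "0x" + "dd" * 20
ALLOWED = {TOKEN, DEX}  # hypothetical allowlist of contracts the router may call


def encode_transfer_from(src, dst, amount):
    """ABI-encode transferFrom(src, dst, amount) to build sample calldata."""
    pad = lambda addr: bytes(12) + bytes.fromhex(addr[2:])
    return TRANSFER_FROM + pad(src) + pad(dst) + amount.to_bytes(32, "big")


def check_forwarded_call(caller, target, calldata, allowed_targets):
    """Decide whether the router may make this call in its own name.

    The router is msg.sender for the forwarded call, so a token contract
    checks the allowance users granted to the router, not to `caller`.
    """
    if target.lower() not in allowed_targets:
        return False, "target not on allowlist"
    if len(calldata) < 4:
        return False, "calldata too short for a selector"
    if calldata[:4] == TRANSFER_FROM:
        args = calldata[4:]
        # Three 32-byte words; an address word has 12 zero bytes of padding.
        if len(args) != 96 or any(args[:12]):
            return False, "malformed transferFrom arguments"
        source = "0x" + args[12:32].hex()
        if source != caller.lower():
            return False, "transferFrom source is not the caller"
    return True, "ok"


if __name__ == "__main__":
    # The call shape from the Beosin quote: token as target, victim as source.
    drain = encode_transfer_from(VICTIM, ATTACKER, 10**18)
    print(check_forwarded_call(ATTACKER, TOKEN, drain, ALLOWED))
    # A user moving their own tokens passes the same check.
    own = encode_transfer_from(VICTIM, DEX, 10**18)
    print(check_forwarded_call(VICTIM, TOKEN, own, ALLOWED))
```

Restricting the targets alone would also stop the call in the quote if token contracts were left off the allowlist; the source check covers routers that must call tokens directly.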

Furthermore, another blockchain analysis firm, PeckShield, has informed X users that a phishing wallet stole 37 million JOE tokens due to the exploit. Eventually, the price of JOE dropped by more than 30%. Due to the lack of liquidity, Maestro cannot buy JOE tokens and refund users.

Lack of JOE liquidity. Source: X (Twitter)

The Maestro attacker has transferred the 280 ETH to Railgun, which is a crypto privacy tool that hides transaction details.

Attacker moves funds to Railgun. Source: X (Twitter)

Shortly after the attack, the Maestro team announced that it had identified the exploit and dealt with it. The team wrote:

“Our router has been updated to a safe, exploit-free implementation. Trading can resume as normal, but tokens with pools on SushiSwap, ShibaSwap, and ETH PancakeSwap will be temporarily unavailable.”

Finally, Maestro refunded all the affected users by buying the tokens and sending them to the victims' wallets. Maestro wrote on X:

Every wallet that lost tokens in the router exploit has now received the full amount they lost.

Some of you ended up with even bigger bags. For 9 out of the 11 exploited tokens, we chose to buy and refund tokens instead of simply sending ETH because it’s the most equitable and complete refund we can offer for the incident.

Maestro Earned Over $20 Million in 2023

In May 2023, BeInCrypto reported that the Maestro trading bot earned $5 million in monthly commission. While May was the peak for monthly collection, the screenshot below shows that in 2023, it has collected over $20 million in fees.

Maestro monthly fee collection. Source: DefiLlama

Indeed, the Telegram trading bot can help traders earn handsome profits, but at the cost of revealing their private keys to the bot to sign the transactions. The ethos of the decentralized ecosystem is “not your keys, not your coins.”

Hence, giving away private keys may not be the best idea. Regarding the Maestro attack, an X (Twitter) user wrote:

“Maestro bot just got EXPLOITED 🚨 I never read did trust all the stupid bots popping out left and right. Stay away from these bots. Be safe”

While giving away the private keys is not the best practice, the Maestro team clarified that the exploit targeted the router, and wallet credentials were not compromised.
