Maestro Router 2 Hack Analysis

Maestro Router 2 Hack Analysis

Overview:

On October 24, 2023, Maestro Router 2 suffered an attack due to an arbitrary external call vulnerability, leading to an approximate loss of ~280ETH.

Smart Contract Hack Overview:

• Attacker address:0xce6397
• Attack Contract:0xe6c6e8
• Vulnerable Contract: 0x80a64c
• Attack Transaction: 0xe60c5a

Decoding the Smart Contract Vulnerability:

• The main vulnerability lies within the ‘0x9239127f’ function in the Maestro Router 2 contract, which is susceptible to an external call exploit.
• Attackers could exploit this weakness by providing a token address as input, specifying the function ‘transferfrom’ to be executed, and setting the parameters as the victim’s address and their own address.
• This allowed the attackers to effectively transfer the victim’s tokens to their own address using the ‘transferfrom’ function.
• In essence, this vulnerability enabled unauthorized token transfers from the victim’s account to the attacker’s account.

Mitigation and Best Practices:

• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord