Attackers have exploited a smart contract flaw in the Maestro Telegram bot, a popular tool for automated trading and farming on Ethereum. They stole about 280 ETH (worth roughly $500,000) and 37 million JOE tokens from the bot's users. The dumping of the stolen JOE also drove a 30% drop in the price of the token, the native token of the Avalanche-based decentralized exchange Trader Joe.
According to blockchain security firms Beosin and PeckShield, the attackers abused an external call vulnerability in the Maestro Router 2 contract: the router executed a caller-supplied external call from its own address. Because users had granted the router ERC-20 allowances in order to trade through it, the attackers had the router call each token's transferFrom function with a victim as the source and their own wallet as the destination, and the token contracts accepted the transfer because msg.sender was the approved router. The stolen ETH was then sent to Railgun, a privacy protocol that hides transaction details.
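The pattern behind the exploit, as an added illustration that is not the Maestro Router 2 source: a hypothetical router that forwards arbitrary calls, a contract that abuses it to pull an approved user's tokens, and a hardened router that restricts call targets and only ever moves tokens belonging to msg.sender. All contract and function names here are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical vulnerable router (constructed for illustration, not Maestro's code).
/// Users approve this contract to spend their tokens so it can trade for them,
/// and it forwards whatever external call the caller supplies, from its own address.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

/// Anyone can make the router call token.transferFrom(victim, attacker, amount).
/// Inside the token contract msg.sender is the router, which the victim approved,
/// so the allowance check passes and the victim's balance moves to the attacker.
contract Drainer {
    function drain(VulnerableRouter router, address token, address victim, uint256 amount) external {
        router.execute(
            token,
            abi.encodeWithSelector(IERC20.transferFrom.selector, victim, msg.sender, amount)
        );
    }
}

/// Hardened router: external calls may only go to an owner-approved list of
/// venues (which must never include a token the router holds allowances for),
/// and tokens are pulled only from msg.sender, never from an address in calldata.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() {
        owner = msg.sender;
    }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function swapExact(address tokenIn, uint256 amountIn, address dex, bytes calldata dexCalldata) external {
        require(allowedTarget[dex], "target not allowed");
        require(dex != tokenIn, "cannot call token with arbitrary data");
        // The only transferFrom this router ever issues is from the caller itself.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        (bool ok, ) = dex.call(dexCalldata);
        require(ok, "dex call failed");
    }
}
```

The key check is not the whitelist on its own but the rule that a contract holding user allowances must never be steerable into calling transferFrom with a caller-chosen `from` address; restricting targets only helps if no approved token contract can end up on that list.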
The team announced on X that it had paid 610 ETH from its own revenue, worth more than $1 million at the time, to cover all losses of the affected users. It said it bought back and returned most of the exploited tokens, except for JOE and LMI, whose liquidity was too thin to buy back at scale; holders of those two tokens received the ETH equivalent plus 20% extra as compensation.
The team responded quickly to the incident and updated the router contract to close the hole. Since ERC-20 allowances granted to a router remain in force on-chain until revoked, a fix of this kind has to land in the contract users have already approved, or those users have to revoke the old approval themselves. The team also paused trading for tokens that have pools on other swap platforms, such as SushiSwap, ShibaSwap, and PancakeSwap on Ethereum. Moreover, it promised to make all affected users whole by buying back and returning the lost tokens rather than simply sending ETH.