Post Mortem: Telcoin

Project name: Telcoin

Project type: Token

Date of exploit: Dec 26th,2023

Asset loss: $1.25M

Vulnerability: un-initialized proxy contracts

Date of audit report publishing: 02/07/2022

Conclusion: Out of Audit Scope

Details of the Exploit

Background

The telcoin applied a proxy pattern for their wallet product, which involves CloneFactory, Cloneable Proxy and Beacon Proxy patterns.

Nature of the Vulnerability

The vulnerability stems from a bug in the proxy implementation of wallet contracts. The exploiter took advantage of this vulnerability in the wallet contracts and, by initializing them with vulnerable versions, was able to transfer the Telcoins held within those wallets.

CertiK Audit Overview

telcoin

Conclusion

On Dec 26th, 2023, Telcoin experienced a loss of ~$1.25M attack. The vulnerable contract is due to a vulnerability in the proxy implementation of wallet contracts.

CertiK Audited the token contracts of the telcoin. However, the exploit was due to the vulnerability in the proxy implementation of the wallet smart contracts, which is a different application from what CertiK has audited.

Reference

https://twitter.com/CertiKAlert/status/1739619921779408965 https://twitter.com/telcoin/status/1739582160053682597

Related Blogs

Reports ·Incident Analysis

Post Mortem: Hector Network

In light of the $2.7 million withdrawal incident from Hector Network's contract, we have gathered all the relevant information and are committed to maintaining transparency with the public.

Jan 17, 2024

Reports ·Incident Analysis

Post Mortem: Fintoch

On May 5th, 2023, the Fintoch was rugpulled, leading to a loss of ~$31.6M.

Jan 8, 2024

Reports ·Incident Analysis

Post Mortem: Sushiswap

On April 9th, 2023, the RouteProcessor2 in Sushiswap was exploited due to missing validation on the input with processRoute function. The total loss is around $ 3.3 M.

Jan 8, 2024