
Post Mortem: Telcoin


Project name: Telcoin

Project type: Token

Date of exploit: Dec 26th, 2023

Asset loss: $1.25M

Vulnerability: Uninitialized proxy contracts

Date of audit report publishing: 02/07/2022

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Telcoin applied a proxy pattern for its wallet product, which involves the CloneFactory, Cloneable Proxy and Beacon Proxy patterns.

Nature of the Vulnerability

The vulnerability stems from a bug in the proxy implementation of wallet contracts. The exploiter took advantage of this vulnerability in the wallet contracts and, by initializing them with vulnerable versions, was able to transfer the Telcoins held within those wallets.
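The following is an added example, not Telcoin's code and not part of the original report: a generic illustration of the uninitialized-proxy class named above, showing a wallet clone whose initializer can run only once and a factory that initializes each clone in the same transaction that deploys it. The `Wallet` and `WalletFactory` contracts and their function names are hypothetical; `Clones` and `Initializable` are assumed to come from OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";

// Hypothetical wallet logic contract. Clones delegate to it, so its constructor
// never runs against a clone's storage: clone state must be set by initialize().
contract Wallet is Initializable {
    address public owner;

    constructor() {
        // Lock the logic contract itself so it cannot be initialized directly.
        _disableInitializers();
    }

    // `initializer` allows this to run once per clone; a second call reverts.
    function initialize(address owner_) external initializer {
        require(owner_ != address(0), "owner required");
        owner = owner_;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Hypothetical factory for the wallet clones.
contract WalletFactory {
    address public immutable implementation;
    event WalletCreated(address indexed wallet, address indexed owner);

    constructor() {
        implementation = address(new Wallet());
    }

    // Weak pattern, for contrast: deploying with Clones.clone(implementation) and
    // stopping there leaves the clone ownerless until someone calls initialize().
    // Hardened pattern: deploy and initialize atomically, in one transaction.
    function createWallet(address owner_) external returns (address wallet) {
        wallet = Clones.clone(implementation);
        Wallet(wallet).initialize(owner_);
        emit WalletCreated(wallet, owner_);
    }
}
```

For already-deployed clones, reading `owner()` on every address emitted in `WalletCreated` and flagging any that return the zero address is a quick way to find instances that were never initialized.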

CertiK Audit Overview

telcoin

Conclusion

On Dec 26th, 2023, Telcoin was attacked, resulting in a loss of ~$1.25M. The attack was due to a vulnerability in the proxy implementation of the wallet contracts.

CertiK audited Telcoin's token contracts. However, the exploit was due to the vulnerability in the proxy implementation of the wallet smart contracts, which is a different application from the one CertiK audited.

Reference

https://twitter.com/CertiKAlert/status/1739619921779408965

https://twitter.com/telcoin/status/1739582160053682597
