In late October two of the most popular Telegram trading bots were exploited, leading to a total loss of $1.1 million. The two exploits happened within a week of each other, starting with the Maestro incident on 24 October, followed by the Unibot incident on 31 October. The vulnerability in both Maestro and Unibot allowed an attacker to steal users' pre-approved tokens. Both vulnerabilities lay within the projects' router contracts, which lacked the necessary permission and parameter checks, allowing the attacker to abuse users' token approvals.
Telegram bots have gained in popularity in 2023 due to the accessibility and easy-to-use interface they provide for interacting with crypto. The latest figures from Coin Market Cap show that Telegram bot tokens listed on the site currently have a combined market cap of $115 million. Users are able to create wallets, buy and sell assets and even deploy contracts. There have been many questions around the security of Telegram bots this year, with centralization risk factors such as private key storage being key concerns.
We have now seen two popular Telegram bot providers being exploited with the same vulnerability. The Maestro and Unibot smart contracts both contained a vulnerability that allowed an attacker to execute arbitrary code. This meant that the attackers could compel the vulnerable contracts to call transferFrom on users' approved tokens and transfer them to the attacker's address. Users who had approved the vulnerable Telegram bot contracts to trade ERC-20 tokens had their assets stolen.
According to CoinGecko the five most popular Telegram trading bots are Unibot, Mizar, Banana Gun, Maestro and Wagie Bot. Two out of the five platforms have experienced exploits over the past few months, with an additional project taking mitigating actions against a vulnerability. Whilst the storage of users' private keys remains a concern, vulnerabilities within the platforms' smart contracts are also risks that users need to take into account.
Both Maestro Bots and Unibot are Telegram bots that allow users to buy and sell tokens with a simple user interface from within Telegram, and both charge a 1% transaction fee for each successful transaction.
In order to use the bot, users must first approve it to spend (transfer) the token that they want to trade. The contract is then able to act on a user’s behalf when they interact with the buttons.
On 24 October, an attacker began transferring tokens out of Maestro users' wallets to an attack contract, where they were swapped for ETH. A vulnerability in the MaestroRouter contract allowed the attacker to make arbitrary external calls from the MaestroRouter contract. This meant they were able to use the transferFrom function to transfer any tokens that users had permitted the Maestro contract to transfer.
In a very similar incident, Unibot users lost approximately $640,000 due to a vulnerability in the Unibot router contract. This allowed the exploiter to arbitrarily call external token contracts, which meant that the attacker was able to call transferFrom on users' approved tokens. In total, these two vulnerabilities have led to a total loss of approximately $1.1 million.
Both the Maestro and Unibot contracts contained similar vulnerabilities. The following analysis is based on the MaestroRouter contract.
The vulnerability was due to the lack of access control on the function 0x9239127f() within the unverified MaestroRouter contract (0x8eae). This function, which has since been removed, did not perform any user permission or parameter checks.
The attacker was able to control varg0 as well as v3.data (both above), which allowed the attacker to call functions on contracts external to the Maestro contract, with the call appearing to come from the MaestroRouter. Below is an example of input data from one of the exploit transactions.
The data in the input breaks down as follows:
0xaaee1a9723aadb7afa2810263653a34ba2c21c7a: the MOG token address
23b872dd: the function selector for transferFrom(address,address,uint256)
0xd0b4ee02e9ba15b9dac916d2ccabad50f836b24d: the first parameter (from) of transferFrom, which is the address of the victim
0xe6c6e86e04de96c4e3a29ad480c94e7a471969ab: the second parameter (to) of transferFrom, which is the address of the attacker's attack contract
0x9bc1f1f2c7a6ab8124e04dbf: the third parameter (amount) of transferFrom, which is the number of tokens to transfer
In short, the attacker had the Maestro contract call transferFrom(), initiating a token transfer from victims to the attack contract. The transfers succeeded because users had approved the Maestro contract to spend their tokens in order to use the Telegram bot.
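To make the missing check concrete, the following added example (written for this analysis, not code from Maestro, Unibot or the article) rebuilds the transferFrom calldata from the fields listed in the breakdown above and applies the parameter check the router lacked: a forwarded transferFrom may only move tokens belonging to the account that called the router. The selectors for transfer and transferFrom are the standard ERC-20 ones; the calldata bytes are reconstructed from the listed fields, not copied from the transaction.

```python
# Added example: decode an ERC-20 call forwarded by a router and reject calls
# that spend another user's approval. Not the project's own code.
from typing import Optional

SELECTORS = {  # standard ERC-20 selectors
    "23b872dd": "transferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}

# Field values from the article's calldata breakdown.
MOG_TOKEN = "0xaaee1a9723aadb7afa2810263653a34ba2c21c7a"
VICTIM = "0xd0b4ee02e9ba15b9dac916d2ccabad50f836b24d"
ATTACK_CONTRACT = "0xe6c6e86e04de96c4e3a29ad480c94e7a471969ab"
AMOUNT = 0x9bc1f1f2c7a6ab8124e04dbf


def word(value) -> bytes:
    """ABI-encode an address (hex string) or uint256 (int) as a 32-byte word."""
    if isinstance(value, str):
        return bytes.fromhex(value[2:]).rjust(32, b"\x00")
    return value.to_bytes(32, "big")


def encode_transfer_from(src: str, dst: str, amount: int) -> bytes:
    return bytes.fromhex("23b872dd") + word(src) + word(dst) + word(amount)


def decode_erc20_call(data: bytes) -> dict:
    """Split calldata into selector + 32-byte words; an address is the low 20 bytes."""
    sel = data[:4].hex()
    words = [data[i:i + 32] for i in range(4, len(data), 32)]
    call = {"selector": sel, "function": SELECTORS.get(sel, "unknown")}
    if sel == "23b872dd" and len(words) == 3:
        call.update(src="0x" + words[0][12:].hex(), dst="0x" + words[1][12:].hex(),
                    amount=int.from_bytes(words[2], "big"))
    return call


def forwarded_call_violation(caller: str, target: str, data: bytes) -> Optional[str]:
    """The check the router should make before forwarding caller-supplied calldata.
    Returns a reason when the call must be rejected, None when it is acceptable."""
    call = decode_erc20_call(data)
    if call["selector"] == "23b872dd" and call.get("src", "").lower() != caller.lower():
        return f"transferFrom would spend {call.get('src')}'s approval on {target} for {caller}"
    if call["selector"] == "a9059cbb":
        return "transfer would move tokens held by the router itself"
    return None


# Reconstructed inner calldata of the exploit call described in the breakdown.
EXPLOIT_CALLDATA = encode_transfer_from(VICTIM, ATTACK_CONTRACT, AMOUNT)
```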
The attacker transferred multiple tokens, affecting 106 users. The stolen tokens were swapped for a total of approximately 280 ETH. A very similar attack flow took place against Unibot, with the exploiter swapping stolen tokens for 355.5 ETH.
With Telegram trading bots rising in popularity in 2023, many have questioned how secure these platforms are, with the majority of the concerns focusing on the management of users' private keys. However, $1.1 million has been lost in two Telegram trading bot exploits that took advantage of token approvals that users had granted to the platforms' contracts. Token approvals are an essential aspect of using decentralized applications and platforms; however, because an approval allows an address to perform actions on a user's behalf, this essential mechanism can be abused. To mitigate some of these risks, users should routinely check their approvals and revoke any that are no longer necessary.