Post Mortem: Telcoin
1/7/2024

Project name: Telcoin

Project type: Token

Date of exploit: Dec 26th, 2023

Asset loss: $1.25M

Vulnerability: uninitialized proxy contracts

Date of audit report publishing: 02/07/2022

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Telcoin applied a proxy pattern for its wallet product, which involves the CloneFactory, Cloneable Proxy and Beacon Proxy patterns.

Nature of the Vulnerability

The vulnerability stems from a bug in the proxy implementation of wallet contracts. The exploiter took advantage of this vulnerability in the wallet contracts and, by initializing them with vulnerable versions, was able to transfer the Telcoins held within those wallets.
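The general defence against the vulnerability class named above (uninitialized proxy contracts), as an added example that is not Telcoin's code and not part of the original post. It assumes OpenZeppelin's Initializable and Clones libraries and covers only the clone (minimal proxy) case; WalletLogic and WalletFactory are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical wallet logic contract used behind minimal-proxy clones.
contract WalletLogic is Initializable {
    address public owner;

    // Constructors do not run in a clone's storage context, so this only
    // locks the logic contract itself against direct initialization.
    constructor() {
        _disableInitializers();
    }

    // `initializer` allows exactly one successful call per clone;
    // any later call to initialize() reverts.
    function initialize(address owner_) external initializer {
        require(owner_ != address(0), "owner required");
        owner = owner_;
    }

    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hypothetical factory: the clone is created and initialized in the same
// transaction, so it never exists on-chain in an unowned state.
contract WalletFactory {
    address public immutable logic;

    event WalletCreated(address indexed wallet, address indexed owner);

    constructor(address logic_) {
        logic = logic_;
    }

    function createWallet(address owner_) external returns (address wallet) {
        wallet = Clones.clone(logic);
        WalletLogic(wallet).initialize(owner_);
        emit WalletCreated(wallet, owner_);
    }
}
```

When reviewing a deployment of this shape, check that every initialization path is guarded and that no upgrade or storage layout change can reset the initialized state of wallets that already hold funds.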

CertiK Audit Overview

Conclusion

On Dec 26th, 2023, Telcoin lost ~$1.25M in an attack. The loss was caused by a vulnerability in the proxy implementation of the wallet contracts.

CertiK audited Telcoin's token contracts. However, the exploit was due to the vulnerability in the proxy implementation of the wallet smart contracts, which is a different application from the one CertiK audited.

Reference

https://twitter.com/CertiKAlert/status/1739619921779408965
https://twitter.com/telcoin/status/1739582160053682597