Telcoin Suffers $1.2 Million Security Breach

Summary #

On December 25, 2023, Telcoin, experienced a security breach due to incorrect initialization of wallet contracts, which resulted from a mismatch between the actual implementation of the wallet and the corresponding proxy server, the attacker was able to transfer $TEL from user wallets for $1.2 million.

Attackers #

The identity of the hackers who attacked Telcoin is unknown.

Hacker ETH Wallets:

• 0x35d2775e5f95596509951b140d68fc5b9185ff98
• 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7

Losses #

Telcoin estimated the losses from the hack to be $1.2 million.

Timeline #

• 2023-12-25, 05:23:40 PM UTC: The first malicious transaction occurred.
• 2023-12-26, 04:14 AM UTC: The Telcoin team publicly issued an alert to users.
• 2023-12-26, 04:41 PM UTC: The Telcoin deployed a fix to stop further exploitation.
• 2024-01-10: Blocksec published a detailed analysis of the incident.

Security Failure Causes #

Smart contract vulnerability: The Telcoin wallet hack, was traced back to improper initialization of wallet contracts, stemming from a critical mismatch between the wallet’s implementation and its corresponding proxy contract. This vulnerability emerged from the complex interplay between CloneFactory, Cloneable Proxy, and Beacon Proxy design patterns, which, when combined incorrectly, the wallets were susceptible to unauthorized re-initialization and manipulation. The crux of the issue lay in the shared use of storage slot 0 by both the proxy and wallet contracts but for different purposes. The proxy used this slot for initialization flags, while the wallet contract used it for state management. This misalignment allowed the attacker to bypass the proxy’s initialization checks, reinitialize the Cloneable Proxy contracts, change the address of the Beacon contract, and subsequently transfer assets from the compromised wallets to their control. The exploitation hinged on the attacker’s ability to identify and target wallets with significant assets and minimal transaction history, exploiting the flawed logic through a sophisticated understanding of the contracts’ storage layout and initialization procedures. The Telcoin team’s response to this incident highlighted the importance of rigorous contract interaction testing and the need for a swift, coordinated security response to mitigate the impacts of such vulnerabilities.