Telcoin Suffers $1.2 Million Security Breach

Summary

On December 25, 2023, Telcoin experienced a security breach caused by incorrect initialization of wallet contracts, which resulted from a mismatch between the wallet's actual implementation and its corresponding proxy contract. The attacker was able to transfer $TEL worth $1.2 million out of user wallets.

Attackers

The identity of the hackers who attacked Telcoin is unknown.

Hacker ETH Wallets:

Losses

Telcoin estimated the losses from the hack to be $1.2 million.

Timeline

Security Failure Causes

Smart contract vulnerability: The Telcoin wallet hack was traced back to improper initialization of wallet contracts, stemming from a critical mismatch between the wallet's implementation and its corresponding proxy contract. The vulnerability emerged from the interplay between the CloneFactory, Cloneable Proxy, and Beacon Proxy design patterns, which, when combined incorrectly, left the wallets open to unauthorized re-initialization and manipulation.

The crux of the issue was that the proxy and wallet contracts both used storage slot 0, but for different purposes: the proxy used it for its initialization flag, while the wallet contract used it for state management. Because a proxy and the implementation it delegates to share a single storage space, this misalignment allowed the attacker to bypass the proxy's initialization check, re-initialize the Cloneable Proxy contracts, change the address of the Beacon contract, and subsequently transfer assets from the compromised wallets to addresses under their control.

The exploitation hinged on the attacker's ability to identify and target wallets with significant assets and minimal transaction history, and on a detailed understanding of the contracts' storage layout and initialization procedures. The Telcoin team's response to this incident highlighted the importance of rigorous contract-interaction testing and the need for a swift, coordinated security response to mitigate the impact of such vulnerabilities.
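As an added illustration, not Telcoin's actual code (the contract names, variable layout and slot labels are assumptions chosen to match the description above), the slot-0 collision next to a proxy that keeps its bookkeeping in unstructured storage so that no implementation layout can alias it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VULNERABLE (assumed, simplified layout): the proxy's re-init guard sits in slot 0,
// the same slot the wallet implementation uses for its nonce. The implementation runs
// via delegatecall in the proxy's storage, so every wallet write to slot 0 rewrites the guard.
contract CloneableProxyVulnerable {
    bool private initialized;   // slot 0, aliased by WalletImpl.nonce
    address public beacon;      // slot 1
    function initialize(address _beacon) external {
        require(!initialized, "already initialized");
        initialized = true;
        beacon = _beacon;
    }
    // fallback() delegating to IBeacon(beacon).implementation() omitted for brevity
}

contract WalletImpl {
    uint256 public nonce;                     // slot 0: aliases the proxy's guard
    mapping(address => bool) public isOwner;  // slot 1 base is never written directly,
                                              // so it does not clobber `beacon`
    function initialize(address owner) external {
        nonce = 0;               // clears slot 0: the proxy now reads "not initialized"
        isOwner[owner] = true;
    }
    function execute(address to, bytes calldata data) external {
        require(isOwner[msg.sender], "not owner");
        nonce++;                 // first use makes slot 0 non-zero again, which is why
        (bool ok, ) = to.call(data);   // only never-used wallets stay re-initializable
        require(ok, "call failed");
    }
}

// HARDENED: proxy bookkeeping lives in unstructured storage (EIP-1967 style) at
// keccak-derived slots that no declared variable layout can alias. Access control on
// initialize (factory only) is still required and is omitted here to keep the focus on storage.
contract CloneableProxyHardened {
    // constructed slot labels; production code uses the EIP-1967 constants
    bytes32 private constant INIT_SLOT = bytes32(uint256(keccak256("example.proxy.initialized")) - 1);
    bytes32 private constant BEACON_SLOT = bytes32(uint256(keccak256("example.proxy.beacon")) - 1);
    function initialize(address _beacon) external {
        bytes32 s = INIT_SLOT; bytes32 b = BEACON_SLOT;
        uint256 flag;
        assembly { flag := sload(s) }
        require(flag == 0, "already initialized");
        assembly { sstore(s, 1) sstore(b, _beacon) }
    }
}
```

A storage-layout diff between proxy and implementation (for example with the compiler's `--storage-layout` output) in CI catches this class of aliasing before deployment.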