Explained: The Telcoin Hack (December 2023)


Rob Behnke

January 1st, 2024


In December 2023, Telcoin was the victim of a hack. The platform suffered an exploit related to its mobile app that resulted in losses totaling an estimated $1.2 million.

Inside the Attack

Telcoin is a blockchain project that focuses on mobile-friendly solutions. In December 2023, an exploit was performed against the protocol’s Polygon wallet. After the hack was identified, the project froze transactions on its mobile app.

The attack was initially suspected to be related to a vulnerability in the Telcoin Wallet; however, an investigation determined that this was not the case. Instead, Telcoin pinpointed the issue as an error in the implementation of its proxy smart contract on the Polygon blockchain.

According to Telcoin’s report, the vulnerability primarily affected users who had not yet initiated a transaction on their platform. The exploiter took advantage of uninitialized contracts and, by initializing them with vulnerable versions, was able to transfer the Telcoins held within those wallets. After identifying the vulnerability, the Telcoin team deployed an update to the smart contract designed to fix the issue.

As a result of the hack, Telcoin users lost an estimated $1.2 million, and the value of $TEL tokens dropped by about 40%. However, the project has promised to make its users whole as part of its remediation plan.

Lessons Learned from the Attack

The Telcoin hack initially appeared to be related to the Telcoin Wallet; however, the actual problem was with proxy contracts deployed on Polygon. If the user had never initiated transactions, these contracts weren’t initialized either, providing an attacker with the opportunity to do so for malicious purposes.
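The defensive pattern for this class of bug, as an added example that is not Telcoin's code (the page does not publish the affected contracts): the logic contract locks its own initializer, and a factory deploys and initializes each wallet proxy in a single transaction. The contract names `WalletLogic` and `WalletFactory` are hypothetical, and the OpenZeppelin `Initializable` and `ERC1967Proxy` contracts are an assumed dependency.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical wallet logic contract; names are illustrative, not Telcoin's.
contract WalletLogic is Initializable {
    address public owner;

    // Lock the implementation itself so it can never be initialized directly.
    constructor() {
        _disableInitializers();
    }

    // Runs once per proxy; a second call reverts inside `initializer`.
    function initialize(address owner_) external initializer {
        require(owner_ != address(0), "owner required");
        owner = owner_;
    }

    function execute(address to, uint256 value, bytes calldata data) external returns (bytes memory) {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory ret) = to.call{value: value}(data);
        require(ok, "call failed");
        return ret;
    }

    receive() external payable {}
}

// Hypothetical factory: deploy and initialize in one transaction so that no
// proxy ever sits on-chain with an unset owner waiting for a first caller.
contract WalletFactory {
    address public immutable logic;
    event WalletCreated(address indexed wallet, address indexed owner);

    constructor(address logic_) {
        logic = logic_;
    }

    function createWallet(address owner_) external returns (address wallet) {
        bytes memory initData = abi.encodeCall(WalletLogic.initialize, (owner_));
        wallet = address(new ERC1967Proxy(logic, initData));
        emit WalletCreated(wallet, owner_);
    }
}
```

An audit scope that covers only `WalletLogic` would miss a factory that skips the `initData` step, which is why the proxy and deployment path need review alongside the logic contract.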

Telcoin’s contracts were previously audited; however, these audits did not include all of the project’s smart contracts. The proxy contracts were outside the scope of this initial audit, so the vulnerability exploited by the attacker went undetected. Now that the necessary fixes have been made, the proxy contracts are undergoing an audit before Telcoin releases them and initiates its recovery strategy.

The Telcoin hack underscores the importance of proactively performing a comprehensive security audit before launching smart contracts to the blockchain. If one aspect of a project is outside the scope of an audit, then an attacker may be able to exploit it and attack the project as a whole. In this case, an incomplete audit cost the project an estimated $1.2 million. For more information on smart contract security audits and how to ensure that your entire project is secure, get in touch with Halborn.