$16 Million Stolen in Curio Smart Contract Exploit

By Coinwaft Editorial

March 26, 2024 at 2:44 PM

Last updated: March 26, 2024 at 2:44 PM

Curio, a real-world asset liquidity firm, has fallen victim to a major smart contract exploit resulting in the loss of approximately $16 million worth of digital assets.

The exploit centered around a critical vulnerability that allowed an attacker to gain elevated voting power privileges and mint a staggering 1 billion Curio Governance (CGT) tokens.

Curio’s Response and the Root Cause of the Exploit

The company promptly alerted its community about the incident, stating that a MakerDAO-based smart contract used within the Curio platform was breached. However, they assured users that the exploit was isolated to the Ethereum side of their operations, with the Polkadot and Curio Chain contracts remaining secure.

An investigation by the Web3 security firm Cyvers revealed that the root cause was a “permission access logic vulnerability” related to voting power controls.

The attacker initially acquired a small number of CGT tokens, which gave them the ability to escalate their voting power illegitimately.

With this elevated status, the attacker carried out a series of actions culminating in the unauthorized minting of 1 billion new CGT tokens within the Curio DAO contract. This token-minting activity directly enabled the theft of $16 million in digital assets.

Compensation Plan and White Hat Bounty

In a detailed post-mortem report, Curio outlined their plan to compensate affected users and address the fallout. A new token, CGT 2.0, will be released, with a promise to fully restore funds for all existing CGT holders at a 1:1 ratio.

For liquidity providers impacted, Curio has devised a fund compensation program to be paid out in four 90-day stages using USDC and USDT stablecoins. This means liquidity providers may have to wait up to a year to receive their full compensation.

Additionally, Curio stated they will reward any “white hat” hackers who can aid in recovering the stolen funds, offering a bounty of 10% of the recovered amount in the initial recovery phase.

© 2025 Coinwaft. All Rights Reserved.
