Curio, a real-world asset (RWA) liquidity firm, recently suffered a smart contract exploit in which an attacker stole about $16 million in digital assets. The exploit stemmed from a critical vulnerability in the voting-power privileges of a MakerDAO-based smart contract used by Curio. The company quickly alerted its community about the incident and assured users that only the Ethereum side was affected, while the Polkadot and Curio Chain contracts remained secure.
Cyvers, a web3 security firm, estimated the losses at around $16 million and identified a “permission access logic vulnerability” as the cause. In response, Curio published a post-mortem report on March 25, outlining the details of the exploit and a compensation plan for affected users. According to the report, the flaw lay in the access control around voting-power privileges: by acquiring a small number of Curio Governance (CGT) tokens, the attacker was able to gain elevated voting power within the project’s smart contract.
With that elevated voting power, the attacker executed a series of steps that resulted in the unauthorized minting of 1 billion CGT. Curio assured users that all funds affected by the exploit would be returned, and announced a new token, CGT 2.0, intended to restore 100% of the funds for CGT holders.
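As an added illustration (an editor's example, not Curio's, MakerDAO's or Cyvers' code; the article does not describe the exact mechanism of the Curio flaw), the following Python model shows the general class of bug described above: a privileged action such as minting gated on a voting-power check that any token holder, however small their stake, can satisfy, beside a stake-weighted design that snapshots balances, requires a quorum against total supply and enforces a timelock. All names, balances and parameters are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class GovToken:
    """Minimal governance token ledger (constructed for this example)."""
    balances: dict = field(default_factory=dict)

    def total_supply(self) -> int:
        return sum(self.balances.values())

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, frm: str, to: str, amount: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableGovernance:
    """Bug class: the privilege check is boolean. Holding any nonzero amount of
    the governance token is treated as full authority, so a tiny purchase
    unlocks the mint path with no weighting, no quorum and no delay."""

    def __init__(self, token: GovToken):
        self.token = token

    def has_voting_power(self, addr: str) -> bool:
        return self.token.balances.get(addr, 0) > 0

    def execute_mint(self, caller: str, to: str, amount: int) -> None:
        if not self.has_voting_power(caller):
            raise PermissionError("caller has no voting power")
        self.token.mint(to, amount)


class HardenedGovernance:
    """Stake-weighted approval: weights are frozen in a balance snapshot at
    proposal time (so transferred tokens cannot vote twice), execution needs
    votes >= quorum_bps/10000 of the snapshot supply, and a timelock must pass."""

    def __init__(self, token: GovToken, quorum_bps: int = 5000, timelock_blocks: int = 10):
        self.token, self.quorum_bps, self.timelock_blocks = token, quorum_bps, timelock_blocks
        self.proposals: dict = {}

    def propose(self, to: str, amount: int, block: int) -> int:
        pid = len(self.proposals)
        self.proposals[pid] = {"to": to, "amount": amount, "created": block,
                               "snapshot": dict(self.token.balances),
                               "supply": self.token.total_supply(),
                               "votes": 0, "voted": set(), "executed": False}
        return pid

    def vote(self, pid: int, voter: str) -> int:
        p = self.proposals[pid]
        if voter in p["voted"]:
            raise ValueError("already voted")
        p["voted"].add(voter)
        p["votes"] += p["snapshot"].get(voter, 0)  # weight from snapshot, not live balance
        return p["votes"]

    def execute(self, pid: int, block: int) -> None:
        p = self.proposals[pid]
        if p["executed"]:
            raise PermissionError("already executed")
        if p["votes"] * 10_000 < p["supply"] * self.quorum_bps:
            raise PermissionError("quorum not reached")
        if block < p["created"] + self.timelock_blocks:
            raise PermissionError("timelock not elapsed")
        p["executed"] = True
        self.token.mint(p["to"], p["amount"])


def run_scenario() -> dict:
    """Replay the small-stake pattern against both designs (constructed data)."""
    def fresh_token() -> GovToken:
        t = GovToken()
        t.mint("treasury", 900_000)
        t.mint("holder_a", 90_000)
        t.mint("attacker", 10)  # a small, cheaply acquired stake
        return t

    vt = fresh_token()  # vulnerable: 10 tokens are enough to mint 1e9
    VulnerableGovernance(vt).execute_mint("attacker", "attacker", 1_000_000_000)

    ht = fresh_token()  # hardened: same stake, quorum fails, nothing is minted
    gov = HardenedGovernance(ht)
    pid = gov.propose("attacker", 1_000_000_000, block=100)
    gov.vote(pid, "attacker")
    try:
        gov.execute(pid, block=200)
        blocked = False
    except PermissionError:
        blocked = True
    return {"vuln_attacker": vt.balances["attacker"],
            "hardened_attacker": ht.balances["attacker"], "hardened_blocked": blocked}
```

The point of the snapshot in `HardenedGovernance` is that a holder cannot vote, move the same tokens to a second address and vote again; the quorum is measured against supply at proposal time so that a mint cannot inflate its own approval base, and the timelock gives other holders a window to react before a privileged action takes effect.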
For liquidity providers, Curio stated that a fund compensation program would run in four stages of 90 days each, so full repayment could take up to a year. Curio also said it would reward white hat hackers who help recover the stolen funds, offering 10% of the funds recovered during the initial recovery phase.
The incident is a reminder that governance and privileged-access logic in smart contracts deserves the same scrutiny as token transfer logic; companies and individuals should remain vigilant and take the necessary precautions to protect their digital assets.