Curio, a leading firm in real-world asset (RWA) liquidity, has recently fallen victim to a smart contract exploit. This breach, which involved a critical vulnerability related to voting power privileges, enabled the attacker to abscond with digital assets worth approximately $16 million.
Immediate Response and Assurance from Curio
Upon discovery of the exploit, Curio promptly notified its community and reassured them that measures were being taken to address the situation. The breach was traced back to a MakerDAO-based smart contract utilized within Curio’s operations.
Despite the severity of the exploit, Curio was quick to assure its users that the breach was confined to the Ethereum side of operations. All contracts on Polkadot and the Curio Chain were confirmed to be secure and unaffected by the exploit.
Estimated Losses and Nature of the Exploit
Web3 security firm Cyvers has estimated the losses from the exploit to be around $16 million. The firm identified the exploit as a “permission access logic vulnerability.”
Post-Mortem Report and Compensation Plan
On March 25, Curio released a detailed post-mortem report of the exploit, along with a compensation plan for the affected users. The report pinpointed the root cause of the problem – a flaw in the access control of voting power privileges.
The attacker acquired a small number of Curio Governance (CGT) tokens, which was enough, given the access control flaw, to gain access to the project's smart contract and elevate their voting power. With this elevated voting power, the attacker could execute arbitrary actions within the Curio DAO contract, leading to the unauthorized minting of 1 billion CGT.
Restitution and Future Measures
In the wake of the exploit, Curio has pledged to restore all affected funds. The team plans to release a new token, CGT 2.0, promising to restore 100% of the funds for CGT holders.
For liquidity providers, Curio has announced a fund compensation program. The compensation will be paid in four stages, each lasting 90 days, so full payment could span roughly one year. The team stated:
“The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools.”
In addition, Curio has announced a reward for white hat hackers who can aid in recovering the lost funds. Such hackers could receive a reward equivalent to 10% of the funds recovered in the initial recovery phase.