Curio, a project focused on facilitating liquidity from real-world assets for firms, has fallen victim to a smart contract exploit related to a vulnerability in voting power privileges.
Curio said it will conduct a fund compensation program for affected liquidity providers, which could potentially take up to one year to complete.
Curio Reports Smart Contract Exploit And Voting Vulnerability, Assures Users of Prompt Action and Security Measures
🚨ALERT🚨@curio_invest has experienced a $16M exploit involving a smart contract based on @MakerDAO within their ecosystem!
The exploit appears to stem from a permission access logic vulnerability. The attacker leveraged this vulnerability to mint an additional 1B $CGT.… https://t.co/xWvvYzrWaI pic.twitter.com/mdrKyV3t9U
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) March 25, 2024
According to the Web3 security firm Cyvers, the hack most likely occurred due to a vulnerability in the permissioned access logic. This vulnerability allowed the attacker to create an additional 1 billion CGT tokens, which in turn resulted in the hacker obtaining CGT tokens worth almost $16 million.
The Cyvers Alerts message comes after Curio warned the community about a smart contract exploit on March 23.
Community Alert: We've just been notified of a smart contract exploit within our ecosystem. Unfortunately, MakerDAO’s based Smart contract used within our ecosystem were exploited on the Ethereum side. We're actively addressing the situation and will keep you updated. Rest…
— Curio Ecosystem | Tokenize The World (@curio_invest) March 23, 2024
Curio notified its community of the exploit through a post on X and assured them that it is actively addressing the situation. It was revealed that a MakerDAO-based smart contract utilized within Curio was compromised.
They further assure users that only the smart contract on their Ethereum side was affected, and all contracts on Polkadot and the Curio Chain remained secure. The Curio Ecosystem team said,
“Unfortunately, MakerDAO-based Smart contracts used within our ecosystem were exploited on the Ethereum side. We’re actively addressing the situation and will keep you updated. Rest assured, all Polkadot side and Curio Chain contracts remain secure.”
On March 25, Curio released a post-mortem report on the exploit and a compensation plan for affected users. The report outlined that the issue stemmed from a voting power privilege access control flaw.
The attacker gained access to a few Curio Governance (CGT) tokens, enabling them to increase their voting power within the project’s smart contract. With the elevated voting power, the attacker executed a series of steps that allowed them to perform arbitrary actions within the Curio DAO contract, ultimately leading to the unauthorized minting of a large quantity of CGT tokens.
Curio Announces Recovery Plans and Compensation Program Following Exploit
🚀Exciting news! CurioDAO's recovery strategy from the recent exploit is underway. Here's what's happening:
– Swift Response: Our team acted immediately to contain the impact.
– Enhanced Security Measures: Implementing robust security protocols to prevent future incidents.
-…— Curio Ecosystem | Tokenize The World (@curio_invest) March 25, 2024
Following the exploit, Curio announced plans to reward white hat hackers who helped them recover the lost funds. The team stated that hackers could receive a reward equivalent to 10% of the funds recovered during the initial recovery phase.
The Curio team also stated that all funds affected by the attack would be returned to the affected parties. To facilitate this, the team announced the creation of a new token called CGT 2.0, which will be used to restore 100% of the funds for CGT holders.
Additionally, Curio outlined a fund compensation program for liquidity providers affected by the exploit. The compensation program will be conducted in four consecutive stages, each lasting 90 days.
During each stage, compensation will be paid in USDC or USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools. This staged approach suggests that total compensation may take up to one year to complete.
In February, losses due to hacks and scams decreased to around $67 million, approximately half the January figure. All attack vectors were related to the decentralized finance (DeFi) sector, while centralized platforms remained unaffected.
Most losses in February were attributed to hacks of the gaming platform PlayDapp and the decentralized exchange FixedFloat, which collectively lost $58.45 million. Additionally, cryptocurrency casino Duelbits suffered a loss of $4.6 million due to a compromised private key.