A coding flaw may have led to hackers exploiting the company’s servers
Real-world asset (RWA) liquidity firm Curio experienced a smart contract breach caused by a critical susceptibility linked to voting power privileges. The result was hackers swiping $16 million in digital currency from the platform.
The Curio community was warned of the breach, and the company emphasized that it was addressing the circumstances. Curio says that a MakerDAO-based smart contract used within its platform was breached. However, the company is ensuring users that the exploit was limited to Ethereum and that all Curio Chain and Polkadot contracts were unaffected.
🚨ALERT🚨@curio_invest has experienced a $16M exploit involving a smart contract based on @MakerDAO within their ecosystem!
The exploit appears to stem from a permission access logic vulnerability. The attacker leveraged this vulnerability to mint an additional 1B $CGT.… https://t.co/xWvvYzrWaI pic.twitter.com/mdrKyV3t9U
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) March 25, 2024
Cyvers, a Web3 security firm, estimates that Curio experienced about $16 million in losses from the exploit, which involved a “permission access logic vulnerability.”
Curio published a post-mortem of the breach on March 25, which included a compensation plan for affected customers. In its report, Curio highlighted that the issue was a flaw in access control for the voting power privilege.
The attacker used this to acquire several Curio Governance (CGT) tokens, giving them access to upgrade their voting power in the smart contract.
The elevated voting power allowed the attacker to perform a series of actions that eventually permitted them to execute arbitrary actions on Curio’s DAO contract, leading to the unauthorized minting of 1 billion CGT.
Curio stated in their report that all funds affected by the breach will be returned. A new token called CGT 2.0 is scheduled to be released, and the team promises to use the token to restore 100% of CGT holders’ lost funds.
Curio is also offering a reward to white hat hackers who can help it recover the lost funds. The company says they could receive the equivalent of 10% of funds rescued in the initial recovery phase.
Emma Rodriguez is the Proofreader at the Big Blind, with seven years of experience and five years in online gambling. She plays a crucial role in maintaining content quality by ensuring error-free, reader-friendly information about the gambling industry.
