Hacker Mints 1B Tokens in $16M Curio Smart Contract Exploit
Real-world asset (RWA) liquidation company Curio suffered a smart contract exploit involving a critical vulnerability related to voting rights that allowed an attacker to steal $16 million in digital assets.
Curio highlighted that they are addressing the situation by alerting the community to the exploitation. The company said the MakerDAO-based smart contract used in Curio was breached.
However, the company assured its users that the exploit only affected the Ethereum side and that all Polkadot and Curio chain contracts remained secure.
Cybersecurity, a Web3 security firm, estimated the losses from the exploit to be around $16 million. The security firm said the exploit included a “permission access logic vulnerability.”
On March 25, Curio published a postmortem of the exploit and a compensation plan for affected users. In the report, Curio highlighted that the problem was a flaw in the voting authority's access control.
By exploiting this flaw, the attacker first obtained a small number of Curio Governance (CGT) tokens, which gave them voting power in the project's smart contract that they could then leverage.
With that elevated voting power, the attacker carried out a series of actions that allowed them to execute arbitrary actions in the Curio DAO contract. This led to the unauthorized creation of 1 billion CGT.
In the report, Curio said it will return all the funds affected by the exploit. The group said it will release a new token called CGT 2.0 and, through the new token, promises to return 100% of the funds to CGT holders.
For liquidity providers, Curio said it will run a cash compensation program. The program is divided into four stages, each lasting 90 days, which means that full payment can take up to a year. They wrote:
“The compensation program consists of 4 consecutive stages, each of which lasts for 90 days. At each stage: compensation is paid in USDC/USDT, which is 25% of the losses in the liquid pools of the second token.”
The company has announced that it will reward white hat hackers who help recover the lost funds. The group stated that hackers can receive a reward equal to 10% of the funds earned during the first recovery phase.