Real-world asset (RWA) liquidity firm Curio experienced a smart contract exploit that resulted in the theft of $16 million in digital assets. Curio promptly notified its community about the incident and assured users that it was taking action to address the situation. The breach occurred in a MakerDAO-based smart contract used by Curio, specifically affecting the Ethereum side of its operations. However, the company emphasized that all Polkadot and Curio Chain contracts remained secure.
Cyvers, a web3 security firm, estimated the losses from the exploit to be approximately $16 million. According to their analysis, the exploit involved a vulnerability in the permission access logic of the smart contract.
In a post-mortem report and compensation plan released on March 25, Curio detailed a flaw in the voting-power privilege access control that allowed the attacker to take control of the contract. By acquiring a small number of Curio Governance (CGT) tokens, the attacker was able to increase their voting power within the project's smart contract. With this elevated voting power, the attacker executed a series of actions that led to the unauthorized creation of 1 billion CGT tokens.
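The report does not publish the contract code, so the following is an added, hypothetical simulation of this class of flaw, written for this page and not Curio's or MakerDAO's code. It contrasts a governance module whose voting-power check only proves that the caller holds some token (so any holder can assert any power and then pass a privileged mint) with a hardened version in which voting power is derived from stake actually locked in the contract and a mint needs a quorum of locked supply. The class names, balances, supply, threshold and quorum values are all constructed assumptions; the 1 billion mint figure is the one given in the report.

```python
"""Hypothetical simulation of a governance privilege-escalation of the class
described in Curio's post-mortem. Constructed for illustration; all names,
balances and thresholds are assumptions, not Curio's actual contract."""

TOTAL_SUPPLY = 100_000_000          # constructed sample supply
MINT_AMOUNT = 1_000_000_000         # size of the unauthorised mint in the report
QUORUM_BPS = 5_000                  # hardened rule: 50% of locked supply must back a mint


class NotAuthorized(Exception):
    pass


class VulnerableGovernance:
    """Voting power is a self-asserted number, gated only by 'holds any token'."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.voting_power = {}

    def claim_voting_power(self, caller, amount):
        # BUG: this proves membership, not stake. One token lets a holder assert any power.
        if self.balances.get(caller, 0) <= 0:
            raise NotAuthorized("must hold CGT")
        self.voting_power[caller] = amount

    def execute_mint(self, caller, to, amount):
        # The privileged action is gated on the self-asserted number above.
        if self.voting_power.get(caller, 0) < TOTAL_SUPPLY // 2:
            raise NotAuthorized("insufficient voting power")
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.balances[to]


class HardenedGovernance:
    """Voting power equals stake locked in the contract, and a mint must be
    backed by a quorum of all locked supply before it can execute."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.locked = {}
        self.proposals = {}
        self.next_id = 0

    def lock(self, caller, amount):
        if amount <= 0 or self.balances.get(caller, 0) < amount:
            raise NotAuthorized("cannot lock more than the caller holds")
        self.balances[caller] -= amount
        self.locked[caller] = self.locked.get(caller, 0) + amount

    def voting_power(self, account):
        return self.locked.get(account, 0)   # derived from locked stake, never asserted

    def propose_mint(self, caller, to, amount):
        if self.voting_power(caller) == 0:
            raise NotAuthorized("proposer must have locked stake")
        pid = self.next_id
        self.next_id += 1
        self.proposals[pid] = {"to": to, "amount": amount, "votes": {}, "done": False}
        return pid

    def vote(self, caller, pid):
        self.proposals[pid]["votes"][caller] = self.voting_power(caller)

    def execute(self, pid):
        p = self.proposals[pid]
        total_locked = sum(self.locked.values())
        backing = sum(p["votes"].values())
        if p["done"] or total_locked == 0 or backing * 10_000 < total_locked * QUORUM_BPS:
            raise NotAuthorized("quorum not reached")
        p["done"] = True
        self.balances[p["to"]] = self.balances.get(p["to"], 0) + p["amount"]
        return self.balances[p["to"]]


def attack_vulnerable():
    """Attacker holds a single CGT, asserts majority power, mints 1e9 to itself."""
    gov = VulnerableGovernance({"treasury": TOTAL_SUPPLY - 1, "attacker": 1})
    gov.claim_voting_power("attacker", TOTAL_SUPPLY)
    return gov.execute_mint("attacker", "attacker", MINT_AMOUNT)


def attack_hardened():
    """Same attacker against the stake-weighted, quorum-gated version."""
    gov = HardenedGovernance({"treasury": TOTAL_SUPPLY - 1, "attacker": 1})
    gov.lock("treasury", 10_000_000)   # honest stake locked by another party
    gov.lock("attacker", 1)
    pid = gov.propose_mint("attacker", "attacker", MINT_AMOUNT)
    gov.vote("attacker", pid)
    try:
        gov.execute(pid)
    except NotAuthorized as e:
        return str(e)
    return "mint executed"


if __name__ == "__main__":
    print("vulnerable: attacker balance after mint =", attack_vulnerable())
    print("hardened:", attack_hardened())
```

The point the simulation makes is that the privileged check must be on the quantity the attacker cannot cheaply manufacture (stake locked and counted against total supply), not on a flag that any token holder can satisfy. A real deployment would also snapshot balances at proposal time and put a timelock between a passed vote and execution, which this sketch omits.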
Curio stated in the report that they will return all funds affected by the exploit. They also announced the introduction of a new token called CGT 2.0, which will be used to restore 100% of the funds for CGT holders.
To compensate liquidity providers, Curio outlined a fund compensation program that will be implemented in four stages, each lasting 90 days. This means that full payment may take up to one year.
Additionally, Curio expressed their intention to reward white hat hackers who assist in recovering the lost funds. The team stated that hackers could receive a reward equivalent to 10% of the funds recovered during the initial recovery phase.