Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » Hacks » RWA liquidity firm Curio falls to $16m smart contract exploit

RWA liquidity firm Curio falls to $16m smart contract exploit

by

In response to the attack, the platform said it will be issuing a new version of CGT, its governance token.

a hacker orchestrating a smart contract exploit

Share this article

Curio, a real-world asset (RWA) liquidity firm, has fallen victim to a smart contract exploit that resulted in the unauthorized minting of 1 billion Curio Governance (CGT) tokens and an estimated loss of $16 million in digital assets.

The exploit was due to a critical vulnerability related to voting power privileges in a MakerDAO-based smart contract used within the Curio ecosystem.

According to Curio’s post-mortem report, the attacker exploited a flaw in the voting power privilege access control. By acquiring a small number of CGT tokens, the attacker gained elevated voting power within the project’s smart contract. This allowed the attacker to execute a series of steps, ultimately enabling arbitrary actions within the Curio DAO contract, leading to the unauthorized minting of 1 billion CGT tokens.

“The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools,” Curio stated in the report.

What are RWAs?

Real-world assets (RWAs) are tangible or intangible assets from the traditional financial world that can be tokenized on the blockchain, including physical assets like real estate and commodities, as well as financial assets such as equities and bonds. Tokenizing RWAs involves creating digital tokens that represent ownership rights, enabling enhanced liquidity, increased access, transparent management, and reduced transactional friction compared to traditional assets.

In the crypto industry, liquidity provision refers to the ease of converting an asset into cash without significantly affecting its price. Tokenizing RWAs allows for fractions of high-value assets to be traded efficiently 24/7 on digital exchanges, bypassing traditional intermediaries and facilitating fast, global transactions at scale. This streamlined process enhances liquidity by creating a secondary market for real-world investments, allowing tokens representing RWAs to be readily traded at any time, thus increasing liquidity in the market.

Attack Vector

Based on the post-mortem report, the attack vector exploited a vulnerability in the voting power privilege access control within the Curio DAO smart contract. The attacker managed to elevate their voting power by acquiring a small number of CGT tokens, which allowed them to execute arbitrary actions and mint 1 billion unauthorized CGT tokens.

From an information security perspective, this incident highlights the importance of thoroughly auditing and testing smart contracts for potential vulnerabilities, especially those related to access control and privilege management. Proper access control mechanisms should be implemented to prevent unauthorized elevation of privileges, even if an attacker acquires a small number of tokens.

Estimated losses

Web3 security firm Cyvers estimated the losses from the exploit to be around $16 million, attributing the breach to a “permission access logic vulnerability.” Curio assured its users that the exploit only affected the Ethereum side of their operations, while all Polkadot and Curio Chain contracts remained secure.

To address the situation and compensate affected users, Curio announced a plan to release a new token called CGT 2.0. The team promised to restore 100% of the funds for CGT holders using the new token. Additionally, Curio will conduct a fund compensation program for affected liquidity providers, which will be paid out in four stages over the course of one year, with each stage lasting 90 days.

Curio also announced that it would reward white hat hackers who assist in recovering the lost funds. Hackers who contribute to the initial recovery phase could receive a reward equivalent to 10% of the recovered funds.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.