Start Earning Up to 16% Interest Automatically

Learn More

RWA liquidity firm Curio falls to $16m smart contract exploit

In response to the attack, the platform said it will be issuing a new version of CGT, its governance token.

a hacker orchestrating a smart contract exploit

Share this article

Curio, a real-world asset (RWA) liquidity firm, has fallen victim to a smart contract exploit that resulted in the unauthorized minting of 1 billion Curio Governance (CGT) tokens and an estimated loss of $16 million in digital assets.

The exploit was due to a critical vulnerability related to voting power privileges in a MakerDAO-based smart contract used within the Curio ecosystem.

According to Curio’s post-mortem report, the attacker exploited a flaw in the voting power privilege access control. By acquiring a small number of CGT tokens, the attacker gained elevated voting power within the project’s smart contract. This allowed the attacker to execute a series of steps, ultimately enabling arbitrary actions within the Curio DAO contract, leading to the unauthorized minting of 1 billion CGT tokens.

“The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools,” Curio stated in the report.

What are RWAs?

Real-world assets (RWAs) are tangible or intangible assets from the traditional financial world that can be tokenized on the blockchain, including physical assets like real estate and commodities, as well as financial assets such as equities and bonds. Tokenizing RWAs involves creating digital tokens that represent ownership rights, enabling enhanced liquidity, increased access, transparent management, and reduced transactional friction compared to traditional assets.

In the crypto industry, liquidity provision refers to the ease of converting an asset into cash without significantly affecting its price. Tokenizing RWAs allows for fractions of high-value assets to be traded efficiently 24/7 on digital exchanges, bypassing traditional intermediaries and facilitating fast, global transactions at scale. This streamlined process enhances liquidity by creating a secondary market for real-world investments, allowing tokens representing RWAs to be readily traded at any time, thus increasing liquidity in the market.

Attack Vector

Based on the post-mortem report, the attack vector exploited a vulnerability in the voting power privilege access control within the Curio DAO smart contract. The attacker managed to elevate their voting power by acquiring a small number of CGT tokens, which allowed them to execute arbitrary actions and mint 1 billion unauthorized CGT tokens.

From an information security perspective, this incident highlights the importance of thoroughly auditing and testing smart contracts for potential vulnerabilities, especially those related to access control and privilege management. Proper access control mechanisms should be implemented to prevent unauthorized elevation of privileges, even if an attacker acquires a small number of tokens.

Estimated losses

Web3 security firm Cyvers estimated the losses from the exploit to be around $16 million, attributing the breach to a “permission access logic vulnerability.” Curio assured its users that the exploit only affected the Ethereum side of their operations, while all Polkadot and Curio Chain contracts remained secure.

To address the situation and compensate affected users, Curio announced a plan to release a new token called CGT 2.0. The team promised to restore 100% of the funds for CGT holders using the new token. Additionally, Curio will conduct a fund compensation program for affected liquidity providers, which will be paid out in four stages over the course of one year, with each stage lasting 90 days.

Curio also announced that it would reward white hat hackers who assist in recovering the lost funds. Hackers who contribute to the initial recovery phase could receive a reward equivalent to 10% of the recovered funds.

Share this article