Curio suffers a $16 million exploit as a result of a vulnerability in its voting-power mechanism.

Curio, a venture dedicated to enabling liquidity from tangible assets for businesses, has encountered a setback due to a smart contract exploit linked to vulnerabilities in its voting power mechanisms.

In response, Curio has announced its intention to launch a fund compensation initiative for liquidity providers affected by the exploit. However, the process is expected to be lengthy, with estimates suggesting it could extend up to one year for completion.

Curio has disclosed a smart contract exploit and a vulnerability in its voting mechanism, pledging swift action and enhanced security measures to reassure users.

According to Cyvers, a Web3 security company, the breach is believed to have stemmed from a flaw in the permissioned access logic. This flaw enabled the attacker to mint an extra 1 billion CGT tokens, thereby acquiring CGT tokens valued at nearly $16 million.

The Cyvers Alerts notification follows Curio’s community warning regarding a smart contract exploit issued on March 23.

Curio informed its community about the exploit via a post on platform X, assuring them of active efforts to rectify the situation. It was disclosed that a MakerDAO-based smart contract used within Curio had been compromised.

Additionally, they reassured users that only the Ethereum-based smart contract was impacted, with all contracts on Polkadot and the Curio Chain remaining unaffected. The Curio Ecosystem team stated:

“Unfortunately, MakerDAO-based Smart contracts used within our ecosystem were exploited on the Ethereum side. We’re actively addressing the situation and will keep you updated. Rest assured, all Polkadot side and Curio Chain contracts remain secure.”

On March 25, Curio issued a post-mortem report concerning the exploit and unveiled a compensation strategy for impacted users. The report delineated that the root cause of the problem lay in a flaw in the access control mechanism governing voting power privileges.

The perpetrator managed to acquire a limited number of Curio Governance (CGT) tokens, thus augmenting their voting authority within the project’s smart contract. Leveraging this heightened voting power, the attacker orchestrated a sequence of maneuvers enabling them to undertake arbitrary actions within the Curio DAO contract, culminating in the illicit creation of a substantial volume of CGT tokens.

Curio unveils its recovery strategies and outlines a compensation initiative in the wake of the exploit.

Following the exploit, Curio announced its intention to reward white hat hackers who aided in the recovery of the lost funds. The team specified that these hackers may receive a reward equal to 10% of the funds recovered during the initial phase of recovery.

Furthermore, Curio affirmed that all funds affected by the attack would be returned to the affected parties. To facilitate this, they introduced a new token named CGT 2.0, which will be utilized to fully restore the funds for CGT holders.

Additionally, Curio outlined a compensation program for liquidity providers affected by the exploit. This program will be executed in four consecutive stages, each spanning 90 days. Throughout each stage, compensation will be disbursed in USDC or USDT, covering 25% of the losses incurred by the second token in the liquidity pools. This phased approach indicates that complete compensation may require up to one year to finalize.

In February, losses stemming from hacks and scams decreased to approximately $67 million, nearly half of the January total. Notably, all attack vectors were associated with the decentralized finance (DeFi) sector, while centralized platforms remained unaffected.

The bulk of the losses in February were attributed to hacks of the gaming platform PlayDapp and the decentralized exchange FixedFloat, resulting in a combined loss of $58.45 million. Additionally, the cryptocurrency casino Duelbits experienced a loss of $4.6 million due to a compromised private key.
