A hacker exploits a Curio smart contract, generating 1 billion tokens valued at 16 million Dollars

Crypto News– Curio, a firm specializing in real-world asset (RWA) liquidity, found itself embroiled in a significant security breach when a smart contract exploit surfaced, resulting in the loss of $16 million worth of digital assets. The exploit, stemming from a critical vulnerability related to voting power privileges within a MakerDAO-based smart contract utilized by Curio, sent shockwaves through the community and prompted an urgent response from the company. While the breach specifically impacted the Ethereum side of Curio’s operations, the integrity of its Polkadot and Curio Chain contracts remained intact, offering some relief amid the crisis.

A hacker exploits a Curio smart contract, generating 1 billion tokens valued at 16 million Dollars

In the wake of the exploit, Curio swiftly informed its user base about the incident and reassured them of its commitment to addressing the issue with utmost urgency and transparency. However, the severity of the situation became apparent as cybersecurity firm Cyvers estimated the total losses stemming from the exploit to be approximately $16 million, attributing the breach to a critical permission access logic vulnerability.

🚨ALERT🚨@curio_invest has experienced a $16M exploit involving a smart contract based on @MakerDAO within their ecosystem!

The exploit appears to stem from a permission access logic vulnerability. The attacker leveraged this vulnerability to mint an additional 1B $CGT.… https://t.co/xWvvYzrWaI pic.twitter.com/mdrKyV3t9U

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) March 25, 2024

To mitigate the fallout from the breach, Curio took decisive action by releasing a detailed post-mortem report, outlining the specifics of the exploit and unveiling a comprehensive compensation plan for affected users. The report shed light on the underlying flaw in the voting power privilege access control mechanism, which allowed the attacker to manipulate Curio Governance (CGT) tokens, ultimately leading to the unauthorized minting of a staggering 1 billion CGT.

The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools.

Curio Chain

In response to the breach, Curio made a firm commitment to fully reimburse all affected parties for their losses. The company announced the introduction of CGT 2.0, a new token aimed at restoring 100% of funds for CGT holders impacted by the exploit. Additionally, Curio pledged to initiate a fund compensation program tailored to liquidity providers, which would unfold over four stages spanning 90 days each, potentially culminating in a year-long endeavor to ensure full restitution.