Curio, a real-world asset (RWA) liquidity firm, has reportedly fallen victim to a smart contract exploit that resulted in the theft of $16 million worth of digital assets. The breach was related to a critical vulnerability concerning voting power privileges, which allowed the attacker to carry out the theft. Curio promptly notified its community about the incident and assured them that the breach only impacted Ethereum-related contracts, with contracts related to Polkadot and the Curio Chain remaining secure. An estimate by cybersecurity firm Cyvers suggests that the losses from the exploit amount to approximately $16 million. The firm characterized the exploit as a “permission access logic vulnerability.”
Curio has since published a post-mortem report detailing the exploit and its plan to compensate affected users. The report revealed that the breach occurred due to a flaw in the access control of voting power privileges. By acquiring a small number of Curio Governance (CGT) tokens, the attacker gained elevated voting power within the smart contract and executed a series of actions that ultimately resulted in the unauthorized minting of 1 billion CGT tokens. Curio pledged to return all the funds affected by the exploit and announced the creation of a new token called CGT 2.0, which will ensure the full restoration of funds for CGT holders.
To compensate liquidity providers, Curio outlined a four-stage fund compensation program, with each stage lasting 90 days. This implies that the complete payment process may take up to one year. During each stage, compensation will be paid in USDC/USDT, equivalent to 25% of the losses incurred by the second token in the liquidity pools. Curio expressed its intention to reward white hat hackers who assist in recovering the stolen funds. These hackers may receive a reward amounting to 10% of the funds recovered in the initial recovery phase.
The company’s objective is to rectify the consequences of the exploit, ensure full compensation for affected users, and prevent similar incidents from occurring in the future. It has taken immediate action to mitigate the situation, address the vulnerability, and implement corrective measures. Curio remains committed to the security of its platform and will continue working towards providing a safe environment for its community and stakeholders.
It’s nice that they want to prevent future incidents, but they should have prioritized security from the start! 🤦♀️🚧