A recent cyberattack on Curio, a company specializing in liquidity solutions for real-world assets, resulted in the loss of $16 million in cryptocurrency. The security failure occurred within a MakerDAO-based smart contract that Curio used. The attacker exploited a flaw in the contract's voting power feature, allowing unauthorized access and subsequent theft of funds. Curio has informed its community about the breach and has taken steps to manage the aftermath.
Details on the Smart Contract Security Breach
Curio assured its stakeholders that only Ethereum-based contracts were impacted, with Polkadot and Curio Chain operations remaining unaffected. Cyvers, a Web3 security company, identified the exploited vulnerability as a flaw in permission access logic. According to their analysis, the financial damage is estimated to be around $16 million.
The breach allowed the hacker to obtain a small quantity of Curio Governance Tokens (CGT), manipulate the smart contract to increase their voting power, and ultimately mint 1 billion illegitimate CGT. On March 25th, Curio dissected the event and proposed a plan to reimburse impacted parties.
Curio’s Response and Compensation Strategy
In response to the attack, Curio has pledged to refund all affected funds and introduced a new token, CGT 2.0, which aims to fully restore the value for CGT holders. Additionally, a compensation fund program for liquidity providers has been established, with repayments structured in four 90-day phases. This approach indicates that complete reimbursement could extend over one year. Curio also incentivized white-hat hackers to assist in recapturing the stolen funds, offering a reward of 10% of the recovered sum during the first stage of the recovery effort.