Curio Falls Victim to $16 Million Exploit Due to Voting Power Vulnerability
Curio, a project that aims to facilitate liquidity from real-world assets for firms, has been targeted by a smart contract exploit that is linked to a vulnerability in voting power privileges.
To address the issue, Curio has announced that it will be implementing a fund compensation program for affected liquidity providers. However, this program may take up to one year to complete.
The hack was likely the result of a vulnerability in the permissioned access logic, according to Web3 security firm Cyvers. This vulnerability allowed the attacker to mint an additional 1 billion CGT tokens, worth nearly $16 million.
Curio had previously alerted its community to the smart contract exploit on March 23. The project assured its users that it was actively working to resolve the situation, and clarified that only the smart contract on the Ethereum side was affected, with all contracts on Polkadot and the Curio Chain remaining secure.
A post-mortem report on the exploit and a compensation plan for affected users were released by Curio on March 25. The report revealed that the issue stemmed from a flaw in the voting power privilege access control. The attacker gained access to a few Curio Governance (CGT) tokens, which allowed them to increase their voting power and execute actions within the Curio DAO contract, ultimately leading to the unauthorized minting of a large amount of CGT tokens.
In response to the exploit, Curio has announced plans to reward white hat hackers who assisted in recovering the lost funds. The team has stated that these hackers may receive a reward equivalent to 10% of the recovered funds during the initial recovery phase.
Furthermore, all funds affected by the attack will be returned to the affected parties. To facilitate this, Curio will introduce a new token called CGT 2.0, which will be used to restore 100% of the funds for CGT holders.
Curio has also outlined a fund compensation program for liquidity providers impacted by the exploit. This program will be carried out in four stages, each lasting 90 days. During each stage, compensation will be paid in USDC or USDT, covering 25% of the losses incurred in the second token of the liquidity pools. It is estimated that the entire compensation process may take up to one year to complete.
In February, losses due to hacks and scams in the cryptocurrency industry decreased to approximately $67 million, which is roughly half of the amount recorded in January. All of the attack vectors were related to the decentralized finance (DeFi) sector, while centralized platforms remained unaffected.
The majority of the losses in February were attributed to hacks of the gaming platform PlayDapp and the decentralized exchange FixedFloat, which collectively lost $58.45 million. Additionally, cryptocurrency casino Duelbits suffered a loss of $4.6 million due to a compromised private key.