Curio, a real-world asset (RWA) liquidity firm, recently experienced a smart contract exploit that resulted in the theft of $16 million in digital assets. The exploit stemmed from a critical vulnerability in the handling of voting power privileges. Curio promptly informed its community about the incident and reassured users that only the Ethereum side of its operations was affected, with all Polkadot and Curio Chain contracts remaining secure.
Cyvers, a web3 security firm, estimated the losses from the exploit to be around $16 million. According to the firm, the exploit was due to a “permission access logic vulnerability.”
In a post-mortem report and compensation plan released on March 25, Curio explained that the flaw lay in the voting power privilege access control. The attacker managed to obtain a small number of Curio Governance (CGT) tokens, which allowed them to increase their voting power within the project’s smart contract.
Using this elevated voting power, the attacker executed a series of actions that resulted in the unauthorized minting of 1 billion CGT. Curio assured its users that all the funds affected by the exploit would be returned. To achieve this, the company planned to introduce a new token called CGT 2.0, through which they promised to restore 100% of the funds for CGT holders.
Curio also outlined a fund compensation program for liquidity providers, to be paid out in four stages, each lasting 90 days. This means that full payment could potentially take up to one year to complete. Additionally, Curio announced that it would reward white hat hackers who assisted in recovering the lost funds, offering them a reward equivalent to 10% of the funds recovered during the initial recovery phase.