Hacker mints 1B tokens in $16M Curio smart contract exploit
Real-world asset (RWA) liquidity firm Curio suffered a smart contract exploit involving a critical vulnerability related to voting power privileges, allowing the attacker to steal $16 million in digital assets.
Curio alerted its community of the exploit and highlighted that they are addressing the situation. The company said that a MakerDAO-based smart contract used within Curio was breached.
However, the company assured its users that the exploit only affected the Ethereum side and that all Polkadot and the Curio Chain contracts remained secure.
Web3 security firm Cyvers estimated that the losses from the exploit are about $16 million. The security firm said the exploit involved a “permission access logic vulnerability.”
On March 25, Curio published a post-mortem of the exploit and a compensation plan for affected users. Within the report, Curio highlighted that the problem was a flaw in the voting power privilege access control.
With this, the attacker acquired a small number of Curio Governance (CGT) tokens, allowing them to gain access and elevate their voting power in the project’s smart contract.
With the elevated voting power, the attacker performed a series of steps that ultimately allowed the execution of arbitrary actions within the Curio DAO contract. This led to the unauthorized minting of 1 billion CGT.
In the report, Curio said all the funds affected in the exploit will be returned. The team said it would release a new token called CGT 2.0. With the new token, the team promised to restore 100% of the funds for CGT holders.
Related: Hacker moves $10M from 2023 phishing incident to Tornado Cash
For liquidity providers, Curio said that it will conduct a fund compensation program. The team said it will be paid in four stages, with each stage lasting 90 days. This could mean that full payment could potentially take one year. They wrote:
“The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools.”
The company also said that it would reward white hat hackers who can help in recovering the lost funds. The team said that hackers could receive a reward equivalent to 10% of funds recovered in the initial recovery phase.
Magazine: ‘Am I sorry? No’ — 3AC founder. $6B BTC laundered for fast food worker: Asia Express
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Ethereum Crosses $3,400 as WFL Makes Second Major ETH Investment
Ripple CEO Reveals the Truth About the Amount of XRP on the Company's Balance Sheet
Tether to Build 70-Story Skyscraper in El Salvador, Symbol of Prosperity
Tech giants bounce back after AI disruption, S&P 500 nears record high
Share link:In this post: Last week, the largest tech firms in the US experienced huge challenges from Chinese AI, DeepSeek. Apple and Meta reported positive results, boosting the S&P 500. The Magnificent Seven’s price-to-earnings ratio is now 31.
Trending news
MoreCrypto prices
More
