Curio, a real-world asset (RWA) liquidity firm, suffered a significant smart contract exploit that resulted in the theft of roughly $16 million in digital assets. Curio promptly alerted its community and assured users that only the Ethereum side was affected, with the Polkadot and Curio Chain contracts remaining secure. Cyvers, a web3 security firm, put the losses at $16 million and identified a critical vulnerability in the project's voting power privileges as the root cause of the exploit.
In response to the breach, Curio swiftly published a post-mortem report outlining the details of the exploit and introduced a compensation plan for affected users. The report attributed the incident to a flaw in the access control around voting power privileges: an attacker holding only a small number of Curio Governance (CGT) tokens was able to obtain elevated voting power within the project's smart contract. That elevated voting power let the attacker execute arbitrary actions through the contract, including the unauthorized minting of 1 billion CGT.
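The post-mortem does not publish the affected code, so the following is an added, hypothetical Solidity illustration of the vulnerability class it describes, not Curio's contracts. It places a governor whose only privilege check is "holds any governance token" next to one that gates execution on a supply-relative vote threshold and a timelock. The interface name `IGovToken`, the contract names, the `mint` function, and the 40% quorum and 2-day timelock values are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not Curio's code. Models the class of flaw the
// post-mortem describes: a privileged action gated only on holding *some*
// governance tokens, next to a version gated on a supply-relative threshold
// plus a timelock.

interface IGovToken {
    function balanceOf(address a) external view returns (uint256);
    function totalSupply() external view returns (uint256);
    function mint(address to, uint256 amount) external; // assumed: the governor is the minter
}

/// Weak pattern: any holder of the governance token, however small the
/// balance, may route arbitrary calls through the governor, including mint().
contract WeakGovernor {
    IGovToken public immutable token;

    constructor(IGovToken t) { token = t; }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        // Flaw: "has voting power" is tested as "balance > 0". A tiny purchase
        // satisfies it, so the check hands elevated privileges to any holder.
        require(token.balanceOf(msg.sender) > 0, "no voting power");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened pattern: execution requires (1) a proposal whose votes reach a
/// quorum share of total supply, and (2) a timelock so the community can
/// see and react to a pending action before it lands.
contract ThresholdGovernor {
    IGovToken public immutable token;
    uint256 public constant QUORUM_BPS = 4000;  // 40% of total supply (assumed policy value)
    uint256 public constant TIMELOCK = 2 days;  // assumed policy value

    struct Proposal {
        address target;
        bytes data;
        uint256 votes;
        uint256 readyAt;   // 0 until quorum is reached
        bool executed;
        mapping(address => bool) voted;
    }

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    constructor(IGovToken t) { token = t; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target;
        p.data = data;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.target != address(0), "no such proposal");
        require(!p.voted[msg.sender], "already voted");
        uint256 weight = token.balanceOf(msg.sender);
        require(weight > 0, "no voting power");
        p.voted[msg.sender] = true;
        p.votes += weight;
        // Threshold is relative to total supply, so a small holder cannot
        // reach it alone. Once reached, the timelock starts.
        if (p.readyAt == 0 && p.votes * 10_000 >= token.totalSupply() * QUORUM_BPS) {
            p.readyAt = block.timestamp + TIMELOCK;
        }
    }

    function execute(uint256 id) external returns (bytes memory) {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        p.executed = true;
        (bool ok, bytes memory ret) = p.target.call(p.data);
        require(ok, "call failed");
        return ret;
    }
}
```

Two points a reviewer would check in the hardened form. First, the threshold is compared against `totalSupply()` rather than against a fixed count, so the privilege cannot be reached by a holder of a small absolute balance. Second, `vote` here still weighs the live `balanceOf`, which lets the same tokens be transferred to another address and voted again; a production governor should read a checkpointed balance (for example OpenZeppelin's ERC20Votes `getPastVotes`) taken at the proposal's snapshot block, and the timelock is what gives the community a window to detect and respond to a malicious proposal that does pass.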
Curio reassured users that all funds affected by the exploit would be returned, announcing the release of a new token called CGT 2.0. Additionally, the company pledged to restore 100% of the funds for CGT holders and initiated a fund compensation program for liquidity providers. The compensation program will be conducted in four stages, each lasting 90 days, potentially taking one year to complete. Curio also incentivized white hat hackers to assist in recovering lost funds, offering rewards equivalent to 10% of the funds recovered during the initial recovery phase.