Curio, a real-world asset (RWA) liquidity company, fell victim to a critical smart contract vulnerability, resulting in the theft of $16 million in digital assets. The company promptly notified the community of the incident and assured users that they are actively working to address the issue. The vulnerability was identified in the MakerDAO-based smart contracts utilized by Curio, affecting the Ethereum side of operations, while contracts on Polkadot and Curio Chain remained unaffected.
Web3 security firm Cyvers estimated the cost of the vulnerability at approximately $16 million, attributing it to a flaw in the privileged access logic. Curio released a postmortem report detailing the vulnerability and outlined a compensation plan for affected users. The vulnerability stemmed from a flaw in privileged access controls for voting rights, allowing attackers to gain unauthorized access and manipulate Curio's DAO contracts.
Exploiting the flaw, the attacker acquired Curio Governance (CGT) tokens, escalating their voting power within the project's smart contracts. Subsequently, the attacker executed actions that led to the unauthorized minting of 1 billion CGT tokens. However, Curio reassured users that all affected funds would be returned. To achieve this, the team plans to introduce a new token, CGT 2.0, and ensure the full restoration of funds for CGT holders.
Furthermore, Curio outlined a compensation plan for liquidity providers, spanning four phases over 90 days each, with payments made in USDC/USDT equivalent to 25% of the loss incurred in the liquidity pool's second token. This phased approach to compensation indicates that full reimbursement may take up to a year to complete. Additionally, Curio expressed its intention to reward white hat hackers who assist in recovering lost funds, offering a reward equivalent to 10% of the recovered funds during the initial recovery phase.



















