Curio, a project focused on facilitating liquidity from real-world assets for firms, recently experienced a smart contract exploit related to a vulnerability in voting power privileges. This exploit allowed an attacker to mint an additional 1 billion CGT tokens, resulting in almost $16 million worth of tokens being obtained. The hack most likely occurred due to a vulnerability in the permissioned access logic within the smart contract. Curio has assured its community that it is actively addressing the situation and that all contracts on Polkadot and the Curio Chain remained secure despite the exploit.
After notifying its community of the exploit, Curio released a post-mortem report outlining the issue as stemming from a voting power privilege access control flaw. The attacker gained access to Curio Governance (CGT) tokens, enabling them to increase their voting power within the project’s smart contract. This elevated voting power allowed the attacker to execute actions within the Curio DAO contract, ultimately leading to the unauthorized minting of a large quantity of CGT tokens. Curio also announced plans to reward white hat hackers who assisted in recovering the lost funds and to return all funds affected by the attack to the affected parties through the creation of a new token called CGT 2.0.
In response to the exploit, Curio revealed a compensation program for liquidity providers affected by the hack, which will be conducted in four stages, each lasting 90 days. During each stage, compensation will be paid in USDC or USDT equivalent to 25% of the losses incurred by the affected token in the liquidity pools. This staged approach indicates that the total compensation process may take up to one year to complete. The project is also implementing enhanced security measures to prevent future incidents and is working on a recovery strategy from the exploit to mitigate the impact on affected users.
In February, losses due to hacks and scams decreased to around $67 million, which was approximately half the figure reported in January. The majority of the losses in February were related to the decentralized finance (DeFi) sector, with centralized platforms remaining unaffected. The largest losses were attributed to hacks of the gaming platform PlayDapp and the decentralized exchange FixedFloat, collectively losing $58.45 million. Additionally, cryptocurrency casino Duelbits suffered a loss of $4.6 million due to a compromised private key. Despite the decrease in losses compared to January, security vulnerabilities in the DeFi sector continue to pose risks to users and platforms.
