
Curio: The $16M Ethereum Exploit Unveiled

Curio's $16M Ethereum Exploit Fallout: Retiring CGT Token, Two-Stage Compensation Plan, Smart Contract Security Revamp, and the Ongoing Debate Over In-House vs. External Audits

TL;DR

Spring's bloom turned sour for Curio as a $16 million exploit shook their Ethereum playground, leading to the retirement of their original CGT token. Now, amidst whispers of cross-chain financial maneuvers, CurioDAO unveils a two-stage compensation plan and vows a smart contract security overhaul. Dive into the drama!

Curio’s Ethereum smart contract, a fork of MakerDAO’s governance code, was compromised, resulting in a $16 million loss caused by a critical flaw in its voting power privileges.

Curio was the first to report that the breach was confined to the Ethereum ecosystem, assuring that all Polkadot and Curio Chain contracts remain unaffected.

The attack went beyond basic governance manipulation, involving complex financial maneuvers with token swaps and cross-chain transfers.

The perpetrator still holds 996 billion CGT tokens. Due to CGT's limited market liquidity, estimating the full extent of the damage is challenging.

Is this just the beginning of a turbulent season for digital assets?

Over the spring weekend, the Curio Ecosystem, renowned for bridging traditional finance and decentralized finance through tokenized real-world assets, experienced a significant setback with a $16 million breach.

On March 23, 2024, the CurioDAO Association disclosed that their voting protocol had been exploited through a smart contract forked from MakerDAO’s code.

Cybersecurity firm Hacken provided a detailed analysis of the breach, revealing that the attack was initiated through the "cook" function of an attacker-deployed exploit contract.

This function manipulated the "IDSChief" and "IDSPause" contracts, enabling the attacker to carry out governance manipulation and mass token minting.

The attacker exploited this vulnerability by acquiring a small number of CGT tokens and using them to increase their voting power within the project's governance contract. By locking these tokens and voting, they were able to execute a delegate call to a malicious contract. The breach went beyond minting tokens and manipulating governance: it also involved token swaps and cross-chain transfers, likely designed to obscure the origin of the minted tokens.

The attacker’s address and transaction details are:

  • Attacker Address: 0xdaAa6294C47b5743BDafe0613d1926eE27ae8cf5

  • Attacker Transaction: 0x4ff4028b03c3df468197358b99f5160e5709e7fce3884cc8ce818856d058e106

Despite the breach, CurioDAO assured that the impact was confined to the Ethereum side of their technology stack. On March 25, CurioDAO outlined an exploit recovery strategy that includes a two-stage compensation plan:

  1. The issuance of a new token, CGT 2.0, to replace the current CGT token susceptible to exploits.

  2. A funds compensation program linked to the new token in liquidity pools, which will unfold in four consecutive stages, each lasting 90 days.

CurioDAO plans to develop and deploy a patch to address the vulnerability in the voting power privilege access control. This patch will undergo rigorous testing to ensure it effectively mitigates similar exploits in the future. Additionally, CurioDAO intends to enhance smart contract security through stricter access controls, comprehensive code audits, and additional layers of security validation.
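The two points above, that a small token lock was enough to gain governance authority and that stricter access control in the voting module is the proposed fix, can be illustrated with a toy model of a DSChief/DSPause-style governance pair. The code below is an added example written for this article in Python; it is not Curio's, MakerDAO's or Hacken's code, and it does not claim to reproduce the actual flaw in Curio's contract. The class and function names (Chief, Pause, lift, plot, simulate), the quorum and delay parameters, and the constructed supply of 1,000,000 tokens are assumptions of the model. It shows how far a single voter with a given stake gets under the relative "beat the incumbent" lift rule alone, and what a quorum floor plus an execution delay changes.

```python
"""Toy model of a chief/pause governance pair (constructed example, not any project's code).

Two configuration knobs are compared:
  * quorum_bps: minimum approvals, in basis points of total supply, that a
    candidate needs before it can become the authority ("hat"); 0 disables it
    and leaves only the relative rule "candidate beats the incumbent".
  * delay: timelock in seconds between scheduling an action and being able
    to execute it; 0 means an authority can act immediately.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

TOTAL_SUPPLY = 1_000_000   # constructed governance-token supply for the model
DAY = 24 * 60 * 60


@dataclass
class Chief:
    """Elects a single authority address (the 'hat') by locked-token approval."""
    quorum_bps: int = 0
    hat: Optional[str] = None
    deposits: Dict[str, int] = field(default_factory=dict)    # voter -> locked tokens
    votes: Dict[str, str] = field(default_factory=dict)       # voter -> candidate
    approvals: Dict[str, int] = field(default_factory=dict)   # candidate -> weight

    def lock_and_vote(self, voter: str, amount: int, candidate: str) -> None:
        """Lock `amount` tokens and point the voter's full weight at `candidate`."""
        previous = self.votes.get(voter)
        if previous is not None:
            self.approvals[previous] -= self.deposits[voter]
        self.deposits[voter] = self.deposits.get(voter, 0) + amount
        self.votes[voter] = candidate
        self.approvals[candidate] = self.approvals.get(candidate, 0) + self.deposits[voter]

    def lift(self, candidate: str) -> bool:
        """Make `candidate` the hat if it passes both checks; return whether it did."""
        weight = self.approvals.get(candidate, 0)
        incumbent = self.approvals.get(self.hat, 0) if self.hat is not None else 0
        # Relative rule: with no incumbent, any positive weight is enough.
        if weight <= incumbent:
            return False
        # Quorum floor: a fixed share of supply, independent of the incumbent.
        if weight * 10_000 < self.quorum_bps * TOTAL_SUPPLY:
            return False
        self.hat = candidate
        return True


@dataclass
class Pause:
    """Timelock: only the hat may schedule an action, and nothing runs before its eta."""
    delay: int
    scheduled: Dict[str, int] = field(default_factory=dict)   # action -> eta

    def plot(self, caller: str, chief: Chief, action: str, now: int) -> int:
        if caller != chief.hat:
            raise PermissionError("only the current hat may schedule actions")
        eta = now + self.delay
        self.scheduled[action] = eta
        return eta

    def can_exec(self, action: str, now: int) -> bool:
        return action in self.scheduled and now >= self.scheduled[action]


def simulate(stake: int, quorum_bps: int, delay: int,
             incumbent_stake: int = 0, now: int = 0) -> dict:
    """Report how far one voter with `stake` locked tokens gets under a configuration.

    `incumbent_stake` optionally seeds an existing hat so the relative rule is visible.
    """
    chief = Chief(quorum_bps=quorum_bps)
    pause = Pause(delay=delay)
    if incumbent_stake:
        chief.lock_and_vote("incumbent", incumbent_stake, "incumbent")
        chief.lift("incumbent")
    voter = "voter"
    chief.lock_and_vote(voter, stake, voter)   # votes for its own address as authority
    captured = chief.lift(voter)
    result = {"hat_captured": captured, "exec_now": False, "exec_after": None}
    if captured:
        eta = pause.plot(voter, chief, "spell", now)
        result["exec_now"] = pause.can_exec("spell", now)
        result["exec_after"] = eta
    return result


if __name__ == "__main__":
    print("relative rule only, no delay:", simulate(100, 0, 0))
    print("10% quorum + 2-day delay:  ", simulate(100, 1000, 2 * DAY))
    print("legitimate 15% holder:      ", simulate(150_000, 1000, 2 * DAY))
```

Running the module prints the three scenarios. The point to take from the model is that under the relative rule alone the cost of capturing authority is set by the incumbent's approvals rather than by the token supply, so an unset or thinly supported hat is cheap to displace, and that a non-zero delay turns an instant execution into a window in which a monitor watching scheduled actions can raise an alert before anything runs.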

Interestingly, no known external audits of Curio's security protocols were found, suggesting that the organization may rely on in-house security measures. The recovery strategy mentions leveraging internal expertise and best practices in smart contract development and security auditing.

As part of their recovery efforts, CurioDAO is also offering rewards to white hat hackers, providing 10% of recovered proceeds during the first week and 5% thereafter, up to May 25th.

This incident raises the question: Could external audits have provided better protection for Curio, compared to relying solely on in-house security measures?

Spring has brought more than just flowers for Curio, as a $16 million exploit has not only wiped out a significant sum but also led to the retirement of their original CGT token.

In response to the breach, CurioDAO has proposed a two-stage compensation plan involving the introduction of a new token, CGT 2.0, which may offer some reassurance to affected stakeholders. Despite Curio's assurance that the exploit was confined to their Ethereum-based operations, the attacker remains in possession of 996 billion CGT tokens.

There is speculation that the attacker may leverage these tokens in a complex financial scheme involving cross-chain swaps. This raises concerns about the potential for further exploitation and the broader implications for Curio's ecosystem.

CurioDAO has promised to enhance smart contract security to address any loss of trust among its community. Whether these measures will be sufficient to restore confidence remains to be seen. The decision to keep security operations in-house has come under scrutiny, especially in light of this significant breach.

Launching projects without comprehensive external security audits can lead to vulnerabilities being discovered too late, as this incident demonstrates. The recurring nature of such risks underscores the need for the industry to invest more in preventive measures and proactive security strategies. This incident prompts a critical question: Is the prevalence of post-facto risk detection an indication that the industry is lagging in its commitment to robust security protocols?