Curio Smart Contract Hack Leads to $16M Loss Via Fake Money Printing


YEREVAN — A hacker exploited a critical flaw in Curio, a firm that deals with real-world asset liquidity related to voting rights. This breach allowed them to snatch $16 million in digital assets.

Curio addressed its community regarding the security breach, emphasizing its proactive approach to managing the situation. They explained that the compromise stemmed from a MakerDAO-based smart contract utilized in their operations.

Curio Ecosystem Security Breach Alert - Twitter Update

The company confirmed that the hack was limited to Ethereum, assuring users that contracts on both Polkadot and Curio Chain remain secure.

Curio’s $16M Exploit: Flaw and Fix Revealed

Cyvers, a Web3 security firm, reported that the Curio hacker misused a flaw in the ecosystem’s permissions management, gaining power over the ecosystem’s governance protocol.

Curio's $16M Exploit Alert by Cyvers on Twitter

Notably, the hacker first got hold of Curio’s native token, CGT, and used it to bump up their voting power in Curio’s official DAO contract. They ended up creating 1 billion extra CGT out of thin air.

Curio released a thorough analysis and a user compensation strategy on March 25 following the exploit. The report pinpointed a flaw in voting power access control as the issue.

Curio’s team has promised to refund all the money lost in the hack. They’re planning to launch CGT 2.0, a new token, to reimburse the CGT holders fully.

Furthermore, Curio announced a staggered compensation program for liquidity providers. They’ll distribute payments over four phases, each lasting 90 days. This approach suggests that completing all payments could span a full year.

“The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools.”

The company is offering a bounty to white hat hackers: help recover the lost funds and earn a reward. The team is ready to give these ethical hackers 10% of any funds they retrieve in the first phase of recovery.
