Curio DAO Hack - March 2024
The Exploit
On March 23, 2024, CurioDAO Association announced that its voting protocol had been exploited through a smart contract forked from MakerDAO's governance code. The exploit affected the EVM side of Curio's tech stack and resulted in a $16M loss.
Technical Root Cause
The exploit stemmed from a permission access logic vulnerability (a voting power check flaw in a MakerDAO fork). The attacker was able to leverage this vulnerability to mint an additional ~1 Billion CGT tokens.
Attack Vector / Steps
1. The attacker acquired a small number of CGT tokens.
2. Using these, the attacker was able to elevate their voting power within the project's contract due to flawed access logic.
3. With elevated voting power, the attacker executed the plot function, approving a malicious contract that acted as an exec library.
4. Through a delegatecall to this malicious library, the attacker executed arbitrary actions within the Curio DAO contract.
5. Final result: unauthorized minting of approximately 1 Billion CGT tokens, then dumping/swapping for ~$16M of value.
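As an added illustration (not Curio's or MakerDAO's code), a simplified DSPause/DSChief-style executor showing the controls a plot/exec path needs so that a holder of a handful of tokens cannot schedule a library: the caller must be the elected hat backed by a vote threshold, a timelock separates plot from exec, and the library's code hash is pinned before the delegatecall. The IChief interface, the quorum threshold and the event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified executor in the MakerDAO DSPause/DSChief style.
// Not Curio's code; written to show the checks a plot/exec path should enforce.
interface IChief {
    function hat() external view returns (address);              // currently elected authority
    function approvals(address) external view returns (uint256); // votes staked behind an address
}

contract GuardedExecutor {
    IChief public immutable chief;
    uint256 public immutable delay;   // mandatory wait between plot and exec
    uint256 public immutable quorum;  // minimum votes the hat must hold (assumed threshold)
    mapping(bytes32 => bool) public plans;

    event Plotted(address indexed usr, bytes32 tag, uint256 eta); // monitor these for unexpected libraries
    event Executed(address indexed usr, bytes32 tag);

    constructor(IChief chief_, uint256 delay_, uint256 quorum_) {
        chief = chief_; delay = delay_; quorum = quorum_;
    }

    // Only the elected hat, backed by at least `quorum` votes, may schedule a plan.
    // A caller with a small balance and no election therefore never reaches plot().
    modifier onlyElected() {
        require(msg.sender == chief.hat(), "not elected");
        require(chief.approvals(msg.sender) >= quorum, "insufficient votes");
        _;
    }

    function planId(address usr, bytes32 tag, bytes memory fax, uint256 eta) internal pure returns (bytes32) {
        return keccak256(abi.encode(usr, tag, fax, eta));
    }

    function plot(address usr, bytes32 tag, bytes calldata fax, uint256 eta) external onlyElected {
        require(eta >= block.timestamp + delay, "eta too early"); // timelock gives reviewers time to react
        plans[planId(usr, tag, fax, eta)] = true;
        emit Plotted(usr, tag, eta);
    }

    function exec(address usr, bytes32 tag, bytes calldata fax, uint256 eta) external returns (bytes memory out) {
        bytes32 id = planId(usr, tag, fax, eta);
        require(plans[id], "unplotted");
        require(block.timestamp >= eta, "delay not elapsed");
        require(usr.codehash == tag, "library code changed"); // pin the exact bytecode that was approved
        plans[id] = false;
        bool ok;
        (ok, out) = usr.delegatecall(fax);
        require(ok, "exec failed");
        emit Executed(usr, tag);
    }
}
```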
Impact Containment
• The impact was confined to the Ethereum Virtual Machine (EVM) side of Curio's stack
• Curio Chain (built on Polkadot's framework) remained unaffected
Recovery Plan
• On March 25, 2024, Curio released a post-mortem report and a compensation plan
• Plan included launching a new CGT 2.0 token and closing the exploited vulnerabilities
• Compensation program ran in four consecutive 90-day stages
• During each stage, compensation was paid in USDC or USDT amounting to 25% of losses incurred by the second token in the affected liquidity pools