$180 000 USD

MARCH 2024

GLOBAL

CURIODAO

DESCRIPTION OF EVENTS

"Meet the better way to tokenize anything, anywhere. With CurioInvest you can unlock value from tangible and intangible assets. Resell your asset to a new market segment entirely - or fractionally. Every asset may be used as a collateral for a loan or may be locked into DeFi to earn rewards. All from one ecosystem."

 

"Curio Group provides firms and asset originators with digital tools to create a market for their RWA and IP. In 2019 we were the first in the world to tokenize a fine collectible rare car and have expanded to 9 asset classes since then. Today we bring further liquidity via open-sourced CurioDAO multichain protocol, a real-asset-backed stablecoin, and AMM within one single experience."

 

"Rollapp enables users to earn income on their real assets, freeing up capital and allowing crypto investors to trade their way to diversify with a real asset portfolio. A marketplace enables the creation of physical NFTs as well as the direct investment into asset originators' real assets. Asset originators consign their real assets digitally, decreasing costs and addressing key liquidity gaps."

 

"CurioDAO Creator Protocol - A system that enables you to lend your physical NFTs in exchange for instant liquidity in the form of Curio Stablecoin Coin pegged to Swiss Franc."

 

"As per Ancilla, the primary vulnerability exploited in the Curio DAO was a flaw in the voting power privilege access control. The attacker leveraged this vulnerability by acquiring a small number of CGT tokens, thereby gaining access to elevate their voting power within the project’s contract. This elevated voting power allowed the attacker to execute the ‘plot’ function, approving a malicious contract which acted as an ‘exec’ library. Through a delegatecall to this malicious library, the attacker was able to execute arbitrary actions within the Curio DAO contract, ultimately resulting in the unauthorized minting of ~1 Billion $CGT tokens."

 

"The attack was initiated through the "cook" function of an attack contract, which played a crucial role in leveraging the "IDSChief" and "IDSPause" contracts to execute a governance manipulation and mass token minting scheme."

 

"The attacker leveraged this vulnerability by acquiring a small number of CGT tokens, thereby gaining access to elevate their voting power within the project’s contract."

 

"By locking these tokens and voting, they gained control, allowing them to execute a delegate call to a malicious contract."
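The lock, vote and plot sequence described in the quotes above can be watched for on the defender's side. The following monitor is an added example, not code from Curio, MakerDAO or the quoted analysts; the event fields, addresses, thresholds and the `reviewed_targets` allowlist are assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field

MIN_QUORUM = 0.04       # assumed policy: backing weight >= 4% of token supply
MIN_AGE_BLOCKS = 7200   # assumed policy: weight locked about a day before a plot

@dataclass
class GovernanceMonitor:
    total_supply: float
    reviewed_targets: set                           # exec libraries that passed review
    locked: dict = field(default_factory=dict)      # voter -> tokens locked
    locked_at: dict = field(default_factory=dict)   # voter -> block of latest lock
    backing: dict = field(default_factory=dict)     # voter -> candidate voted for

    def handle(self, ev):
        """Consume one event; return alert names raised by it (empty if clean)."""
        kind, who, blk = ev["kind"], ev["sender"], ev["block"]
        if kind == "lock":
            self.locked[who] = self.locked.get(who, 0) + ev["amount"]
            self.locked_at[who] = blk
        elif kind == "vote":
            self.backing[who] = ev["candidate"]
        elif kind == "plot":
            return self._check_plot(who, blk, ev["target"])
        return []

    def _check_plot(self, who, blk, target):
        # Voting weight behind the scheduler: tokens of every voter backing it.
        backers = [v for v, c in self.backing.items() if c == who]
        weight = sum(self.locked.get(v, 0) for v in backers)
        alerts = []
        if weight / self.total_supply < MIN_QUORUM:
            alerts.append("low-weight-authority")
        if not backers or any(blk - self.locked_at.get(v, blk) < MIN_AGE_BLOCKS for v in backers):
            alerts.append("fresh-voting-power")
        if target not in self.reviewed_targets:
            alerts.append("unreviewed-exec-target")
        return alerts

def run(events, total_supply, reviewed_targets):
    mon = GovernanceMonitor(total_supply, set(reviewed_targets))
    return [(e["block"], e["sender"], a) for e in events if (a := mon.handle(e))]

# Constructed events: a reviewed proposal, then a low-weight plot made within a few blocks.
EVENTS = [
    {"kind": "lock", "sender": "voter-A", "block": 100, "amount": 5_000_000},
    {"kind": "vote", "sender": "voter-A", "block": 101, "candidate": "spell-A"},
    {"kind": "plot", "sender": "spell-A", "block": 8100, "target": "lib-A"},
    {"kind": "lock", "sender": "acct-X", "block": 20000, "amount": 20},
    {"kind": "vote", "sender": "acct-X", "block": 20001, "candidate": "contract-X"},
    {"kind": "plot", "sender": "contract-X", "block": 20002, "target": "lib-X"},
]
FINDINGS = run(EVENTS, total_supply=100_000_000, reviewed_targets={"lib-A"})
```

Any one of the three alerts on a scheduled plan is a reason to cancel it during the pause delay, before the delegatecall runs.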

 

"The exploit not only involved minting tokens and manipulating governance but also complex financial strategies such as token swaps and cross-chain transfers, likely in an attempt to distribute and disguise the origin of the minted tokens."

 

"The various swaps and transfers indicate a methodical plan to distribute and perhaps obscure the trail of the minted tokens across multiple platforms and blockchains."

 

"Community Alert: We've just been notified of a smart contract exploit within our ecosystem. Unfortunately, MakerDAO-based smart contracts used within our ecosystem were exploited on the Ethereum side. We're actively addressing the situation and will keep you updated. Rest assured, all Polkadot side and Curio Chain contracts remain secure."

 

"This only impacted a portion of our ecosystem which highlights the importance for a multi chain infrastructure. Please be so kind to wait for a recovery plan to be published."

 

"Despite the incident within the CurioDAO, the impact was confined to the Ethereum Virtual Machine (EVM) side of Curio’s technology stack. Notably, Curio Chain, which is built on Polkadot’s framework, remained unaffected by the exploit. Additionally, the Real-World Asset (RWA) mechanism, a cornerstone of CurioInvest’s platform, remained resilient and secure throughout the incident."

 

"The exploiter is still holding 996 Billion CGT. The total loss is significant, but difficult to calculate, because of the limited market liquidity of CGT."

 

"The Curio team will release a new token CGT 2.0 instead of the current CGT token that is susceptible to exploit attacks. 100% of funds in CGT tokens will be restored for CGT holders, including liquidity providers, as well as users of centralized exchanges. CGT will be restored on Ethereum and other networks supported by the CurioDAO ecosystem: Binance Smart Chain, SKALE chain, and Boba network. The CGT relaunch process is planned to be carried out within 2 weeks starting from now."

 

"Next, for liquidity providers, a funds compensation program related to the second token in the liquidity pools will be launched. The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools. The compensation program will be conducted for all liquidity pools on all networks supported by the CurioDAO ecosystem (Binance Smart Chain, SKALE chain, Boba network) that have been affected by the exploit. In this way, it is planned to pay all compensations within one year."

 

"Also, an airdrop of CGT 2.0 tokens will be conducted amounting to 10% of the CurioDAO Treasury as a bonus for all customers."

 

"Patch Deployment: Develop and deploy a patch to address the identified vulnerability in the voting power privilege access control. This patch will undergo rigorous testing to ensure its effectiveness in mitigating similar exploits in the future.

 

CGT 2.0 Launch: Perform the launch of a new CGT 2.0 token and distribute CGT 2.0 based on the snapshot before the exploit implementation, thereby restoring the integrity of the Curio token economy and mitigating any potential market impacts.

 

Smart Contract Upgrade: Implement upgrades to the Curio DAO smart contract to enhance security measures and prevent similar exploits from occurring in the future. This includes implementing stricter access controls, code auditing, and additional layers of security validation."

 

"Security Audits: Engage additional reputable third-party security firms to conduct regular security audits and penetration testing on the Curio DAO smart contracts and infrastructure. These audits will help identify and remediate any potential vulnerabilities proactively.

 

Community Engagement: Foster a culture of transparency, accountability, and community involvement within the Curio ecosystem. Regular updates, governance discussions, and community feedback mechanisms will be established to ensure ongoing collaboration and alignment of interests.

 

Education and Training: Provide education and training programs for developers, stakeholders, and community members to raise awareness about best practices in smart contract security, risk management, and incident response protocols."

CurioInvest offers a platform to tokenize various assets, providing liquidity and allowing assets to be used as collateral or locked into DeFi for rewards. Curio Group expands on this, offering digital tools for real-world assets and intellectual property, with a focus on tokenization and liquidity. However, CurioDAO, a key component, faced a significant exploit due to a vulnerability in its voting power control. The exploit resulted in the unauthorized minting of ~1 billion CGT tokens. Despite this setback, the Curio team is taking swift action, including launching CGT 2.0 to replace the vulnerable token, compensating affected liquidity providers, and deploying patches to enhance security. They also plan to engage in regular security audits, foster community engagement, and provide education on smart contract security.
