Curio Voting Power Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Curio Invest Logo/Homepage

CurioInvest offers a platform to tokenize various assets, providing liquidity and allowing assets to be used as collateral or locked into DeFi for rewards. Curio Group expands on this, offering digital tools for real-world assets and intellectual property, with a focus on tokenization and liquidity. CurioDAO, the governance component, was exploited on March 23rd, 2024 through a flaw in the access control around voting power in its MakerDAO-derived governance contracts on Ethereum: with only a small CGT stake the attacker gained enough voting power to control the DAO, used the pause's 'plot' function to approve a malicious 'exec' library, and through a delegatecall into that library minted ~1 billion CGT without authorization. Losses across Ethereum, Binance Smart Chain, SKALE chain and Boba network were estimated at roughly $180,000, a figure kept low by CGT's thin market liquidity. The Curio team responded by announcing CGT 2.0 to replace the compromised token, a compensation program for affected liquidity providers, and a patch for the voting-power access control, along with regular security audits, community engagement, and education on smart contract security.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10]

About CurioDAO

"Meet the better way to tokenize anything, anywhere. With CurioInvest you can unlock value from tangible and intangible assets. Resell your asset to a new market segment entirely - or fractionally. Every asset may be used as a collateral for a loan or may be locked into DeFi to earn rewards. All from one ecosystem."

"Curio Group provides firms and asset originators with digital tools to create a market for their RWA and IP. In 2019 we were the first in the world to tokenize a fine collectible rare car and have expanded to 9 asset classes since then. Today we bring further liquidity via open-sourced CurioDAO multichain protocol, a real-asset-backed stablecoin, and AMM within one single experience."

"Rollapp enables users to earn income on their real assets, freeing up capital and allowing crypto investors to trade their way to diversify with a real asset portfolio. A marketplace enables the creation of physical NFTs as well as the direct investment into asset originators' real assets. Asset originators consign their real assets digitally, decreasing costs and, addressing key liquidity gaps."

"CurioDAO Creator Protocol - A system that enables you to lend your physical NFTs in exchange for instant liquidity in the form of Curio Stablecoin Coin pegged to Swiss Franc."

"As per Ancilla, the primary vulnerability exploited in the Curio DAO was a flaw in the voting power privilege access control. The attacker leveraged this vulnerability by acquiring a small number of CGT tokens, thereby gaining access to elevate their voting power within the project’s contract. This elevated voting power allowed the attacker to execute the ‘plot’ function, approving a malicious contract which acted as an ‘exec’ library. Through a delegatecall to this malicious library, the attacker was able to execute arbitrary actions within the Curio DAO contract, ultimately resulting in the unauthorized minting of ~1 Billion $CGT tokens."

"The attack was initiated through the "cook" function of an attack contract, which played a crucial role in leveraging the "IDSChief" and "IDSPause" contracts to execute a governance manipulation and mass token minting scheme."

"The attacker leveraged this vulnerability by acquiring a small number of CGT tokens, thereby gaining access to elevate their voting power within the project’s contract."

"By locking these tokens and voting, they gained control, allowing them to execute a delegate call to a malicious contract."

"The exploit not only involved minting tokens and manipulating governance but also complex financial strategies such as token swaps and cross-chain transfers, likely in an attempt to distribute and disguise the origin of the minted tokens."

"The various swaps and transfers indicate a methodical plan to distribute and perhaps obscure the trail of the minted tokens across multiple platforms and blockchains."

"Community Alert: We've just been notified of a smart contract exploit within our ecosystem. Unfortunately, MakerDAO-based smart contracts used within our ecosystem were exploited on the Ethereum side. We're actively addressing the situation and will keep you updated. Rest assured, all Polkadot side and Curio Chain contracts remain secure."

"This only impacted a portion of our ecosystem which highlights the importance for a multi chain infrastructure. Please be so kind to wait for a recovery plan to be published."

"Despite the incident within the CurioDAO, the impact was confined to the Ethereum Virtual Machine (EVM) side of Curio’s technology stack. Notably, Curio Chain, which is built on Polkadot’s framework, remained unaffected by the exploit. Additionally, the Real-World Asset (RWA) mechanism, a cornerstone of CurioInvest’s platform, remained resilient and secure throughout the incident."

"The exploiter is still holding 996 Billion CGT. The total loss is significant, but difficult to calculate, because of the limited market liquidity of CGT."

"The Curio team will release a new token CGT 2.0 instead of the current CGT token that is susceptible to exploit attacks. 100% of funds in CGT tokens will be restored for CGT holders, including liquidity providers, as well as users of centralized exchanges. CGT will be restored on Ethereum and other networks supported by the CurioDAO ecosystem: Binance Smart Chain, SKALE chain, and Boba network. The CGT relaunch process is planned to be carried out within 2 weeks starting from now."

"Next, for liquidity providers, a funds compensation program related to the second token in the liquidity pools will be launched. The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools. The compensation program will be conducted for all liquidity pools on all networks supported by the CurioDAO ecosystem (Binance Smart Chain, SKALE chain, Boba network) that have been affected by the exploit. In this way, it is planned to pay all compensations within one year."

"Also, an airdrop of CGT 2.0 tokens will be conducted amounting to 10% of the CurioDAO Treasury as a bonus for all customers."

"Patch Deployment: Develop and deploy a patch to address the identified vulnerability in the voting power privilege access control. This patch will undergo rigorous testing to ensure its effectiveness in mitigating similar exploits in the future.

CGT 2.0 Launch: Perform the launch of a new CGT 2.0 token and distribute CGT 2.0 based on the snapshot before the exploit implementation, thereby restoring the integrity of the Curio token economy and mitigating any potential market impacts.

Smart Contract Upgrade: Implement upgrades to the Curio DAO smart contract to enhance security measures and prevent similar exploits from occurring in the future. This includes implementing stricter access controls, code auditing, and additional layers of security validation."

"Security Audits: Engage additional reputable third-party security firms to conduct regular security audits and penetration testing on the Curio DAO smart contracts and infrastructure. These audits will help identify and remediate any potential vulnerabilities proactively.

Community Engagement: Foster a culture of transparency, accountability, and community involvement within the Curio ecosystem. Regular updates, governance discussions, and community feedback mechanisms will be established to ensure ongoing collaboration and alignment of interests.

Education and Training: Provide education and training programs for developers, stakeholders, and community members to raise awareness about best practices in smart contract security, risk management, and incident response protocols."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Curio Voting Power Exploit

Date | Event | Description
March 23rd, 2024 11:53:23 AM MDT | Exploit Transaction Time | The time of the exploit transaction on the blockchain.
March 23rd, 2024 2:31:00 PM MDT | Curio Tweet Update | Curio posts a tweet on Twitter announcing the exploit.
March 25th, 2024 9:45:00 AM MDT | Hacken Report | Hacken publishes a report outlining the attack and the original vulnerability.
March 25th, 2024 1:50:38 PM MDT | CurioDAO Recovery Plan | CurioDAO Association publishes a recovery plan and provides more details of the attack.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
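The reports quoted above describe a MakerDAO-style governance takeover: lock a small CGT position in the chief contract (IDSChief), vote so that an attacker-controlled contract becomes the "hat", use that authority to "plot" a malicious exec library in the pause contract (IDSPause), and "exec" it so the library runs via delegatecall with the pause's privileges, including the right to mint CGT. The model below is an added illustration written for this page; it is not Curio's or MakerDAO's code, and the exact access-control flaw in Curio's fork is not published here. It assumes a generic DSChief/DSPause flow in which the current hat has zero backing (an idle electorate), so a single token out-votes it. The two mitigations it shows, a minimum-approval floor for lifting the hat and a non-zero pause delay, are illustrative assumptions, not Curio's announced patch. All actors, balances and the mint amount are constructed.

```python
"""Model of a DSChief/DSPause governance takeover and two mitigations.

Added illustration for this case study; not Curio's or MakerDAO's contracts.
Names ('attack_contract', 'pause_proxy', 'legit_spell') and amounts are made up.
"""


class GovernanceError(Exception):
    """Raised where the on-chain call would revert."""


class Chief:
    """DSChief-style voting: lock tokens, vote for a candidate, lift the hat."""

    def __init__(self, min_hat_approvals=0):
        self.deposits = {}      # voter -> locked governance tokens
        self.votes = {}         # voter -> candidate the voter currently backs
        self.approvals = {}     # candidate -> total backing weight
        self.hat = None         # candidate holding authority over the pause
        # Assumed hardening knob; stock DSChief has no such floor.
        self.min_hat_approvals = min_hat_approvals

    def lock(self, voter, amount):
        self.deposits[voter] = self.deposits.get(voter, 0) + amount
        cand = self.votes.get(voter)
        if cand is not None:
            self.approvals[cand] += amount

    def vote(self, voter, candidate):
        weight = self.deposits.get(voter, 0)
        old = self.votes.get(voter)
        if old is not None:
            self.approvals[old] -= weight
        self.votes[voter] = candidate
        self.approvals[candidate] = self.approvals.get(candidate, 0) + weight

    def lift(self, candidate):
        new = self.approvals.get(candidate, 0)
        cur = self.approvals.get(self.hat, 0)
        # Stock DSChief rule: the new hat must strictly out-vote the current
        # one. If nobody else has voted, approvals[hat] is 0 and 1 token wins.
        if new <= cur:
            raise GovernanceError("candidate does not out-vote current hat")
        # Assumed hardening: an absolute floor so an idle chief cannot be
        # captured by a dust-sized stake.
        if new < self.min_hat_approvals:
            raise GovernanceError("below minimum hat approvals")
        self.hat = candidate


class Pause:
    """DSPause-style timelock: the hat plots a plan; anyone execs it after eta."""

    def __init__(self, chief, delay, now=0):
        self.chief, self.delay, self.now = chief, delay, now
        self.plans = {}         # plan -> earliest execution time (eta)

    def plot(self, caller, plan):
        if caller != self.chief.hat:    # ds-auth: only the hat may plot
            raise GovernanceError("plot: caller is not the hat")
        self.plans[plan] = self.now + self.delay

    def exec(self, plan, token):
        eta = self.plans.get(plan)
        if eta is None:
            raise GovernanceError("exec: plan not plotted")
        if self.now < eta:
            raise GovernanceError("exec: delay not elapsed")
        del self.plans[plan]
        # delegatecall: the plan's code runs with the pause proxy's authority.
        plan.run(token, caller="pause_proxy")


class Token:
    """Governance token whose mint() is restricted to the pause proxy."""

    def __init__(self):
        self.balances, self.minters = {}, {"pause_proxy"}

    def mint(self, caller, to, amount):
        if caller not in self.minters:
            raise GovernanceError("mint: not authorised")
        self.balances[to] = self.balances.get(to, 0) + amount


class MintSpell:
    """Malicious 'exec' library: mints to the attacker when delegatecalled."""

    def __init__(self, beneficiary, amount):
        self.beneficiary, self.amount = beneficiary, amount

    def run(self, token, caller):
        token.mint(caller, self.beneficiary, self.amount)


def run_takeover(delay=0, min_hat_approvals=0, stake=1, honest_stake=0):
    """Drive the attack; return (tokens minted to the attacker, outcome)."""
    token, chief = Token(), Chief(min_hat_approvals)
    pause = Pause(chief, delay)
    spell = MintSpell(beneficiary="attacker", amount=10**9)
    if honest_stake:    # an engaged electorate already backs a legitimate spell
        chief.lock("honest", honest_stake)
        chief.vote("honest", "legit_spell")
        chief.lift("legit_spell")
    try:
        chief.lock("attacker", stake)               # tiny CGT position
        chief.vote("attacker", "attack_contract")   # back the attack contract
        chief.lift("attack_contract")               # it becomes the hat
        pause.plot("attack_contract", spell)        # hat plots the exec library
        pause.exec(spell, token)                    # delegatecall into it
    except GovernanceError as err:
        return token.balances.get("attacker", 0), str(err)
    return token.balances.get("attacker", 0), "minted"
```

`run_takeover()` with the defaults reproduces the reported shape of the attack in a single call sequence, which is what a bundling function like the reported "cook" would do in one transaction: one locked token out-votes an empty hat, the attack contract plots the library, and the delegatecalled mint lands 10**9 tokens. `run_takeover(honest_stake=50)` shows that active voters alone block the lift; `run_takeover(min_hat_approvals=1_000)` shows the assumed floor blocking it even with an idle electorate; and `run_takeover(delay=86_400)` shows a non-zero pause delay stopping immediate execution, which is the window in which a monitor watching for unexpected plot calls could raise the alarm.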

Total Amount Lost

  • Ethereum: ~$113k losses
  • Binance Smart Chain: ~$38k losses
  • SKALE chain: ~$28k losses
  • Boba network: ~$1k losses

The total amount lost has been estimated at $180,000 USD.

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References