
Hack Track: CurioDAO Flow of Funds Analysis

CurioDAO is a multichain platform focused on real-world asset tokenization, enhancing liquidity through various mechanisms such as stablecoins, a launchpad, and Automated Market Makers.

The platform is governed by the Curio Governance Token (CGT), allowing holders to participate in decision-making processes related to the Curio Creator Protocol.

On 23 March 2024, a vulnerability in the voting-power access control of CurioDAO's governance smart contract was exploited, leading to a significant security breach. The attacker, holding Curio Governance Token (CGT), was able to raise their voting power within the contract far beyond what their holdings should have conferred. With that elevated voting power, the attacker passed the privilege check and minted a large quantity of CGT without authorization.

While the attacker currently holds CGT nominally worth $39.7 billion at market price (a figure that could not be realized, since the minted supply far exceeds the token's available liquidity), the realized losses incurred by the platform are ~ $140k on Ethereum and ~ $37k on Binance Smart Chain.

Merkle Science’s Flow of Funds Analysis

Token Symbol   Token Value     Value (USD)    Blockchain
ETH            2.9583          $10,607.51     Ethereum
DAI            34,925.1834     $34,960.11     Ethereum
SKL            104,879.2193    $12,514.15     Ethereum
WETH           23              $82,416.61     Ethereum
Total                          $140,498.38    Ethereum

BNB            64.2347         $37,246.27     Binance SC
Total                          $37,246.27     Binance SC

 

How the exploit was executed:

  1. The exploit likely stemmed from a critical vulnerability in the voting-power access control of a MakerDAO-based governance contract used by CurioDAO.
  2. The attacker deployed a malicious contract to carry out the exploit.
  3. The attacker acquired a small amount of CGT, enough to interact with the governance contract as a token holder.
  4. Using that small stake, the attacker manipulated the contract so that their voting power within Curio DAO rose far beyond what the stake should have conferred.
  5. With the elevated voting power, the attacker passed the access-control check and illicitly minted an additional 1 billion CGT, dwarfing all other holdings in the project.
  6. Controlling the governance authority, the attacker then executed multiple transactions draining assets worth ~ $140k on Ethereum (and ~ $37k on Binance Smart Chain, per the table above).
  7. The proceeds remain idle in attacker-controlled addresses; no onward movement of funds has been observed so far.
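The page attributes the exploit to a MakerDAO-based governance contract, so the following is an added Python model of a DSChief-style "hat/lift" gate in front of a privileged mint, in a weak and a hardened form. This is illustrative code written for this article, not Curio's or MakerDAO's contracts, and the page does not state which exact check failed in Curio's deployment. It shows one way a small stake turns into full authority when the lift check only compares a candidate against the current hat (which starts empty, with zero approvals), and the hardened variant modelled on DSChief's launch threshold, where the first lift must beat a real floor. The addresses, the 80,000-token threshold and all amounts are constructed for the example.

```python
"""Added example (not Curio's code): toy DSChief-style governance gate guarding
a privileged mint. Names, amounts and the 80,000 threshold are constructed."""
from dataclasses import dataclass, field

ZERO = "0x0000000000000000000000000000000000000000"  # sentinel: "no hat yet"


@dataclass
class GovToken:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def credit(self, to: str, amount: int) -> None:  # only reachable via MintGate
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, frm: str, to: str, amount: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


@dataclass
class Chief:
    """Hat/lift voting: whoever holds the 'hat' is the only authorized caller."""
    token: GovToken
    hardened: bool
    threshold: int = 80_000                        # constructed launch/lift floor
    deposits: dict = field(default_factory=dict)   # voter -> locked tokens
    votes: dict = field(default_factory=dict)      # voter -> candidate
    approvals: dict = field(default_factory=dict)  # candidate -> total weight
    hat: str = ZERO
    live: bool = False

    def lock(self, voter: str, amount: int) -> None:
        self.token.transfer(voter, "chief", amount)
        self.deposits[voter] = self.deposits.get(voter, 0) + amount
        cand = self.votes.get(voter)
        if cand is not None:  # new weight follows the voter's existing vote
            self.approvals[cand] = self.approvals.get(cand, 0) + amount

    def vote(self, voter: str, candidate: str) -> None:
        weight = self.deposits.get(voter, 0)
        old = self.votes.get(voter)
        if old is not None:
            self.approvals[old] -= weight
        self.votes[voter] = candidate
        self.approvals[candidate] = self.approvals.get(candidate, 0) + weight

    def launch(self) -> None:
        """Hardened only: go live once the empty hat slot holds `threshold`
        approvals, so the first lift must beat a real floor rather than zero."""
        if self.live or self.hat != ZERO:
            raise PermissionError("already launched")
        if self.approvals.get(ZERO, 0) < self.threshold:
            raise PermissionError("launch threshold not met")
        self.live = True

    def lift(self, whom: str) -> None:
        """Weak gate: 'more approvals than the current hat'. On a fresh chief the
        hat is ZERO with 0 approvals, so a single locked token is enough."""
        if self.hardened:
            if not self.live:
                raise PermissionError("chief not live")
            if self.approvals.get(whom, 0) < self.threshold:
                raise PermissionError("below lift threshold")
        if self.approvals.get(whom, 0) <= self.approvals.get(self.hat, 0):
            raise PermissionError("fewer approvals than current hat")
        self.hat = whom

    def can_call(self, caller: str) -> bool:
        if self.hardened and not self.live:
            return False
        return caller != ZERO and caller == self.hat


@dataclass
class MintGate:
    """The privileged function: minting is allowed only for the chief's hat."""
    chief: Chief
    token: GovToken

    def mint(self, caller: str, to: str, amount: int) -> None:
        if not self.chief.can_call(caller):
            raise PermissionError("unauthorized mint")
        self.token.credit(to, amount)


def run_attack(hardened: bool) -> dict:
    """Attacker with a small stake votes for itself, tries to take the hat,
    then tries to mint 1e9 tokens. Returns the outcome for inspection."""
    token = GovToken()
    token.credit("attacker", 1_000)  # constructed: small, legitimately bought stake
    chief = Chief(token=token, hardened=hardened)
    gate = MintGate(chief=chief, token=token)
    chief.lock("attacker", 1_000)
    chief.vote("attacker", "attacker")
    try:
        chief.lift("attacker")
        gate.mint("attacker", "attacker", 1_000_000_000)
        minted = True
    except PermissionError:
        minted = False
    return {"minted": minted, "hat": chief.hat,
            "attacker_balance": token.balances.get("attacker", 0)}


def legit_launch() -> Chief:
    """Hardened path: the community parks `threshold` weight on ZERO, launches,
    then moves that weight to a real candidate and lifts it."""
    token = GovToken()
    token.credit("community", 80_000)
    chief = Chief(token=token, hardened=True)
    chief.lock("community", 80_000)
    chief.vote("community", ZERO)
    chief.launch()
    chief.vote("community", "multisig")
    chief.lift("multisig")
    return chief
```

Running `run_attack(hardened=False)` ends with the attacker as hat and 1,000,000,000 freshly minted tokens in its balance, bootstrapped from a 1,000-token stake; `run_attack(hardened=True)` fails at `lift` because the chief is not live and the stake is below the floor. The design point is that a privileged function's guard must be anchored to something the caller cannot cheaply satisfy (a fixed threshold against total supply, a launched state, ideally a timelock), not only to a comparison against whatever currently occupies the privileged slot.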

 

Mitigating Access Control Risks

Access control vulnerabilities expose organizations to financial loss, data breaches, and reputational damage. When exploited, they grant unauthorized access to sensitive resources and can lead to data exfiltration, system compromise, and service disruption. In on-chain governance the sensitive resource is the privileged function itself: a mint or treasury call should be reachable only through a proposal that has cleared a quorum measured against total supply and, ideally, a timelock, never on the strength of a caller's momentary voting weight that the caller can inflate. Meticulous configuration of access controls, adherence to least privilege, and proactive identification and mitigation of such weaknesses are therefore essential to an organization's security posture.