CurioDAO is a multichain platform focused on real-world asset tokenization, enhancing liquidity through various mechanisms such as stablecoins, a launchpad, and Automated Market Makers.
The platform is governed by the Curio Governance Token (CGT), allowing holders to participate in decision-making processes related to the Curio Creator Protocol.
On 23 March 2024, a flaw in the access control around voting-power privileges was exploited, leading to a significant security breach. The attacker acquired Curio Governance Token (CGT) and used it to raise their voting power within the project's smart contract. With that elevated voting power, the attacker executed an unauthorized mint of a large quantity of CGT.
While the attacker is currently sitting on $39.7 billion worth of CGT (the nominal value of the newly minted tokens), the losses actually incurred by the platform are roughly $140k on Ethereum and roughly $37k on the Binance Smart Chain, broken down below.
Token Symbol | Token Amount | Value (USD) | Blockchain
--- | --- | --- | ---
ETH | 2.9583 | $10,607.51 | Ethereum
DAI | 34,925.1834 | $34,960.11 | Ethereum
SKL | 104,879.2193 | $12,514.15 | Ethereum
WETH | 23 | $82,416.61 | Ethereum
Total | | $140,498.38 | Ethereum
BNB | 64.2347 | $37,246.27 | Binance SC
Total | | $37,246.27 | Binance SC
How the exploit was executed:
Mitigating Access Control Risks
Access control vulnerabilities expose an organization to financial loss, data breaches, and reputational damage. Exploiting one gives an attacker unauthorized access to sensitive resources, which can lead to data exfiltration, system compromise, and service disruption. In a smart contract the consequences are immediate and irreversible: in this incident the privileged operation was minting the governance token itself, and the privilege was gated on voting power that the attacker was able to increase. Careful configuration of access controls, adherence to the principle of least privilege, and proactive identification and remediation of weaknesses are therefore essential to an organization's security posture. For governance contracts in particular, derive privileges from state a caller cannot cheaply manufacture (voting power that is locked or snapshotted and held through a timelock, rather than a balance read at call time), keep the role that votes separate from the role that mints, bound what a single privileged call can do, and test the access-control path the way an attacker holding a freshly acquired position would.
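The following is an added illustration, not CurioDAO's contract code or a reconstruction of it: a governance-gated mint in which the minting privilege is derived from a token balance read at call time, beside a hardened version in which voting power is locked through a timelock, a proposal needs a quorum measured against total supply, and a single proposal can mint only a capped amount. The contract names, the token interface, and the thresholds (20% quorum, 1% mint cap, 3-day vote, 2-day delay) are assumptions made for the example; the token is assumed to grant its mint permission only to the governance contract's address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not CurioDAO's code. Contract names, thresholds and the
// token interface are assumptions made for this illustration.

interface IVotingToken {
    function balanceOf(address a) external view returns (uint256);
    function totalSupply() external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function mint(address to, uint256 amount) external; // assumed: callable only by the governance address
}

// Vulnerable pattern: the right to mint is derived from a balance checked at
// call time. Anyone who can buy or flash-borrow more tokens than the current
// holder of the "hat" showed takes the hat and may mint without limit or delay.
contract VulnerableGovernance {
    IVotingToken public immutable token;
    address public hat;            // current governor
    uint256 public hatApprovals;   // balance the hat showed when it took office

    constructor(IVotingToken t) { token = t; }

    function lift(address who) external {
        uint256 power = token.balanceOf(who);        // live balance, not a snapshot
        require(power > hatApprovals, "not enough voting power");
        hat = who;
        hatApprovals = power;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == hat, "not hat");        // no quorum, no timelock, no cap
        token.mint(to, amount);
    }
}

// Hardened pattern: voting power is tokens locked in this contract and kept
// locked until the proposal can execute; a proposal needs a quorum measured
// against total supply, waits out a timelock, and mints at most a capped amount.
contract HardenedGovernance {
    IVotingToken public immutable token;
    uint256 public constant QUORUM_BPS    = 2000;    // 20% of total supply (assumed)
    uint256 public constant MINT_CAP_BPS  = 100;     // 1% of total supply per proposal (assumed)
    uint256 public constant VOTING_PERIOD = 3 days;
    uint256 public constant TIMELOCK      = 2 days;

    struct Proposal { address to; uint256 amount; uint256 voteEnd; uint256 forVotes; bool executed; }
    Proposal[] public proposals;
    mapping(address => uint256) public locked;       // tokens deposited for voting
    mapping(address => uint256) public lockedUntil;  // earliest time the deposit may be withdrawn
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor(IVotingToken t) { token = t; }

    function lock(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        locked[msg.sender] += amount;
    }

    function unlock(uint256 amount) external {
        require(block.timestamp >= lockedUntil[msg.sender], "committed to an open vote");
        locked[msg.sender] -= amount;                 // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function propose(address to, uint256 amount) external returns (uint256 id) {
        require(amount <= token.totalSupply() * MINT_CAP_BPS / 10_000, "exceeds mint cap");
        proposals.push(Proposal(to, amount, block.timestamp + VOTING_PERIOD, 0, false));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.timestamp < p.voteEnd, "voting closed");
        require(!hasVoted[id][msg.sender], "already voted");
        uint256 weight = locked[msg.sender];
        require(weight > 0, "no locked tokens");
        hasVoted[id][msg.sender] = true;
        p.forVotes += weight;
        // The voter's deposit stays locked until the execution window opens, so the
        // same tokens cannot be withdrawn and voted again, and a flash loan cannot
        // be repaid within the transaction that cast the vote.
        uint256 until = p.voteEnd + TIMELOCK;
        if (until > lockedUntil[msg.sender]) lockedUntil[msg.sender] = until;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(block.timestamp >= p.voteEnd + TIMELOCK, "timelock not elapsed");
        require(p.forVotes * 10_000 >= token.totalSupply() * QUORUM_BPS, "quorum not reached");
        p.executed = true;
        token.mint(p.to, p.amount);                   // amount was bounded by the cap in propose()
    }
}
```

Against VulnerableGovernance, calling lift() and then mint() in one transaction is enough once the caller's balance exceeds the previous hat's. Against HardenedGovernance the attacker must own, not borrow, at least 20% of supply for the whole voting period plus the delay, and even then can mint no more than 1% of supply per proposal, a window in which the rest of the DAO can see the proposal on chain and respond.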