Explained: The Curio Hack (March 2024)


Rob Behnke

April 1st, 2024


In March 2024, the Curio DeFi protocol — which specializes in tokenized real world assets (RWAs) — suffered a $16 million hack. The attacker took advantage of an access control error in the protocol’s MakerDAO smart contracts, enabling them to perform a malicious mint.

Inside the Attack

The Curio hack was made possible by a vulnerability in the project’s DAO voting system. By acquiring a relatively small number of CGT tokens, the attacker was able to grant themselves elevated voting privileges within the smart contract.

With this greater voting power, the attacker could execute the smart contract’s plot function, which defined a malicious smart contract as the project’s exec library. The smart contract allowed delegatecalls to this malicious exec library, enabling various malicious effects.

A delegatecall allows another smart contract to perform actions with the identity, privileges, and storage of the calling smart contract. With delegatecalls from Curio’s smart contract to the malicious one, the attacker was able to mint approximately 1 billion $CGT tokens.
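The delegatecall behaviour described above, as a toy Python model added here for illustration; it is not Curio's or MakerDAO's code. The contract names, the `minters` set, `exec_unchecked`, `exec_pinned` and the `approved_libs` allowlist are all assumptions made for the example.

```python
# Toy model of EVM call vs. delegatecall (constructed; not Curio's contracts).

class Contract:
    def __init__(self, address, code, storage=None):
        self.address = address
        self.code = code              # function name -> callable(this, sender, *args)
        self.storage = storage or {}

def call(caller, target, fn, *args):
    # Regular call: target's code runs on target's storage; sender is the caller.
    return target.code[fn](target, caller.address, *args)

def delegatecall(caller, sender, library, fn, *args):
    # delegatecall: library's code runs with the CALLER's storage and identity.
    return library.code[fn](caller, sender, *args)

def token_mint(this, sender, to, amount):
    # Only addresses in `minters` may mint (hypothetical access-control list).
    if sender not in this.storage["minters"]:
        raise PermissionError(f"{sender} is not an authorized minter")
    balances = this.storage["balances"]
    balances[to] = balances.get(to, 0) + amount
    return balances[to]

def make_system():
    token = Contract("token", {"mint": token_mint},
                     {"minters": {"governance"}, "balances": {}})
    # A library nobody reviewed: its code mints to an address of its choosing.
    lib = Contract("untrusted_lib",
                   {"run": lambda this, sender: call(this, token, "mint", "lib_owner", 10**9)})
    governance = Contract("governance", {}, {"exec_lib": lib, "approved_libs": set()})
    return token, lib, governance

def exec_unchecked(governance, sender):
    # Delegates to whatever library is currently configured.
    return delegatecall(governance, sender, governance.storage["exec_lib"], "run")

def exec_pinned(governance, sender):
    # Mitigation sketch: only delegatecall into libraries on a reviewed allowlist.
    lib = governance.storage["exec_lib"]
    if lib.address not in governance.storage["approved_libs"]:
        raise PermissionError(f"{lib.address} is not an approved exec library")
    return delegatecall(governance, sender, lib, "run")
```

Called directly, the library's code reaches the token as `untrusted_lib` and is rejected; run through `delegatecall`, the same code reaches the token as `governance` and the mint succeeds, which is why control over the delegatecall target has to be guarded as tightly as the mint right itself.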

With so many minted tokens sitting on a single blockchain, the attacker risked being unable to cash out if the tokens were frozen on exchanges. To help cover their tracks, the attacker performed a series of token swaps and cross-chain transfers after the attack, in an attempt to obfuscate the source of the tokens and make them more difficult to freeze.

The Curio team rapidly reported the attack and developed a remediation and compensation plan for addressing it. This included launching a new CGT 2.0 token and closing the vulnerabilities exploited by the attacker.

Lessons Learned from the Attack

The Curio DAO hack was made possible by a vulnerability in the protocol’s voting and governance system. An attacker was able to exploit this error to give themselves outsized power over the system and deploy a malicious smart contract as a trusted part of the Curio ecosystem. From there, a delegatecall to the malicious smart contract enabled the massive token mint.

The Curio hack demonstrates the importance of smart contract audits for DeFi project security. The logical errors behind the DAO governance exploit might have been detected and corrected by a business logic assessment, without a costly hack. However, the Curio project relied on internal security audits and smart contract development best practices to ensure the security of its projects. To learn more about protecting your crypto project via a smart contract audit, get in touch with Halborn.