Curio, a DeFi project known for its role in tokenising real-world assets, was targeted in a sophisticated exploit against its DAO smart contract, which is based on a fork of MakerDAO, leading to a $16 million loss. The cause of the incident was traced back to a vulnerability in its smart contract governance system, which was manipulated to mint and steal funds.
<h3 id="heading-behind-the-breach">Behind the Breach</h3>
The exploit was executed through a governance attack, where the attacker exploited a vulnerability in the voting system to acquire undue control over the DAO's assets. This manipulation enabled the unauthorised minting of tokens. The attacker employed a complex strategy involving flash loans—a form of uncollateralised borrowing popular in DeFi—and cross-chain transfers to execute the theft and obscure their tracks, ultimately draining $16 million from CurioDAO.
<hr />
Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit <a target="_blank" href="https://rivanorth.com/"><a href="https://rivanorth.com/" class="autolinkedURL autolinkedURL-url" target="_blank">rivanorth.com</a></a> to find out more.
You build the future. We help you secure it.

Curio, a DeFi project known for its role in tokenising real-world assets, was targeted in a sophisticated exploit against its DAO smart contract, which is based on a fork of MakerDAO, leading to a $16 million loss. The cause of the incident was traced back to a vulnerability in its smart contract governance system, which was manipulated to mint and steal funds.

### **Behind the Breach**

The exploit was executed through a governance attack, where the attacker exploited a vulnerability in the voting system to acquire undue control over the DAO's assets. This manipulation enabled the unauthorised minting of tokens. The attacker employed a complex strategy involving flash loans—a form of uncollateralised borrowing popular in DeFi—and cross-chain transfers to execute the theft and obscure their tracks, ultimately draining $16 million from CurioDAO.

---

Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit [**https://rivanorth.com/**](https://rivanorth.com/) to find out more.

You build the **future**. We help you **secure** it.

Hack Explained - Curio

As a leading cybersecurity company, we specialise in securing emerging tech with research based state of the art security services.
You build the future. We help you secure it.
