Hack Explained - Curio


Curio, a DeFi project known for its role in tokenising real-world assets, was targeted in a sophisticated exploit against its DAO smart contract, which is based on a fork of MakerDAO, leading to a $16 million loss. The cause of the incident was traced back to a vulnerability in its smart contract governance system, which was manipulated to mint and steal funds.

Behind the Breach

The exploit was executed through a governance attack, where the attacker exploited a vulnerability in the voting system to acquire undue control over the DAO's assets. This manipulation enabled the unauthorised minting of tokens. The attacker employed a complex strategy involving flash loans—a form of uncollateralised borrowing popular in DeFi—and cross-chain transfers to execute the theft and obscure their tracks, ultimately draining $16 million from CurioDAO.

Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.