
Curio DAO Suffers $16 Million Governance Exploit Through Voting Power Manipulation

Real-world asset liquidity protocol Curio has fallen victim to a sophisticated governance exploit that siphoned approximately $16 million from its Ethereum-based smart contracts. The attack, which unfolded on March 25, 2024, highlights the persistent vulnerabilities lurking within decentralized autonomous organization governance mechanisms as the broader crypto market trades near all-time highs with Bitcoin hovering around $69,958.

The Exploit Mechanics

The attacker executed a voting power inflation scheme targeting a MakerDAO-forked smart contract deployed by Curio on Ethereum. By acquiring a relatively small number of Curio Governance Tokens (CGT), the attacker gained initial access to the protocol’s governance layer. From there, they exploited a critical flaw in the access-control logic governing voting-power privileges, which allowed them to inflate their governance weight far beyond what their token holdings warranted.

Web3 security firm Cyvers detected the exploit in real time and classified it as a permission access logic vulnerability. The attacker used their inflated voting power to execute a series of governance actions that ultimately granted them the ability to perform arbitrary operations within the Curio DAO contract. The most damaging of these actions was the unauthorized minting of 1 billion CGT tokens, which the attacker then used to drain approximately $16 million worth of digital assets from the protocol.

Affected Systems

The exploit was confined to Curio’s Ethereum deployment. The team confirmed that all contracts on Polkadot and the Curio Chain remained unaffected by the incident. The vulnerability specifically resided in the governance module of the smart contract, which was based on a forked version of MakerDAO’s architecture. While MakerDAO’s original implementation includes safeguards against voting power manipulation, the modifications made during the fork appear to have introduced the exploitable gap.

Crypto markets were trading strongly at the time of the attack, with Ethereum priced at $3,590 and Solana at $189. The robust market conditions may have amplified the total value of the losses, as the stolen assets were denominated in tokens that had appreciated significantly during the recent bull run.

The Mitigation Strategy

Curio responded swiftly to the exploit by publishing a detailed post-mortem on the same day the attack occurred. The team outlined a comprehensive compensation plan for affected users. All CGT holders will receive a new token called CGT 2.0, with the team promising to restore 100 percent of the value lost in the exploit. For liquidity providers, Curio established a structured compensation program consisting of four consecutive stages, each lasting 90 days. During each stage, affected liquidity providers will receive 25 percent of their losses paid in USDC and USDT stablecoins, meaning full compensation could take up to one year.

The protocol also announced a white hat bounty program, offering security researchers a reward equivalent to 10 percent of any recovered funds during the initial recovery phase. This approach mirrors strategies employed by other protocols that have suffered similar governance attacks, incentivizing the broader security community to assist in fund recovery.

Lessons Learned

The Curio exploit reinforces several critical security principles for DeFi protocols. First, governance mechanisms derived from established protocols require the same rigorous auditing as entirely new code. Forking MakerDAO’s governance without fully validating the modifications proved catastrophic. Second, voting power inflation attacks represent a class of vulnerability that can be particularly devastating because they exploit the very mechanisms designed to protect decentralized protocols. Protocols must implement strict bounds on voting power escalation and ensure that no single governance action can authorize unlimited token minting.
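The following is an added illustration, not code from Curio, MakerDAO or the article, of the two invariants the exploit mechanics and the lessons above point at: voting weight must come only from tokens actually locked in the contract (no privileged path can set it), and no single governance action may mint more than a bounded fraction of supply. The class and function names, the basis-point thresholds and the constructed balances are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added illustration (not Curio's or MakerDAO's code): a token-weighted
# governance model in which voting weight is derived only from tokens locked
# in the contract and any single proposal's mint is capped. All names and the
# basis-point thresholds are assumptions chosen for the example.

MINT_CAP_BPS = 500    # one proposal may mint at most 5% of current supply
QUORUM_BPS = 2000     # 20% of total supply must vote yes to pass


@dataclass
class Proposal:
    action: str                              # e.g. "mint"
    amount: int
    yes_weight: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    def __init__(self, balances: dict):
        self.balances = dict(balances)               # freely held tokens
        self.locked = {a: 0 for a in balances}       # tokens locked to vote
        self.proposals = []

    def total_supply(self) -> int:
        return sum(self.balances.values()) + sum(self.locked.values())

    def lock(self, who: str, amount: int) -> None:
        # weight can only be obtained by moving real tokens into the lock
        if amount <= 0 or self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance to lock")
        self.balances[who] -= amount
        self.locked[who] = self.locked.get(who, 0) + amount

    def voting_weight(self, who: str) -> int:
        # there is no privileged setter: weight is always the locked balance
        return self.locked.get(who, 0)

    def mint_allowed(self, amount: int) -> bool:
        return 0 < amount <= self.total_supply() * MINT_CAP_BPS // 10_000

    def propose(self, action: str, amount: int) -> int:
        if action == "mint" and not self.mint_allowed(amount):
            raise ValueError("mint exceeds per-proposal cap")
        self.proposals.append(Proposal(action, amount))
        return len(self.proposals) - 1

    def vote(self, pid: int, who: str) -> int:
        p = self.proposals[pid]
        if who in p.voters:
            raise ValueError("already voted")
        p.voters.add(who)
        p.yes_weight += self.voting_weight(who)
        return p.yes_weight

    def execute(self, pid: int, recipient: str) -> bool:
        p = self.proposals[pid]
        # invariant re-checked at execution: recorded weight can never exceed
        # the tokens actually locked, whatever code path recorded it
        assert p.yes_weight <= sum(self.locked.values()), "weight inflation"
        quorum = self.total_supply() * QUORUM_BPS // 10_000
        if p.executed or p.yes_weight < quorum:
            return False
        p.executed = True
        if p.action == "mint":
            self.balances[recipient] = self.balances.get(recipient, 0) + p.amount
        return True


if __name__ == "__main__":
    g = Governance({"alice": 700, "bob": 200, "mallory": 100})  # constructed
    print("1e9 mint allowed?", g.mint_allowed(1_000_000_000))   # False
    g.lock("mallory", 100)
    pid = g.propose("mint", 50)
    g.vote(pid, "mallory")
    print("executes with 100 of 1000 locked?", g.execute(pid, "mallory"))  # False
```

The design point is that `voting_weight` has no setter at all, so a permission bug elsewhere cannot hand out weight the lock does not back, and `execute` re-checks the sum of locked tokens at the moment of execution rather than trusting the tally. The mint cap is deliberately relative to current supply so that a 1 billion token mint against a small supply is rejected at proposal time.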

Third, the incident demonstrates the importance of real-time monitoring tools. Cyvers detected the attack as it happened; with automated circuit breakers in place, that detection could have limited the losses. Protocols should consider implementing time-locked governance actions with built-in pause mechanisms that activate when unusual governance behavior is detected.
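To make the time-lock-plus-pause idea concrete, here is an added example that is not a real contract, Cyvers' tooling or anything from the article: scheduled governance actions sit behind a delay, and a monitor that evaluates governance events as they arrive flags a vote whose weight exceeds the voter's locked balance or a mint above a threshold, and pauses execution until the queue is reviewed. The delay, the alert threshold, the event shapes, the `Timelock` class and the constructed event stream are all assumptions made for the example.

```python
from dataclasses import dataclass

# Added illustration (not a real contract or Cyvers' tooling): governance
# actions wait in a timelock queue, and a monitor evaluating governance
# events as they arrive can pause execution. The delay, the alert threshold,
# the event shapes and the Timelock class are assumptions for the example.

DELAY_BLOCKS = 7_200      # assumed policy: roughly one day of Ethereum blocks
MINT_ALERT_BPS = 500      # assumed: flag any mint above 5% of current supply


@dataclass
class QueuedAction:
    action: str
    amount: int
    eta: int                  # earliest block at which it may execute
    done: bool = False


class Timelock:
    def __init__(self, total_supply: int):
        self.total_supply = total_supply
        self.paused = False
        self.queue = []
        self.alerts = []

    def schedule(self, action: str, amount: int, now: int) -> int:
        self.queue.append(QueuedAction(action, amount, now + DELAY_BLOCKS))
        return len(self.queue) - 1

    def execute(self, idx: int, now: int) -> bool:
        a = self.queue[idx]
        # a paused contract, an already-run action or an unexpired delay all block
        if self.paused or a.done or now < a.eta:
            return False
        a.done = True
        return True

    def observe(self, event: dict) -> None:
        # detection rules evaluated per event; any hit pauses execution so
        # operators can review before the delay expires
        kind = event.get("type")
        if kind == "vote" and event["weight"] > event["locked_balance"]:
            self.alerts.append(
                f"{event['voter']} voted with weight {event['weight']} "
                f"but has only {event['locked_balance']} locked")
        elif (kind == "schedule" and event["action"] == "mint"
              and event["amount"] > self.total_supply * MINT_ALERT_BPS // 10_000):
            self.alerts.append(
                f"mint of {event['amount']} exceeds {MINT_ALERT_BPS} bps of supply")
        if self.alerts and not self.paused:
            self.paused = True


# Constructed event stream: a normal vote, a vote whose weight exceeds the
# voter's locked balance, and a mint far above the alert threshold.
SAMPLE_EVENTS = [
    {"type": "vote", "voter": "0xA11CE", "weight": 700, "locked_balance": 700},
    {"type": "vote", "voter": "0xBAD", "weight": 50_000_000, "locked_balance": 100},
    {"type": "schedule", "action": "mint", "amount": 1_000_000_000, "block": 120},
]


def run_sample(total_supply: int = 1_000_000) -> Timelock:
    tl = Timelock(total_supply)
    for ev in SAMPLE_EVENTS:
        if ev["type"] == "schedule":
            tl.schedule(ev["action"], ev["amount"], ev["block"])
        tl.observe(ev)
    return tl


if __name__ == "__main__":
    tl = run_sample()
    for a in tl.alerts:
        print("ALERT:", a)
    print("paused:", tl.paused, "executed:", tl.execute(0, now=10_000_000))
```

The point of combining the two is that detection alone only produces an alert while the delay is ticking; because `execute` checks `paused`, a hit on either rule stops the queued mint from ever running until someone clears the pause, which is the "circuit breaker" behaviour the lesson above calls for.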

User Action Required

Curio users who held CGT tokens or provided liquidity to the protocol should monitor official Curio communication channels for updates on the CGT 2.0 token distribution and the liquidity provider compensation schedule. Users should be wary of phishing attempts posing as official compensation claims and should only interact with verified Curio domains. The broader DeFi community should use this incident as a reminder to evaluate the governance security of any protocol before committing significant capital.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any cryptocurrency protocol.


9 thoughts on “Curio DAO Suffers $16 Million Governance Exploit Through Voting Power Manipulation”

  1. voting power inflation from a MakerDAO fork and $16M gone because nobody audited the permission logic. this is why I don't touch governance tokens from small teams

    1. maker forks are notoriously tricky to modify safely. curio probably changed the access control without realizing the knock-on effects on voting weight

      1. Maker forks require deep understanding of the voting weight mechanics before modifying anything. Curio clearly didn't have that expertise in house

  2. MakerDAO fork with unaudited voting power logic. if you fork a $10B protocol you should probably audit the governance layer too

    1. after Beanstalk flash loan governance attack you'd think people would audit voting logic. same exploit vector different protocol 2 years later

  3. Cyvers caught it in real time but the funds were already moving. detection without prevention is just watching your house burn down with a thermometer

    1. circuit_missing

      Sergio Cyvers flagged it while it was happening. Curio team had time to respond but no circuit breaker to trigger. detection without action is pointless

    2. detection without prevention is watching with a thermometer lmao perfect description. need circuit breakers not just alerts

  4. Governance tokens from small teams carry this exact risk. The audit budget for a $16M protocol was probably a fraction of what Maker spends quarterly.
