
CurioDAO Governance Exploit Exposes Access Control Flaws in MakerDAO Fork With 1 Billion Token Mint

The decentralized finance protocol CurioDAO suffered a critical security breach on March 23, 2024, when an attacker exploited an access control flaw in the voting power privilege logic of a MakerDAO-based smart contract. The exploit enabled the unauthorized minting of 1 billion Curio Governance (CGT) tokens, exposing fundamental weaknesses in the permissioned access logic that governs decentralized autonomous organizations.

The attack targeted the Ethereum side of the Curio ecosystem, a multichain platform focused on real-world asset tokenization. With Bitcoin trading at approximately $64,062 and Ethereum at $3,336 at the time, the incident underscored how even established DeFi protocols remain vulnerable to sophisticated governance attacks.

The Exploit Mechanics

According to blockchain security firm Cyvers Alerts, the attack unfolded in a series of carefully orchestrated steps. The attacker first created a malicious smart contract designed to interact with CurioDAO’s governance infrastructure. They then acquired a small number of CGT tokens, which granted initial access to the project’s smart contract system.

The critical vulnerability lay in the access control mechanism that assigns voting power privileges. By exploiting this flaw, the attacker was able to artificially inflate their voting power within the Curio DAO beyond what their actual token holdings warranted. This elevated governance status then enabled the attacker to execute the unauthorized minting of 1 billion additional CGT tokens.

Merkle Science’s flow of funds analysis revealed the granular financial impact. On Ethereum, the attacker extracted approximately 2.96 ETH worth $10,607, 34,925 DAI worth $34,960, 104,879 SKL tokens worth $12,514, and 23 WETH worth $82,416. On the Binance Smart Chain, the attacker seized 64.23 BNB worth $37,246. The total immediate losses reached approximately $177,744 across both chains.

Affected Systems

The exploit specifically targeted the MakerDAO-based smart contracts deployed on the Ethereum side of the Curio ecosystem. CurioDAO operates as a multichain platform that provides infrastructure services for real-world asset tokenization, offering liquidity mechanisms through stablecoins, a launchpad, and automated market makers.

The Curio team quickly clarified that only the Ethereum-side contracts were affected. The Polkadot-side contracts and Curio Chain contracts remained secure, a distinction that highlighted both the resilience of multichain architectures and the risks of cross-chain dependencies. The governance token CGT serves as the primary decision-making instrument for the Curio Creator Protocol, making any compromise of its minting authority a systemic threat to the entire ecosystem.

The Mitigation Strategy

Following the discovery, the Curio team issued an immediate community alert confirming the exploit and identifying the affected scope. The developers emphasized that the multichain infrastructure limited the blast radius of the attack, preventing contagion across all deployed chains.

Security analysts from Cyvers Alerts and Merkle Science conducted rapid on-chain forensics. Their analysis traced the attacker’s wallet address on Etherscan, where the 1 billion newly minted CGT tokens remained idle at the time of reporting. The tokens were theoretically valued at $39.7 million, though the actual liquidity to realize this value was severely limited by the relatively thin order books for CGT.

The broader context amplified concerns. According to Immunefi research, the first quarter of 2024 saw over $200 million stolen across 32 incidents in the crypto sector, a 15% increase from the same period in 2023. February alone recorded $67 million in losses, with all 12 notable incidents targeting the DeFi sector.

Lessons Learned

The CurioDAO exploit reinforces several critical security principles for DeFi protocols. First, access control logic in governance smart contracts demands the same rigorous auditing as financial logic. The voting power manipulation vector is not new, yet it continues to succeed against protocols that treat governance as a secondary concern.

Second, MakerDAO forks inherit not only the strengths but also the potential vulnerabilities of the original codebase. Teams deploying forked contracts must conduct independent security audits rather than relying on the assumption that battle-tested upstream code guarantees safety in a new deployment context.

Third, the principle of least privilege must be enforced at the smart contract level. Governance mechanisms that allow token holders to accumulate disproportionate voting power without corresponding economic commitments create systemic risks that attackers can exploit for minimal investment.
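The two patterns below illustrate the mechanism described under The Exploit Mechanics and the three lessons above. This is an added example, not CurioDAO's or MakerDAO's code, and it does not claim to reproduce the actual flaw: the weak contract lets voting power grow without tokens being held and lets current power authorize an uncapped mint, while the hardened contract reads power from a checkpointed-balance token (assumed to exist, in the shape of OpenZeppelin's IVotes), measures quorum against snapshot supply, caps each mint, and delays execution behind a timelock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Checkpointed-votes interface in the shape of OpenZeppelin's IVotes (token assumed to exist).
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}
interface IMintable { function mint(address to, uint256 amount) external; }
// Weak pattern: voting power is a bare counter that can grow without tokens being
// held, and mint trusts the caller's current power with no cap and no delay.
contract WeakGovMint {
    mapping(address => uint256) public votingPower; IMintable public token; uint256 public supply;
    constructor(IMintable t) { token = t; }
    function boost(address who, uint256 amount) external { votingPower[who] += amount; } // no balance check
    function mint(address to, uint256 amount) external {
        require(votingPower[msg.sender] > supply / 2, "no majority");
        supply += amount; token.mint(to, amount);
    }
}
// Hardened pattern: power is the balance checkpointed at the proposal's snapshot block,
// quorum is measured against snapshot supply, the amount is capped, execution is delayed.
contract HardenedGovMint {
    IVotes public immutable votes; IMintable public immutable token;
    uint256 public constant QUORUM_BPS = 2000; // 20% of snapshot supply must vote for
    uint256 public constant CAP_BPS = 500;     // a single proposal mints at most 5% of supply
    uint256 public constant DELAY = 2 days;    // holders can react before the mint lands
    struct Proposal { address to; uint256 amount; uint256 snapshot; uint256 forVotes; uint256 eta; bool done; }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;
    constructor(IVotes v, IMintable t) { votes = v; token = t; }
    function propose(address to, uint256 amount) external returns (uint256 id) {
        uint256 snap = block.number - 1; // balances frozen before anyone sees the proposal
        require(amount <= votes.getPastTotalSupply(snap) * CAP_BPS / 10000, "exceeds mint cap");
        proposals.push(Proposal(to, amount, snap, 0, 0, false));
        return proposals.length - 1;
    }
    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!voted[id][msg.sender], "already voted"); voted[id][msg.sender] = true;
        p.forVotes += votes.getPastVotes(msg.sender, p.snapshot); // tokens bought after the snapshot do not count
        if (p.eta == 0 && p.forVotes * 10000 >= votes.getPastTotalSupply(p.snapshot) * QUORUM_BPS)
            p.eta = block.timestamp + DELAY; // passed: start the timelock
    }
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta && !p.done, "not executable");
        p.done = true; token.mint(p.to, p.amount); // the token's mint must be restricted to this governor address
    }
}
```

The hardened contract only works if the token's own mint function is restricted to the governor address, so the minting authority is a single audited path rather than any account that can raise its own power.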

User Action Required

Users who interacted with CurioDAO contracts on Ethereum should monitor the official Curio communication channels for the announced compensation plan. Those holding CGT tokens should exercise extreme caution, as the unauthorized minting has fundamentally altered the token’s supply dynamics. All DeFi participants should review their exposure to protocols that utilize MakerDAO-based governance frameworks and verify whether similar access control vulnerabilities might exist in those deployments.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.


7 thoughts on “CurioDAO Governance Exploit Exposes Access Control Flaws in MakerDAO Fork With 1 Billion Token Mint”

  1. a MakerDAO fork with voting power inflation vulnerability. how many other DAOs are running the same code right now and don't even know it

    1. maker governance code is battle tested for DAI. every fork assumes the same assumptions apply to their token but voting power dynamics are totally different

    2. solidity_ninja

      this is the real question. forking popular governance frameworks without auditing them is standard practice in DeFi

  2. voting power inflation through a privilege escalation bug. buy small position, get access, exploit governance, mint tokens. elegant and terrifying

  3. Cyvers caught it but by then the mint already happened. real-time monitoring is nice but it's damage control, not prevention

  4. CGT at $40M theoretical value on 1B tokens and the protocol only lost $16M. attacker clearly didn't have the liquidity to exit, small mercies

    1. attacker minted 1B CGT worth 40M on paper but only extracted 16M. uniswap depth was the real defense here, not any protocol safeguard
