CurioDAO Q1 2024 Exploit Recovery Strategy

CurioDAO Ecosystem
8 min readMar 25, 2024

--

On March 23, 2024, CurioDAO Association announced its voting protocol experienced an exploit involving a smart contract based on MakerDAO’s fork.

The exploit appears to stem from a permission access logic vulnerability. The attacker leveraged this vulnerability to mint an additional ~1B $CGT.

The exploit was conducted by an party, with the associated hacker address identified as 0xdaAa6294C47b5743BDafe0613d1926eE27ae8cf5.

Despite the incident within the CurioDAO, that the impact was confined to the Ethereum Virtual Machine (EVM) side of Curio’s technology stack. Notably, Curio Chain, which is built on Polkadot’s framework, remained unaffected by the exploit. Additionally, the Real-World Asset (RWA) mechanism, a cornerstone of CurioInvest’s platform, remained resilient and secure throughout the incident.

Root Cause Analysis:

As per Ancilla, the primary vulnerability exploited in the Curio DAO was a flaw in the voting power privilege access control. The attacker leveraged this vulnerability by acquiring a small number of CGT tokens, thereby gaining access to elevate their voting power within the project’s contract. This elevated voting power allowed the attacker to execute the ‘plot’ function, approving a malicious contract which acted as an ‘exec’ library. Through a delegatecall to this malicious library, the attacker was able to execute arbitrary actions within the Curio DAO contract, ultimately resulting in the unauthorized minting of ~1 Billion $CGT tokens.

Key Points:

  • Flaw in voting power privilege access control exploited by attacker.
  • Small number of CGT tokens used to elevate voting power.
  • Malicious contract approved via ‘plot’ function, acting as ‘exec’ library.
  • Delegatecall to malicious library enabled arbitrary actions, including token minting.

The malicious action of the exploit has affected CGT and liquidity pools (Capital DEX, Uniswap, PancakeSwap) on the following EVM networks supported by Curio DAO:

  • Ethereum: ~$113k losses
  • - Binance Smart Chain: ~$38k losses
  • - SKALE chain: ~$28k losses
  • - Boba network: ~$1k losses
  • Curio Chain with Curio Chain CGT and liquidity pool are secure and have not been subjected to the actions of the exploit.

Compensation Plan:

All funds obtained through the exploitation will be restored in 2 stages.

  1. The Curio team will release a new token CGT 2.0 instead of the current CGT token that is susceptible to exploit attacks. 100% of funds in CGT tokens will be restored for CGT holders, including liquidity providers, as well as users of centralized exchanges. CGT will be restored on Ethereum and other networks supported by the CurioDAO ecosystem: Binance Smart Chain, SKALE chain, and Boba network. The CGT relaunch process is planned to be carried out within 2 weeks starting from now.

2. Next, for liquidity providers, a funds compensation program related to the second token in the liquidity pools will be launched. The compensation program will consist of 4 consecutive stages, each lasting for 90 days. During each stage: compensation will be paid in USDC/USDT, amounting to 25% of the losses incurred by the second token in the liquidity pools. The compensation program will be conducted for all liquidity pools on all networks supported by the CurioDAO ecosystem (Binance Smart Chain, SKALE chain, Boba network) that have been affected by the exploit. In this way, it is planned to pay all compensations within one year.

Also, an airdrop of CGT 2.0 tokens will be conducted amounting to 10% of the CurioDAO Treasury as a bonus for all customers.

Recovery Plan:

As per the recovery plan outlined on March 24, 2024, the following steps will be taken:

Timeline: 2 Weeks

Immediate Actions:

Emergency Halting: Immediately halt all operations within the Curio DAO to prevent further exploitation or damage.

Communication: Transparently communicate the incident and ongoing recovery efforts to all stakeholders, including token holders, investors, and partners.

Forensic Analysis: Conduct a comprehensive forensic analysis to identify the extent of the exploit, trace the flow of unauthorized tokens, and assess the overall impact on the Curio ecosystem.

Short-Term Actions:

Patch Deployment: Develop and deploy a patch to address the identified vulnerability in the voting power privilege access control. This patch will undergo rigorous testing to ensure its effectiveness in mitigating similar exploits in the future.

CGT 2.0 Launch: Perform the launch of a new CGT 2.0 token and distribute CGT 2.0 based on the snapshot before the exploit implementation, thereby restoring the integrity of the Curio token economy and mitigating any potential market impacts.

Smart Contract Upgrade: Implement upgrades to the Curio DAO smart contract to enhance security measures and prevent similar exploits from occurring in the future. This includes implementing stricter access controls, code auditing, and additional layers of security validation.

Long-Term Actions:

Security Audits: Engage additional reputable third-party security firms to conduct regular security audits and penetration testing on the Curio DAO smart contracts and infrastructure. These audits will help identify and remediate any potential vulnerabilities proactively.

Community Engagement: Foster a culture of transparency, accountability, and community involvement within the Curio ecosystem. Regular updates, governance discussions, and community feedback mechanisms will be established to ensure ongoing collaboration and alignment of interests.

Education and Training: Provide education and training programs for developers, stakeholders, and community members to raise awareness about best practices in smart contract security, risk management, and incident response protocols.

The exploitation incident within the Curio DAO represents a critical challenge to the integrity and trustworthiness of the platform. However, through a swift and comprehensive recovery plan, including immediate actions to halt the exploit, short-term measures to address the vulnerability, and long-term initiatives to enhance security and governance practices, Curio aims to emerge stronger and more resilient than before.

Resilience of Curio Chain:

The Curio Chain, leveraging the robust infrastructure provided by Polkadot, demonstrated its resilience against the exploit that targeted the Ethereum network.

  • Built on a decentralized and interoperable framework, Curio Chain’s architecture minimizes the risk of single points of failure and enhances the overall security posture of the platform.
  • The exploit’s confinement to the EVM side underscores the importance of diversifying technological dependencies and adopting a multi-chain approach to mitigate risks associated with specific blockchain ecosystems.

Security of RWA Mechanism:

  • The Real-World Asset (RWA) mechanism, a fundamental component of Curio’s platform, remained secure and unaffected by the exploit.
  • Designed to tokenize real-world assets and facilitate their seamless integration into decentralized finance (DeFi) ecosystems, the RWA mechanism operates independently of the vulnerabilities exploited within the Curio DAO’s smart contracts.
  • The incident highlights the robustness of Curio’s own team’s development efforts in ensuring the security and integrity of the RWA mechanism, which continues to provide value and stability to the Curio ecosystem.

Benefits of Own Team’s Development:

  • Curio’s commitment to in-house development and continuous improvement of its technology stack has proven instrumental in mitigating the impact of the exploit and safeguarding the integrity of its platform.
  • By relying on internal expertise and leveraging best practices in smart contract development and security auditing, Curio has cultivated a resilient and secure ecosystem capable of withstanding external threats.
  • The incident underscores the importance of proactive risk management, rigorous testing, and ongoing collaboration within the development team to identify and address potential vulnerabilities before they can be exploited.
  • The limited impact on Curio Chain and the resilience of the RWA mechanism highlight the effectiveness of Curio’s approach to technology development and risk management. By leveraging the strengths of its own team’s expertise and adopting a diversified technological strategy, Curio remains well-positioned to navigate challenges and continue delivering value to its users and stakeholders.

Reward for White Hat Hacker:

In recognition of the invaluable contribution made by white hat hackers towards the identification and mitigation of security vulnerabilities within the Curio DAO, the following reward mechanism will be implemented:

Reward Structure:

  • First Week: White hat hacker who proactively report security vulnerabilities to the Curio team within the first week following the exploitation incident will be eligible to receive a reward equivalent to 10% of the proceeds recovered during the initial recovery phase.
  • First Month (Until May 25): For reports submitted within the first month following the incident, white hat hackers will be entitled to a reward equivalent to 5% of the proceeds recovered during the extended recovery period.

Verification Process:

  • White hat hackers must provide detailed information regarding the identified vulnerabilities, including proof-of-concept code, vulnerability assessment reports, and any additional evidence necessary to validate the severity and impact of the reported issues.
  • The Curio security team will conduct thorough assessments of the reported vulnerabilities to verify their authenticity and severity.
  • Rewards will be distributed based on the severity and impact of the reported vulnerabilities, as determined by the Curio security team.

Legal Action Alternatives:

In the event that the exploitation incident leads to significant financial losses or damages, Curio reserves the right to pursue legal action against malicious actors responsible for the exploit. Legal action may include but is not limited to:

  • Civil litigation to recover damages incurred as a result of the exploit.
  • Collaboration with law enforcement agencies to investigate and prosecute malicious actors involved in the exploitation incident.
  • Pursuing regulatory or compliance measures to enforce accountability and deter future malicious activities within the Curio ecosystem.

Transparency and Accountability:

Curio is committed to transparency and accountability throughout the reward distribution process. Regular updates will be provided to the community regarding the status of the reward program, including the total proceeds recovered, the number of vulnerabilities reported, and the corresponding rewards distributed to white hat hackers.

By incentivizing responsible disclosure and collaboration with white hat hackers, Curio aims to strengthen its security posture, mitigate future risks, and foster a culture of trust and transparency within the Curio ecosystem.

Disclaimer

This document is provided by CurioDAO Association, collectively referred to as “Curio Ecosystem”. The content herein is formulated by marketing personnel and does not stem from our Research Department. It is not meant to advise or inform investment strategies. The views expressed may not align with those of other divisions, including our Research Department. It is the responsibility of the recipient to make independent investment decisions. This document should not be seen as a substitute for personal judgment. Before engaging in any transaction, you should seek advice from legal, regulatory, tax, financial, and accounting advisors as necessary.

The information in this document is based on sources we believe to be reliable. However, we do not claim it to be accurate, complete, or a comprehensive summary of the Instruments or markets mentioned. The information is current as of the date of this document and is subject to change without notice. We are not obligated to update this material. Any prices or quotes are indicative and not meant for valuation purposes. Past performance does not guarantee future results.

To the extent permitted by law, Curio is not liable for any loss arising from the use of this information. Redistribution or reproduction of this material is strictly prohibited without our consent. We are not liable for actions of third parties in this respect.

The scenario analyses in this material are based on internal methodologies. They are illustrative, hypothetical, and subject to change. They do not predict actual results, which may significantly differ. The methodologies used are not the only possible approaches, and we make no warranties as to their accuracy or fitness for any particular purpose.

This document is a work in progress and may be revised. Changes are made to enhance the narrative quality and coherence. We appreciate your understanding as we refine our content.

This content is informational and not a substitute for professional advice in legal, business, investment, or tax matters. Consult your own advisers regarding these issues. References to digital assets are illustrative and are not investment recommendations or offers to provide investment advisory services. This content is not intended for investors or prospective investors and should not be relied upon for investment decisions.

--

--

CurioDAO Ecosystem

CurioDAO accelerates real asset tokenization through community-powered tools, fostering research and development with CGT tokens for governance.