Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 184 · Governance Attack

Curio Voting-Power Mint

Attacker bought a nominal CGT stake, exploited a MakerDAO-fork flaw to amplify voting power, then minted 1B CGT (~$16M) on Curio Governance.

Date: March 23, 2024
Victim: Curio
Chain(s):
Status:
Funds Stolen: ~$16M (1B CGT minted)

On March 23, 2024, the tokenised-RWA protocol CurioDAO was exploited for approximately $16 million — minted as 1 billion CGT (Curio Governance Token) tokens to the attacker. The vulnerability was in a MakerDAO-fork smart contract responsible for voting-power management: the attacker bought a small CGT position, used a bug to amplify their voting power dramatically, then used the inflated voting power to push through arbitrary contract actions, including the malicious mint.

What happened

CurioDAO's governance was built on a MakerDAO-derived smart contract for managing voting power and proposal execution. The fork had inherited a vulnerability in how delegated voting power was calculated: under specific call sequences, a small CGT holder could exploit the calculation to claim voting power far greater than their actual CGT balance.

The attack:

  1. The attacker acquired a nominal quantity of CGT through normal market purchases.
  2. They exploited the voting-power calculation to register amplified voting power, effectively a majority position in CurioDAO governance.
  3. With that majority, they executed arbitrary actions on the CurioDAO contract, including a proposal to mint 1 billion CGT tokens directly to their own address.
  4. The mint executed; the attacker held 1B CGT worth nominally ~$16M at pre-attack market prices.
  5. They dumped the CGT through DEX liquidity, extracting real value before the market priced in the dilution.

Aftermath

  • CurioDAO paused affected contracts and announced a recovery strategy.
  • The team launched CGT 2.0 — a new token issued to legitimate pre-attack CGT holders, effectively voiding the attacker's minted supply.
  • A white-hat bounty program was announced offering 10% of recovered funds to anyone helping trace the attacker.
  • Stolen funds were laundered through standard channels.

Why it matters

The Curio exploit is one of several incidents that highlight the inheritance problem of forking battle-tested governance systems. MakerDAO's governance contracts have been deployed and tested at the largest scale of any DAO, and their behaviour in that deployment is well understood. Forks that modify the surrounding token-distribution and voting-weight logic without re-auditing inherit whatever composite vulnerabilities the modifications introduce.

The pattern repeats:

  • Audius (Jul 2022) — re-invokable initializer let attacker self-delegate 10 trillion AUDIO.
  • Beanstalk (Apr 2022) — flash-loan-acquired governance majority.
  • Curio (Mar 2024) — bug in voting-power calculation amplified small balance to majority.

The defensive answers — time-weighted voting power, token-lockup before voting eligibility, timelocks between proposal pass and execution, emergency multi-sig veto — exist in the modern DAO governance toolkit and are increasingly standard. Forks that ship without them remain exploit candidates.
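The four controls named above, as an added Python model written for this dossier (it is not code from Curio, MakerDAO or any source cited here). Voting power is read from balance checkpoints at a snapshot block, counted only for tokens held through a lockup window before that snapshot, a passed proposal waits out a timelock before execution, and an emergency multi-sig can veto it while it waits. The class names, holder names (treasury, alice, market, attacker), block parameters and quorum rule are all constructed for illustration. The scenario also covers the flash-loan pattern in the incident list above: tokens acquired inside the lockup window earn zero power at the snapshot.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed parameters for this model (not Curio's or MakerDAO's values).
VOTING_DELAY = 10      # blocks from proposal creation to the voting-power snapshot
LOCKUP_BLOCKS = 100    # tokens must have been held this long before the snapshot
VOTING_PERIOD = 100    # blocks after the snapshot during which votes are accepted
TIMELOCK_BLOCKS = 50   # blocks a passed proposal must wait before execution

State = Enum("State", "ACTIVE PASSED DEFEATED EXECUTED VETOED")


class CheckpointToken:
    """Balances kept as (block, balance) checkpoints appended in block order,
    so voting power is read at a past block rather than the current one."""

    def __init__(self, initial, at_block=0):
        self.total = sum(initial.values())
        self.history = {h: [(at_block, b)] for h, b in initial.items()}

    def balance_at(self, holder, block):
        bal = 0
        for blk, b in self.history.get(holder, []):
            if blk > block:
                break
            bal = b
        return bal

    def transfer(self, sender, receiver, amount, block):
        if self.balance_at(sender, block) < amount:
            raise ValueError("insufficient balance")
        self.history[sender].append((block, self.balance_at(sender, block) - amount))
        self.history.setdefault(receiver, []).append((block, self.balance_at(receiver, block) + amount))

    def locked_power(self, holder, snapshot):
        """Time-weighted power: the smallest balance held at any point in the
        LOCKUP_BLOCKS window ending at the snapshot, so tokens bought or
        flash-loaned inside the window contribute nothing."""
        start = snapshot - LOCKUP_BLOCKS
        power = self.balance_at(holder, start)
        for blk, b in self.history.get(holder, []):
            if start < blk <= snapshot:
                power = min(power, b)
        return power


@dataclass
class Proposal:
    action: str
    snapshot: int
    for_votes: int = 0
    state: State = State.ACTIVE
    eta: int = 0
    voters: set = field(default_factory=set)


class Governor:
    def __init__(self, token, guardian):
        self.token, self.guardian = token, guardian  # guardian = emergency multi-sig
        self.proposals, self.executed = [], []

    def propose(self, action, block):
        self.proposals.append(Proposal(action, snapshot=block + VOTING_DELAY))
        return len(self.proposals) - 1

    def vote(self, pid, voter, block):
        p = self.proposals[pid]
        if p.state is not State.ACTIVE or not (p.snapshot <= block <= p.snapshot + VOTING_PERIOD):
            raise ValueError("voting is not open")
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        power = self.token.locked_power(voter, p.snapshot)  # read at the snapshot, never "now"
        p.for_votes += power
        return power

    def queue(self, pid, block):
        """Close the vote; passing requires more than half of total supply (simplified quorum)."""
        p = self.proposals[pid]
        if p.state is not State.ACTIVE or block <= p.snapshot + VOTING_PERIOD:
            raise ValueError("voting has not closed")
        if p.for_votes * 2 <= self.token.total:
            p.state = State.DEFEATED
            return False
        p.state, p.eta = State.PASSED, block + TIMELOCK_BLOCKS
        return True

    def veto(self, pid, caller):
        if caller != self.guardian:
            raise PermissionError("only the guardian may veto")
        if self.proposals[pid].state is State.PASSED:
            self.proposals[pid].state = State.VETOED

    def execute(self, pid, block):
        p = self.proposals[pid]
        if p.state is not State.PASSED:
            raise ValueError("proposal is not executable")
        if block < p.eta:
            raise ValueError("timelock has not elapsed")
        p.state = State.EXECUTED
        self.executed.append(p.action)
        return p.action


def run_scenario():
    """Constructed walk-through: a just-bought stake fails to pass a mint, a legitimate
    proposal passes through the timelock, and a passed proposal is vetoed."""
    token = CheckpointToken({"treasury": 400, "alice": 200, "market": 300})
    gov, out = Governor(token, guardian="emergency_multisig"), {}

    token.transfer("market", "attacker", 300, block=1000)           # buys 300 of 900 CGT
    pid = gov.propose("mint 1e9 CGT to attacker", block=1001)       # snapshot = 1011
    out["attacker_power"] = gov.vote(pid, "attacker", block=1011)   # held < LOCKUP_BLOCKS
    out["attack_passed"] = gov.queue(pid, block=1112)

    pid = gov.propose("update fee parameter", block=2000)           # snapshot = 2010
    out["attacker_power_later"] = gov.vote(pid, "attacker", block=2010)  # now counts, minority
    gov.vote(pid, "treasury", block=2010)
    out["fee_passed"] = gov.queue(pid, block=2111)                  # eta = 2161
    try:
        gov.execute(pid, block=2120)
    except ValueError as e:
        out["early_execute_error"] = str(e)
    gov.execute(pid, block=2161)

    pid = gov.propose("redirect treasury", block=3000)
    gov.vote(pid, "treasury", block=3010)
    gov.vote(pid, "alice", block=3010)
    gov.queue(pid, block=3111)
    gov.veto(pid, caller="emergency_multisig")
    try:
        gov.execute(pid, block=3200)
    except ValueError as e:
        out["vetoed_execute_error"] = str(e)

    out["executed_actions"] = list(gov.executed)
    return out
```

Calling `run_scenario()` shows the attacker's vote counting for zero at the first snapshot, the fee proposal executing only once its timelock has elapsed, and the vetoed proposal never executing. The checkpoint read is the same idea OpenZeppelin's ERC20Votes uses for past-block voting power; the minimum-over-window rule and the plain majority-of-supply threshold are simplifications chosen for this model, and a production governor would layer a separate quorum and vote threshold on top.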

The CGT 2.0 reissuance as a recovery mechanism is also notable: this approach works only for small-cap tokens with a controllable token distribution. It is essentially the "we are voting to undo this on-chain" answer to immutability, and it works only when the protocol's holders and counterparties agree to recognise the new token.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-curio-hack-march-2024
  2. cryptonews.com: https://cryptonews.com/news/curio-hit-by-16-million-exploit-due-to-voting-power-vulnerability/
  3. cryptotimes.io: https://www.cryptotimes.io/2024/03/26/curio-strikes-back-with-cgt-2-0-following-16-million-exploit/
