Curio (CurioDAO): Voting power privilege escalation via MakerDAO fork governance bug → mass CGT token minting
Summary
Curio (CurioDAO) suffered an exploit in the Real-World Asset (RWA) tokenization / DAO governance category on 2024-03-23, resulting in a loss of approximately $16M.
What happened
Curio lost $16M when an attacker acquired a handful of CGT governance tokens and exploited a voting power flaw in its MakerDAO fork to gain full governance control, mint unlimited tokens, and drain the protocol.
Linked factors
- RD-F-007 — causal: Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
- RD-F-126 — causal: Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: YES — MakerDAO governance fork (IDSChief, IDSPause)]
- RD-F-132 — causal: Fork has different economic parameters than upstream (audit gap) [via cross-hack: Factor 17: Governance Fork Without Independent Parameter Audit]