
Curio

Hacked

DeFi · born 2021 · ✝ 2024

Inflated voting power let an attacker mint and drain ~$16M.

Curio was a real-world-asset DeFi protocol built on MakerDAO infrastructure. In 2024 an attacker exploited a flaw in its voting-power logic to gain governance control and mint tokens, draining roughly $16M.

Peak: ~$16M stolen
Cause: Hacked
Year of death: 2024

☠️ Cause of death

A bug in the governance contract let the attacker inflate their voting power, seize control, and mint tokens to drain liquidity.

📓 Lessons left behind

  • Governance contracts need timelocks and guardrails.
  • Voting power must be hard to acquire instantly.
  • On-chain governance is itself an attack surface.

🌱 The idea that survived

Hardened governance

Pushed for timelocks and flash-resistant voting power to prevent instant governance capture.
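The two guardrails named in the lessons and above, snapshot-based voting power and a timelock before execution, as an added Python model. It is not Curio's or MakerDAO's code and does not reproduce the actual bug; the class, method names and sample values are hypothetical.

```python
import bisect

class Governance:
    """Toy model: votes count balances at a past snapshot; execution waits on a timelock."""
    def __init__(self, quorum, snapshot_lag, timelock):
        self.block = 0
        self.quorum, self.snapshot_lag, self.timelock = quorum, snapshot_lag, timelock
        self.checkpoints, self.proposals = {}, []  # holder -> [(block, balance)] in block order

    def set_balance(self, holder, amount):
        self.checkpoints.setdefault(holder, []).append((self.block, amount))

    def power_at(self, holder, block):  # last balance recorded at or before `block`, else 0
        cps = self.checkpoints.get(holder, [])
        i = bisect.bisect_right(cps, (block, float("inf")))
        return cps[i - 1][1] if i else 0

    def propose(self):
        # With snapshot_lag >= 1 the snapshot precedes the proposal block.
        self.proposals.append({"snapshot": self.block - self.snapshot_lag,
                               "votes": 0, "voters": set(), "eta": None})
        return len(self.proposals) - 1

    def vote(self, pid, holder):
        p = self.proposals[pid]
        if holder in p["voters"]:
            raise ValueError("already voted")
        p["voters"].add(holder)
        p["votes"] += self.power_at(holder, p["snapshot"])  # never the current balance

    def queue(self, pid):
        p = self.proposals[pid]
        if p["votes"] < self.quorum:
            raise PermissionError("quorum not met")
        p["eta"] = self.block + self.timelock  # earliest block at which execute() succeeds

    def execute(self, pid):
        p = self.proposals[pid]
        if p["eta"] is None or self.block < p["eta"]:
            raise PermissionError("timelock not elapsed")
        return "executed"

def scenario():  # constructed sample values
    gov = Governance(quorum=500, snapshot_lag=1, timelock=100)
    gov.set_balance("long_term_holder", 600)   # held since block 0
    gov.block = 10
    gov.set_balance("new_whale", 1_000_000)    # acquired in the proposal block
    pid = gov.propose()
    gov.vote(pid, "new_whale")
    return gov, pid
```

In `scenario()` the newly acquired balance contributes zero votes because it postdates the snapshot, and even a proposal that reaches quorum cannot execute until the timelock has elapsed, which leaves a window to review or cancel it.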

#defi #governance #voting-power #rwa