Tapioca DAO Hacked for $4.7M in Social Engineering Attack, Offers $1M Bounty for Recovery
On October 18, decentralized finance protocol Tapioca DAO revealed it had suffered a social engineering attack resulting in the theft of $4.7 million.
The attack compromised the ownership of the vesting contract for its Tapioca DAO Token (TAP) and USDO stablecoin. The hacker managed to drain liquidity pools and claim vested TAP tokens.
Tapioca DAO Targeted in $4.7M Social Engineering Attack
Tapioca disclosed that the attacker stole 591 Ether and $2.8 million worth of USD Coin (USDC). The attacker’s sophisticated strategy included withdrawing nearly 30 million TAP tokens from the vesting contract.
Tapioca DAO has suffered a social engineering attack. This enabled the attacker to compromise the TAP token vesting contract’s ownership which allowed the attacker to claim and sell this 30M vested TAP, which impacted the TAP/ETH DAO owned LP. The attacker then also compromised the…
— Tapioca Foundation (@tapioca_dao) October 18, 2024
These tokens were swapped for about $1.5 million worth of Ether, converted to Tether (USDT), and moved to the BNB Chain, where they remain.
Following the attack, co-founder Matt Marino disclosed more details in a Discord post. Marino explained that a fellow co-founder, pseudonymously known as “Rektora,” was the victim of phishing.
“Rektora downloaded something during an interview process,” Marino explained, adding that malicious software replaced a transaction and gave the attackers access to the contracts.
However, the team behind Tapioca was able to make some headway in recovering part of the funds.
Marino stated the protocol had “hacked the hacker” and managed to recover 1,000 ETH (worth around $2.7 million) used as collateral backing the USDO stablecoin for a liquidity pool.
In a move to recover the remaining stolen assets, Tapioca has made an unusual offer to the attacker: a $1 million bounty in USDT if the hacker returns the remaining $3.7 million.
Tapioca wrote in an on-chain message to the hacker’s wallet, “We would like to offer you an attractive bounty settlement where you would walk away with funds that are fully legally yours, no strings attached.”
Past Hacks and Broader Context
This incident is the latest in a series of hacks targeting DeFi protocols, with several projects facing social engineering attacks in recent years.
Recently, Radiant Capital suffered a hack where developers’ devices were compromised, leading to over $50 million in losses.
Radiant Capital lending market was hacked and users lost over $50 mil after their wallets were drained.
Only connect to reputable protocols and revoke access once you're done. Otherwise you're at risk.
Hacker got control over 3 out of 11 multisig wallets. Why 3 was enough?
— Duo Nine ⚡ YCC (@DU09BTC) October 17, 2024
In May 2022, the Ronin Network, associated with the play-to-earn game Axie Infinity, suffered a $625 million loss at the hands of hackers.
The recurring nature of these attacks suggests that protocols must take more aggressive steps to protect their platforms. Immunefi has already raised the alarm on scams, which resulted in the loss of over $572 million in crypto assets in the second quarter (Q2) of 2024.
For now, it remains to be seen whether the $1 million bounty will be enough to persuade the attacker to return the remaining funds.