Tapioca DAO Hacked for $4.7M in Social Engineering Attack, Offers $1M Bounty for Recovery


On October 18, 2024, decentralized finance protocol Tapioca DAO disclosed that it had suffered a social engineering attack resulting in the theft of about $4.7 million.

The attacker took over ownership of the vesting contract for the Tapioca DAO Token (TAP) and of the USDO stablecoin, then used that control to drain liquidity pools and claim vested TAP tokens.

Tapioca DAO Targeted in $4.7M Social Engineering Attack

Tapioca disclosed that the attacker stole 591 Ether and $2.8 million worth of USD Coin (USDC). With ownership of the vesting contract in hand, the attacker also withdrew nearly 30 million TAP tokens from it.

Those TAP tokens were swapped for about $1.5 million worth of Ether, converted to Tether (USDT), and bridged to the BNB Chain, where they remain at the time of writing.

Following the attack, co-founder Matt Marino gave more details in a Discord post. Marino explained that a fellow co-founder, known pseudonymously as "Rektora," had been the victim of phishing.

“Rektora downloaded something during an interview process,” Marino explained, adding that malicious software replaced a transaction and gave the attackers access to the contracts.
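Marino's account implies the compromised machine substituted a different transaction for the one Rektora meant to sign. The check below is an added illustration, not Tapioca's code and not a description of its contracts: it decodes raw calldata before signing and refuses anything that does not match the intended call, or that invokes an ownership-changing function at all. The selectors are the standard ERC-20 and OpenZeppelin Ownable ones; the addresses, amounts and the "intended" transfer are constructed sample data, and the assumption is that the wallet's signing flow can run such a check against the calldata it is about to sign.

```python
"""Pre-signing calldata check (illustrative, not Tapioca's code).

A compromised workstation can hand the signer a different transaction
than the one displayed. Decoding the calldata independently and comparing
it with what the operator intended catches a swapped call before it is signed.
"""
from dataclasses import dataclass

# Function selectors are the first 4 bytes of keccak256(signature).
# These are the well-known ERC-20 / OpenZeppelin Ownable selectors, hard-coded
# so the script needs no keccak library. Anything not listed is refused.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership", ["address"]),
    "715018a6": ("renounceOwnership", []),
}
# Calls that hand over or destroy control of a contract.
PRIVILEGE_CHANGING = {"transferOwnership", "renounceOwnership"}


@dataclass(frozen=True)
class DecodedCall:
    name: str
    args: tuple


def decode_calldata(data: str) -> DecodedCall:
    """ABI-decode calldata for the known selectors; raise on anything else."""
    hexdata = data[2:] if data.startswith("0x") else data
    if len(hexdata) < 8:
        raise ValueError("calldata shorter than a 4-byte selector")
    sel = hexdata[:8].lower()
    if sel not in KNOWN_SELECTORS:
        raise ValueError(f"unknown selector 0x{sel}: refuse to sign blind")
    name, types = KNOWN_SELECTORS[sel]
    body = hexdata[8:]
    if len(body) != 64 * len(types):
        raise ValueError(f"{name}: expected {len(types)} 32-byte words, got {len(body) // 64}")
    args = []
    for i, typ in enumerate(types):
        word = body[64 * i:64 * (i + 1)]
        if typ == "address":
            # An address occupies the low 20 bytes; the high 12 must be zero.
            if word[:24] != "0" * 24:
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[24:].lower())
        elif typ == "uint256":
            args.append(int(word, 16))
    return DecodedCall(name, tuple(args))


def check_before_signing(data: str, intended: DecodedCall) -> list:
    """Return the reasons to refuse signing; an empty list means sign."""
    try:
        actual = decode_calldata(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if actual.name in PRIVILEGE_CHANGING:
        problems.append(f"{actual.name} changes contract control; never sign it from a routine flow")
    if actual != intended:
        problems.append(
            f"calldata encodes {actual.name}{actual.args}, "
            f"but the intended call was {intended.name}{intended.args}"
        )
    return problems


def encode_call(name: str, *args) -> str:
    """ABI-encode one of the known calls (used here only to build sample data)."""
    sel = next(s for s, (n, _) in KNOWN_SELECTORS.items() if n == name)
    words = []
    for typ, arg in zip(KNOWN_SELECTORS[sel][1], args):
        words.append(arg[2:].lower().rjust(64, "0") if typ == "address" else f"{arg:064x}")
    return "0x" + sel + "".join(words)


# Constructed sample data: a routine treasury transfer the operator expects to
# sign, and the ownership transfer a compromised machine would swap in.
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
INTENDED = DecodedCall("transfer", (TREASURY, 1000 * 10**18))
HONEST_TX = encode_call("transfer", TREASURY, 1000 * 10**18)
SWAPPED_TX = encode_call("transferOwnership", ATTACKER)

if __name__ == "__main__":
    print("honest :", check_before_signing(HONEST_TX, INTENDED) or "OK to sign")
    print("swapped:", check_before_signing(SWAPPED_TX, INTENDED))
```

The decisive part is that the comparison uses calldata decoded on a path the attacker does not control; a wallet UI running on the same compromised machine can be made to display whatever the malware wants. A hardware signer that shows the decoded function and arguments, or a two-step ownership transfer that the new owner must accept in a second transaction, applies the same idea at the device and contract level.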

However, the team behind Tapioca was able to make some headway in recovering part of the funds.

Marino stated the protocol had "hacked the hacker" and recovered 1,000 ETH (around $2.7 million) that had been deposited as collateral backing USDO in a liquidity pool.

To recover the rest, Tapioca made an unusual offer to the attacker: a $1 million bounty, paid in USDT, if the remaining $3.7 million is returned.

Tapioca wrote in an on-chain message to the hacker’s wallet, “We would like to offer you an attractive bounty settlement where you would walk away with funds that are fully legally yours, no strings attached.”

Past Hacks and Broader Context

This incident is the latest in a series of DeFi protocol hacks that began not with a smart-contract bug but with social engineering of the people who hold privileged keys.

Recently, Radiant Capital suffered a hack in which developers' devices were compromised, leading to more than $50 million in losses.

In March 2022, the Ronin Network, associated with the play-to-earn game Axie Infinity, lost about $625 million to hackers in an attack that likewise started with a fake job offer delivered to an engineer.

The recurring pattern suggests that protocols must protect the devices and signing processes of key holders, not only their contracts. Immunefi reported that hacks and scams cost the crypto industry more than $572 million in the second quarter (Q2) of 2024.

However, it remains to be seen whether the $1 million bounty will be enough to persuade the attacker to return the remaining funds.

About Jimmy Aki

Based in the UK, Jimmy is an economic researcher with extensive hands-on experience in macroeconomic finance analysis, forecasting and planning. He has honed his skills working across continents as a finance analyst, which gives him inter-cultural experience. He currently has a strong interest in regulation and macroeconomic trends, which let him peek under the global bonnet to see how the world works.