Highlights:
- Tapioca offers a $1 million bounty for the stolen $4.7 million.
- The platform described the incident as a ‘social engineering attack.’
- The firm transferred 1,000 ETH to a secure location to protect funds.
Tapioca DAO, a decentralized money market protocol on LayerZero, has proposed a $1 million bounty to the attacker who stole $4.7 million from its protocol. The platform described the incident as a ‘social engineering attack.’
The foundation communicated the offer via an on-chain message to the attacker’s crypto wallet on October 20. They suggested that the attacker could legally keep the $1 million bounty if they returned the remaining $3.7 million. The bounty is offered in Tether (USDT) and significantly exceeds the 10% typically offered in such cases.
Tapioca DAO Faces $4.5 Million Crypto Hack
Tapioca DAO experienced a security breach on October 18, resulting in its native TAP token losing over 90% of its value. The firm reported that the hacker employed social engineering tactics to trick a team member on Discord into lowering security measures.
The attacker compromised the token’s vesting contract, which let them claim and sell 30 million vested TAP tokens. TAP traded at around $1.40 at the time but is now valued at less than $0.04. The hacker also gained access to the USDO stablecoin contract.
In total, the attacker made off with approximately $4,405,600, which included $2.8 million in USDC and $1,575,606 in ETH taken from the USDO/USDC liquidity pair. The stolen funds were first swapped for ETH, then converted to USDT, and subsequently bridged from Arbitrum to the BNB Chain, where they currently remain.
Tapioca DAO has suffered a social engineering attack. This enabled the attacker to compromise the TAP token vesting contract’s ownership which allowed the attacker to claim and sell this 30M vested TAP, which impacted the TAP/ETH DAO owned LP. The attacker then also compromised the…
— Tapioca Foundation (@tapioca_dao) October 18, 2024
Tapioca DAO swiftly acted by transferring 1,000 ETH, valued at approximately $2.7 million, to a secure location — the DAO multisig. This measure aimed to safeguard funds and prevent additional losses. The firm advised users to refrain from interacting with any platform contracts until further notice. They encouraged users to revoke permissions and steer clear of scam links. Users were also advised to monitor their wallets closely and report any suspicious activities.
Tapioca is a decentralized money market protocol built on LayerZero, allowing users to borrow cryptocurrencies across multiple blockchains. It uses a stablecoin called USDO and Tapioca Omnichain Fungible Tokens (TOFTs) to transfer wrapped assets across networks.
Phishing Attack Targets Tapioca Co-Founder Rektora
Tapioca co-founder Matt Marino stated in an Oct. 19 Discord message that co-founder “Rektora” was phished. He explained that Rektora “downloaded something during an interview process.” The download replaced a legitimate transaction with a malicious one, enabling the attackers to access the contracts.
North Korean Hackers Suspected in Tapioca DAO Hack
On-chain investigator ZachXBT suggested that the Tapioca DAO hack might be connected to malware downloaded by a team member. He noted that this exploit could be part of a broader trend of recent hacks targeting projects like Nexera, Concentric, Masa, SpaceCatch, Reach, Serenity Shield, and MurAll.
ZachXBT also highlighted that these attacks appear to be part of a larger scheme involving fake job scams, potentially linked to state-sponsored threat actors from North Korea. Currently, there is no clear evidence linking the Tapioca breach to North Korea.