Tapioca Foundation offers $1m bounty to attacker after $4.7m exploit

As an analyst with extensive experience in the crypto space, I must say that the situation with Tapioca DAO is both fascinating and concerning at the same time. The rapid evolution of DeFi protocols and their vulnerabilities to social engineering attacks is a stark reminder of the Wild West nature of this industry.


Following the $4.7 million hack on DeFi protocol Tapioca DAO, the developers are offering a reward of $1 million to the perpetrator if they choose to return the leftover funds.

On October 20th, the Tapioca Foundation sent an on-chain message to the suspect’s wallet. The message offered a legitimate opportunity to claim the reward, free from any legal consequences, should the attacker decide to return the remaining funds.


The organization is offering a reward of 1 million USDT, on the condition that the hacker returns the remaining 3.7 million. This offer stands until October 22nd, at 4 pm UTC.

As I write this, the hacker has yet to acknowledge the bounty offer, and in response, the protocol has temporarily halted its activities. Users are advised to avoid all interactions with any Tapioca contracts for now.

What happened?

On October 18, the DeFi protocol became a target after its anonymous co-creator “Rektora” was apparently tricked in a social engineering scam. These types of attacks manipulate victims into disclosing confidential details, downloading harmful software, or clicking on fraudulent emails (phishing).

The Decentralized Autonomous Organization (DAO) of Tapioca has fallen victim to a sophisticated attack involving social engineering. This trickery enabled the hacker to seize control over the ownership of the TAP token vesting contract. As a result, the hacker was able to claim and sell approximately 30 million vested TAP tokens, thereby affecting the LP (Liquidity Pool) that the DAO holds in TAP/ETH. The attacker further exploited…

— Tapioca Foundation (@tapioca_dao) October 18, 2024

As stated by Matt Marino, one of the founders of Tapioca, it appears that Rektora unknowingly downloaded harmful software, leading to a situation where attackers could take control of the ownership rights for the TAP token’s governing contract within the protocol.

As a result, the attackers claimed 30 million vested TAP tokens, which were initially worth approximately $1.40 each but are now valued at just $0.01 due to the exploit. The perpetrators also seized control of the USDO stablecoin contract.

All told, the culprit successfully stole around 4.4 million dollars, with 2.8 million of that being USDC and an additional 1.57 million in ETH. This amount was withdrawn from the USDO/USDC liquidity pool. The pilfered funds were promptly exchanged for ETH, followed by USDT, and ultimately moved from Arbitrum to the BNB Chain, where they are still located at present.

According to an update posted on the project’s Discord channel on October 19th, Marino was able to successfully hack the attacker and recoup approximately 1,000 Ether.

Previously, Euler Finance, a decentralized finance lending platform, managed to recover more than 58,000 ETH that had been stolen in a flash loan incident. To reclaim the stolen assets, the protocol broadcasted a message on the blockchain asking for the funds to be returned, and warned that it would provide a $1 million incentive for any information leading to the identification of the perpetrator if the funds were not returned.

Not every reward offer results in the return of stolen assets, however. Take, for example, the crypto exchange WazirX, which initiated a reward program valued at $11.5 million following its loss of approximately $234 million worth of assorted cryptocurrencies.

Even though a reward was offered for their return, the stolen funds have not been recovered yet; instead, the perpetrators successfully laundered a substantial portion of the ill-gotten gains using services such as Tornado Cash.


2024-10-21 13:42