The Tapioca Foundation has announced a $1 million bounty for the return of $4.7 million stolen from its decentralized finance protocol. The foundation proposed a bounty in Tether (USDT), significantly exceeding the typical 10% offered in similar cases, in exchange for the return of the remaining $3.7 million.
A few days ago, Tapioca revealed that it had “suffered a social engineering attack ,” in which the attacker made off with 591 Ether (ETH) and $2.8 million worth of USD Coin (USDC).
Tapioca Foundation pursues resolution with attacker after massive heist
In an on-chain message directed to the attacker’s crypto wallet on October 20, Tapioca stated:
We would like to offer you an attractive bounty settlement, allowing you to retain funds that are fully legally yours, with no strings attached.
– Tapioca
The foundation explained that the attack compromised the ownership of the vesting contract for its Tapioca DAO Token (TAP) and the USDO stablecoin. As a result, the attacker was able to claim and sell vested TAP tokens and added a minter, enabling them to infinitely mint USDO and drain a liquidity pool for both USDO and USDC.
Tapioca DAO introduced the TAP token in June. The protocol allows users to lend and borrow crypto assets across various interconnected blockchains and leverage their holdings using USDO, a new stablecoin.
See also 'Coinbase Pro' fraudster gets five year prison sentence for $20M theft
Tapioca co-founder reveal details of phishing incident
Tapioca co-founder Matt Marino shared on Discord on October 19 that a fellow pseudonymous co-founder, known as “Rektora,” had been phished.
Marino said the incident began when Rektora was contacted about a friend being hired by another company, a situation that lowered his guard. Marino revealed that Rektora “downloaded something during an interview process,” which replaced a legitimate transaction with a malicious one, allowing the attackers to access the contracts.
In a subsequent Discord post, Marino claimed they had “hacked the hacker” and recovered 1,000 ETH, valued at over $2.7 million, which served as collateral backing the USDO stablecoin for a liquidity pool.
Following the October 18 attack, the perpetrator withdrew nearly 30 million TAP tokens from the vesting contract, converted them into about $1.5 million worth of ETH, exchanged that for USDT, and transferred the funds to the BNB Chain, where they remain, as indicated by transactions in the attacker’s wallet.
The incident has drastically impacted the TAP token, which has effectively lost all its value, plummeting from around $1.40 before the attack to just 2 cents, according to CoinGecko.