The Tapioca Foundation has issued a $1 million bounty to the hacker responsible for stealing $4.7 million from its DeFi protocol in what has been described as a sophisticated social engineering attack.
The offer, made through an on-chain message on October 20, proposes allowing the attacker to legally retain $1 million in Tether (USDT) if they return the remaining $3.7 million. Tapioca noted that the proposed bounty is unusually generous, surpassing the typical 10% reward seen in similar cases.
The breach, which occurred on October 18, resulted in the theft of 591 Ethereum (ETH) and $2.8 million in USD Coin (USDC). The attacker exploited a vulnerability in the vesting contract of the Tapioca DAO Token (TAP) and its USDO stablecoin. After initially selling vested TAP tokens, the attacker manipulated the contract to mint unlimited USDO tokens, using them to drain liquidity pools containing USDO and USDC.
Matt Marino, one of Tapioca’s co-founders, revealed on Discord that his co-founder, known as Rektora, fell victim to a phishing attack. During an interview process, Rektora downloaded malicious software, which allowed the hacker to replace a legitimate transaction and seize control of the contract.
Following the breach, Tapioca managed to recover 1,000 ETH (worth $2.7 million) by counter-hacking the attacker. These funds were then used to collateralize the USDO stablecoin.
Despite this partial recovery, the attacker still holds a significant portion of the stolen assets. Almost 30 million TAP tokens were taken from the vesting contract and swapped for approximately $1.5 million in ETH. The attacker converted these funds into USDT and transferred them to the BNB Chain, where they remain.
The attack devastated TAP’s market value, which plunged from $1.40 to just $0.02, wiping out most of its worth.
The frequency of exploits and hacks seems to be growing unabated, revealing the concerning vulnerability of crypto platforms. Over $120 million was reportedly lost to more than 20 hacks in September 2024 alone. Exchanges such as BingX, Penpie, and Indodax were severely affected, highlighting the urgent need for improved security measures.