The Tapioca Foundation has announced a generous reward of $1 million for the individual responsible for a “social engineering attack” that resulted in the theft of $4.7 million from its decentralized finance protocol. In an onchain message sent to the attacker’s crypto wallet on October 20th, Tapioca expressed its willingness to offer a substantial settlement without any obligations. The foundation proposed providing $1 million in Tether (USDT), a significantly higher amount compared to the typical 10% offered in bounties, in exchange for the return of the remaining $3.7 million.
Tapioca revealed in an October 18th post that it had fallen victim to a social engineering attack, resulting in the theft of 591 Ether (ETH) and $2.8 million worth of USD Coin (USDC). The attack compromised the ownership of the vesting contract for Tapioca DAO Token (TAP) and the USDO stablecoin. The attacker successfully claimed and sold vested TAP, while also adding a minter to infinitely mint USDO and drain a liquidity pool for USDO and USDC.
Co-founder of Tapioca, Matt Marino, disclosed in a message on the project’s Discord on October 19th that fellow co-founder “Rektora” had been phished during an interview process. Marino explained that Rektora had unknowingly downloaded malicious software, which replaced a transaction with a malicious one, granting the attackers access to the contracts. Later on Discord, Marino stated that they had managed to “hack the hacker” and recover 1,000 ETH, valued at over $2.7 million, which served as collateral for the USDO stablecoin in a liquidity pool.
During the October 18th attack, the perpetrator withdrew nearly 30 million TAP tokens from the vesting contract, exchanged them for approximately $1.5 million worth of ETH, converted the ETH into USDT, and transferred the funds to the BNB Chain. These transactions can still be traced in the attacker’s wallet. As a result of the attack, the TAP token has experienced a significant decrease in value, currently trading at 2 cents compared to its previous value of around $1.40, as reported by CoinGecko.
In other news, a fake Rabby Wallet scam has been linked to a crypto CEO in Dubai and numerous other victims.