Following a $4.7 million attack on DeFi protocol Tapioca DAO, the developers have offered the attacker a $1 million bounty if they return the remaining funds.
On October 20, the Tapioca Foundation sent an on-chain message to the attacker’s connected wallet, offering them a chance to “escape” with the reward and without any legal consequences if they choose to return the remaining funds to the protocol.
An on-chain message was sent to the attacker. Source: Arbiscan
The foundation offered $1 million USDT if the attacker returned the remaining $3.7 million to the protocol, and gave the attacker until October 22 at 16:00 UTC to accept the offer.
At the time of this writing, the hacker has not responded to the bounty, but the protocol has suspended transactions and urged users not to interact with any Tapioca contracts.
What happened?
The DeFi protocol was targeted on October 18 after its pseudonymous co-founder “Rektora” fell victim to an alleged social engineering attack. These types of attacks rely on tricking victims into revealing sensitive information or misleading them into downloading malware or clicking on phishing links.
Tapioca DAO was subjected to a social engineering attack. This allowed the attacker to compromise the ownership of the TAP token vesting contract, which allowed the attacker to claim and sell these 30 million earned TAP impacting the LP owned by the TAP/ETH DAO. The attacker then also included:
— Tapioca Foundation (@tapioca_dao) 18 October 2024
According to Tapioca co-founder Matt Marino, Rektora was tricked into downloading malware that allowed the attackers to compromise ownership of the vesting contract for the protocol’s native TAP token.
This allowed them to withdraw 30 million earned TAP tokens; these tokens were worth around $1.40 each at the time but are now worth $0.01 following the attack. Additionally, the attackers took control of the USDO stablecoin contract.
The attacker captured a total of approximately $4.4 million, including $2.8 million in USDC and $1.57 million in ETH withdrawn from the USDO/USDC liquidity pool. The stolen funds were quickly swapped into ETH, then USDT, and eventually bridged from Arbitrum to the BNB Chain, where they currently remain.
According to an October 19 update on the project’s Discord, Marino allegedly “hacked” the attacker and managed to recover 1,000 ETH.
Last year, DeFi lending protocol Euler Finance successfully recovered more than 58,000 ETH stolen in a flash loan attack. At the time, the protocol sent an on-chain message demanding the return of the funds and threatening to offer a $1 million reward for information leading to the identity of the attacker if the money was not returned.
However, not all reward offers lead to the recovery of stolen funds. For example, crypto exchange WazirX launched an $11.5 million bounty program after losing $234 million worth of various cryptocurrencies.
Despite the reward offer, the stolen funds could not be recovered, as the attackers laundered a significant portion of the loot through platforms such as Tornado Cash.