Tapioca Foundation Offers $1 Million Bounty to DeFi Attacker Following $4.7 Million Theft
The Tapioca Foundation has offered a $1 million bounty for the attacker responsible for stealing $4.7 million from its DeFi protocol. This social engineering attack exploited vulnerabilities in the vesting contract for the TAP token and USDO stablecoin. Despite the recovery of 1,000 ETH, the incident severely impacted the value of the TAP token. This case highlights the ongoing threat of phishing attacks in the cryptocurrency space, where users lost over $46 million in September alone. As crypto scams evolve, so do the measures needed for user protection and security in decentralized finance.
The Tapioca Foundation has announced a $1 million bounty for the individual behind a recent attack on its decentralized finance (DeFi) protocol, which resulted in a staggering loss of $4.7 million. The foundation classified the incident as a “social engineering attack” that exploited vulnerabilities within its system.
In an on-chain message dated October 20, the Tapioca Foundation directly addressed the attacker, proposing a settlement that would allow them to keep $1 million in Tether (USDT) with no further obligations. The foundation emphasized the urgency of this offer as it seeks the return of the remaining $3.7 million stolen during the breach.
Details of the Attack
The attack occurred on October 18 and involved the theft of 591 Ether (ETH) along with $2.8 million in USD Coin (USDC). Tapioca disclosed that the attacker capitalized on a flaw in the vesting contract associated with its TAP token and the USDO stablecoin. The attacker successfully claimed and sold vested TAP tokens while also manipulating the USDO stablecoin by adding a minter, which allowed them to create an infinite supply. This manipulation drained a liquidity pool containing both USDO and USDC.
Co-founder Matt Marino shared additional insights about the incident on the project's Discord channel. He revealed that another co-founder, known by the pseudonym “Rektora,” had been phished during an interview process. Rektora accidentally downloaded malicious software that altered a transaction, granting the attacker access to critical contracts and systems.
Recovery Efforts and Impact
In a surprising development, Marino later announced that the Tapioca Foundation had managed to “hack the hacker,” successfully recovering 1,000 ETH valued at over $2.7 million. This amount had been collateral backing the USDO stablecoin in a liquidity pool. Despite this recovery, the attack severely impacted the value of the TAP token. Before the incident, TAP was trading at approximately $1.40, but it subsequently plummeted to just 2 cents, according to CoinGecko.
The attacker’s wallet still retains funds on the BNB Chain, raising questions about whether the remaining stolen assets will be returned to the foundation.
The Growing Threat of Phishing Attacks
The incident highlights a broader trend in the cryptocurrency space, where phishing attacks continue to pose a significant threat to users. In September alone, more than 10,000 individuals lost over $46 million to various crypto phishing scams, according to Scam Sniffer, a Web3 anti-scam platform. The platform reported that 10,805 victims collectively suffered losses of $46.7 million from these scams during the month.
Recent reports have indicated that cybersecurity scammers are increasingly utilizing automated email replies to compromise systems and deliver stealthy crypto mining malware. This follows the emergence of another malware threat identified in August, known as the “Cthulhu Stealer,” which targets macOS systems by disguising itself as legitimate software while gathering personal information, including MetaMask passwords and private keys.
In a separate incident, a fraudulent crypto wallet application on Google Play has reportedly stolen $70,000 from users in a sophisticated scam described as a world-first targeting mobile users exclusively. This malicious app, known as WalletConnect, mimicked the reputable WalletConnect protocol and executed a scheme designed to drain crypto wallets.