Decentralized finance (DeFi) protocol Tapioca DAO is offering a $1 million bounty to a hacker who stole $4.7 million in a recent “social engineering attack.” The protocol hopes the large bounty will entice the attacker to return the majority of the stolen funds.
Tapioca’s $1 Million Bounty Offer
In an onchain message sent on October 20 to the attacker’s crypto wallet, the Tapioca Foundation proposed a settlement in which the hacker could keep $1 million in Tether (USDT) — far more than the typical 10% reward offered in such cases — if the remaining $3.7 million is returned. Tapioca emphasized that this deal would allow the attacker to walk away with the funds “legally and with no strings attached.”
The attack occurred on October 18, when the hacker exploited Tapioca’s vesting contract for its Tapioca DAO Token (TAP) and USDO stablecoin, stealing 591 Ether (ETH). The attacker also managed to mint unlimited amounts of USDO, draining a liquidity pool for USDO and USDC tokens.
Details of the Social Engineering Attack
Tapioca co-founder Matt Marino disclosed on the project’s Discord that the breach resulted from a phishing scheme targeting fellow co-founder “Rektora.” Rektora had unknowingly downloaded malicious software during an interview process, which allowed the attackers to compromise the vesting contract and gain control over the tokens.
Following the attack, nearly 30 million TAP tokens were withdrawn from the contract, swapped for around $1.5 million in ETH, converted into USDT, and sent to the BNB Chain. As of now, those funds remain in the attacker’s wallet, according to blockchain transaction data.
Recovery Efforts and Impact on TAP Token
Despite the significant loss, Tapioca DAO managed to “hack the hacker” and recover 1,000 ETH (roughly $2.7 million), which was collateral backing the USDO stablecoin in a liquidity pool. However, the attack has severely impacted the value of the TAP token, which has plummeted from around $1.40 to just 2 cents, according to CoinGecko data.