After a $4.7 million exploit hit the DeFi protocol Tapioca DAO, the developers have put up a $1 million bounty for the attacker if they return the remaining funds.
On Oct. 20, the Tapioca Foundation sent an on-chain message to the wallet linked to the attacker offering them a chance to legally “walk away” with the bounty without any legal repercussions if they chose to return the remaining funds to the protocol.
The foundation has offered $1 million USDT if the attacker returns the remaining $3.7 million to the protocol, and has given until Oct. 22, 4 pm UTC to accept the offer.
At the time of writing the hacker has not responded to the bounty, while the protocol has suspended operations and urged users not to interact with any Tapioca contracts.
What happened?
The DeFi protocol was targeted on Oct. 18 after its pseudonymous co-founder “Rektora” fell victim to an alleged social engineering attack. Such attacks rely on tricking victims into revealing sensitive information or misleading them into downloading malicious software or clicking on phishing links.
According to Tapioca co-founder Matt Marino, Rektora was tricked into downloading some malicious software which allowed the attackers to compromise the ownership of the vesting contract for the protocol’s native TAP token.
This allowed them to withdraw 30 million vested TAP tokens—worth around $1.40 at the time but now valued at $0.01 following the exploit. In addition, the attackers also gained control over the USDO stablecoin contract.
In total, the attacker made off with approximately $4.4 million, including $2.8 million in USDC and $1.57 million in ETH, drained from the USDO/USDC liquidity pool. The stolen funds were quickly swapped for ETH, then USDT, and eventually bridged from Arbitrum to the BNB Chain, where they currently remain.
Marion allegedly “hacked” the attacker and managed to recover 1,000 ETH, per an Oct. 19 update on the project’s Discord.
Last year, DeFi lending protocol Euler Finance successfully recovered over 58,000 ETH stolen in a flash loan attack. At the time, the protocol sent an on-chain message demanding the return of the funds, and threatening to offer a $1 million reward for information leading to the attacker’s identification if the funds weren’t returned.
However, not all bounty offers lead to the recovery of stolen funds. For instance, crypto exchange WazirX launched a bounty program for $11.5 million after it lost over $234 million worth of several cryptocurrencies.
Despite the reward offer, the stolen funds remain unrecovered, with attackers laundering significant amounts of the loot through platforms like Tornado Cash.
