Tapioca DAO narrowly escaped losing 1,000 ETH worth $2.7 million after an attack drained most of its funds and caused a 95% drop in the price of the TAP token.
Despite the attack resulting in the theft of approximately $4.5 million worth of cryptocurrency, the team is working on fund recovery efforts with the support of web3 security firm Fuzzland and other partners.
In a statement on X (formerly Twitter), the Tapioca Foundation advised users to immediately revoke their contract approvals as a precautionary measure until the issue is resolved. “If you experience any issues revoking approvals, please reach out to website support,” the foundation added.
The compromise occurred when an attacker hijacked the Tapioca DAO’s vesting contract, allowing them to access and sell 30 million vesting TAP tokens, which were initially valued at around $1.40 but are currently worth less than $0.04. The attacker also took control of the USDO stablecoin contract, resulting in a loss of approximately $4.4 million, including $2.8 million USDC and 1.6 million ETH. The stolen funds were quickly converted to ETH, then USDT, and eventually bridged from Arbitrum to the BNB Chain, where they currently remain.
Tapioca, a decentralized money market protocol built on LayerZero, made it possible to borrow cryptocurrencies across multiple blockchains using the USDO stablecoin and Tapioca Omnichain Fungible Tokens (TOFTs).
Fuzzland reported that the attack likely involved social engineering tactics where the attacker obtained private keys. According to Tapioca co-founder Matt Marino, the attacker tricked a Discord member named 0xRektora into pretending to be a recruiter. The deception led the member to connect a hardware wallet, which gave the attacker access.
Fuzzland and independent blockchain researcher ZachXBT have raised the possibility of North Korea’s involvement, citing past incidents where North Korean attackers used fake job scams to steal money. However, they stressed that the connection to the country has not been proven and the situation is complex.
Tapioca’s team coordinated a response with Fuzzland and emergency response group SEAL911 to recover some of the remaining assets. Tony, a security engineer at Fuzzland, confirmed that the team managed to secure 1,000 ETH from a vault by moving it to the DAO’s multisig wallet. These funds were actually DAO collateral used to mint USDO for the USDO/USDC liquidity pool within Big Bang Origins.
Despite this partial success, the response team has yet to recover any of the stolen assets. According to Marino, the DAO currently has $4.2 million in its treasury. The team continues to work on further steps to preserve and recover the funds.