The Tapioca Foundation has recently taken a bold stance in the wake of a significant security breach that resulted in the loss of $4.7 million from its decentralized finance (DeFi) protocol. In a remarkable move, the foundation has announced a $1 million bounty to incentivize the perpetrator to come forward and return the stolen funds.
Details of the Theft
The incident has been classified by the foundation as a “social engineering attack,” underscoring the intricate nature of the deception involved. On October 20, the Tapioca Foundation addressed the attacker directly through an on-chain message, proposing a settlement that would allow the individual responsible for the attack to retain $1 million worth of Tether (USDT) with no conditions attached. This offer stands out significantly, as it exceeds the customary 10% bounty typically seen in similar scenarios.
The Impact of the Attack
The attack occurred on October 18 and involved the illicit acquisition of 591 Ether (ETH) along with $2.8 million in USD Coin (USDC). The attacker specifically targeted a vulnerability in the vesting contract for the TAP token and the USDO stablecoin. By exploiting this vulnerability, the attacker was able to claim and sell vested TAP tokens, and then manipulated the USDO stablecoin’s supply by adding a minter, effectively creating an infinite supply and draining a connected liquidity pool.
Insights from Tapioca’s Co-Founder
Matt Marino, co-founder of Tapioca, shed light on the incident during a discussion on the project’s Discord channel. He revealed that the co-founder known as “Rektora” fell victim to a phishing attack while undergoing an interview process. In a critical misstep, Rektora inadvertently downloaded malicious software that tampered with a transaction, granting the attacker access to vital contracts.
Funds Recovered and Market Repercussions
In an unexpected turn of events, Marino later announced that Tapioca had successfully “hacked the hacker” and was able to recover 1,000 ETH, valued at over $2.7 million. This amount had been pledged as collateral for the USDO stablecoin within a liquidity pool. Despite this partial recovery, the attack significantly impacted the market value of the TAP token. Before the incident, TAP was traded at around $1.40, but its value plummeted to a mere 2 cents post-attack, as per data from CoinGecko. The attacker’s wallet still contains assets on the BNB Chain, leaving the possibility of recovering the remaining $3.7 million in question.
The Bigger Picture: Phishing Scams in Crypto
This incident is not isolated but part of a larger trend where phishing attacks have become prevalent in the cryptocurrency community. According to findings from Scam Sniffer, a Web3 anti-scam platform, over 10,000 individuals fell prey to phishing scams in September alone, totaling losses of more than $46 million. This alarming statistic highlights the ongoing risk crypto users face from such malicious activities.
New Threats in the Cyber Landscape
Furthermore, recent reports indicate that cybercriminals are evolving their tactics, utilizing automated email responses to breach systems and deploy stealthy crypto mining malware. This follows the identification of another malware threat in August, known as the “Cthulhu Stealer”, which specifically targets macOS by masquerading as legitimate software to gather sensitive information, including MetaMask passwords and private keys for cold wallets.
Emerging Scams Targeting Mobile Users
In addition, a fraudulent crypto wallet application, named WalletConnect, was discovered on the Google Play Store, reportedly siphoning off $70,000 from unsuspecting users. This sophisticated scam marks a significant development in the landscape of crypto fraud, as it was explicitly designed to target mobile users. The malicious app mimicked the actual WalletConnect protocol, showcasing the ever-evolving tactics employed by scammers in the crypto space.