Tapioca DAO breach led to loss of over $4m in assets

The crypto space is no stranger to hacks and attacks that have led to the loss of significant amounts of funds. Sometimes, users of DeFi platforms or crypto exchanges become the victims. At other times, operators are targeted. The latter is true of the Tapioca DeFi protocol, in which a significant amount of liquidity was stolen from some of its smart contracts.
Just over the weekend, the Tapioca DAO announced that an attacker had made away with close to $5m in trading liquidity after successfully launching an attack on smart contracts holding vested TAP tokens. Several vested trading pairs were targeted. In the end, a huge amount of Ethereum and USDC was stolen and diverted to wallets belonging to the attacker.
Malicious software led to successful hack
The attack on Tapioca DAO, one that is typical of the DeFi space, happened just over the weekend. It's a common form of attack where the admin of a DeFi project is fooled into downloading malicious software that the attacker can use to manipulate vested smart contracts and gain unauthorized access to its liquidity pool. One of the Tapioca admins, Rektora, fell victim to such a trick and downloaded infected software, which gave the attacker control over vested token pairs. It resulted in the loss of 591 ETH and very close to $3m USDC.
The Tapioca security teams and other contracted web3 security experts are working round the clock to see how and if funds lost in this attack could be recovered. The attacker has converted all stolen assets into USDT and moved them to a secure wallet. Efforts are being made to secure the defi protocol and ensure that there is no further loss of funds or assets.
The recovery process
Efforts are being made to see if the funds lost could be recovered. While that is ongoing, Tapioca has warned users to be alert to phishing links and other social engineering tactics used by attackers, especially after an incident like this one. Below is an announcement made on the protocol's X account:
We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control. Please be aware of misinformation, scam links, and do not interact with any Tapioca contracts or tokens until further information is provided. Source
Initially, as seen above, the security and recovery team advised users not to interact with Tapioca smart contracts in order to contain the size of the loss. It's been more than 48 hours since the event happened. Having made some progress, the team later announced that users are free again to interact with the protocol's smart contracts, as everything is secure once again. The platform is open for use by anyone, while efforts are now focused fully on trying to recover the funds stolen by the attacker, if possible.
A $1m bounty for the attacker
Tapioca chose to appeal to the attacker to return the stolen funds in exchange for $1m in USDT. This is a popular recovery method that sometimes works for protocols involved in an attack like this. If the attackers respond and return the funds, they can take the bounty without any further action being taken against them.
Tapioca announced on X that they have offered the bounty and are still awaiting the response of the criminals, who have already converted the stolen funds to USDT. It remains to be seen if this method will yield results and lead to the return and recovery of the stolen funds. Here is what the team posted about contacting the attacker:
Attached below is a link to the official on-chain correspondence from Tapioca DAO Foundation to the hacker responsible for the incident on October 18th, 2024. Source
Beware, anyone could be a victim
The crypto space is full of opportunities, but equally there are many criminals lurking around to steal your assets. Phishing links are one of the most popular methods used by attackers, so always double-check that you are interacting with links from an official channel. It's important to check the URL again and again so that you do not end up unknowingly releasing keys and passwords to a phishing website.
And just as seen in the above incident, attackers might try to manipulate you into downloading a piece of software that looks genuine. Again, if the person you are interacting with is a stranger or hides their identity, it's better not to download the software. It's best to download software only from official channels approved by the project, not from individuals or third parties. These are easy safeguards to keep criminals away from your hard-earned assets.