After a DeFi protocol called Tapioca DAO was hit by a $4.7 million exploit, the developers have decided to offer a $1 million bounty to the attacker if they return the remaining funds. On October 20, the Tapioca Foundation sent a message on-chain to the attacker’s wallet, giving them the opportunity to walk away with the bounty without facing any legal consequences if they choose to return the remaining funds to the protocol. The foundation has offered $1 million in USDT, and the attacker has until October 22 at 4 pm UTC to accept the offer. As of now, the hacker has not responded to the bounty, and the protocol has suspended its operations, advising users not to interact with any Tapioca contracts.
The exploit on the DeFi protocol occurred on October 18, when one of its co-founders, known as “Rektora,” fell victim to a social engineering attack. Social engineering attacks trick victims into revealing sensitive information, downloading malicious software, or clicking on phishing links. Rektora was tricked into downloading malicious software, which allowed the attackers to take over ownership of the vesting contract for the protocol’s native TAP token. This enabled them to withdraw 30 million vested TAP tokens, each worth around $1.40 at the time but now valued at $0.01 following the exploit. Additionally, the attackers gained control over the USDO stablecoin contract.
In total, the attacker stole approximately $4.4 million, including $2.8 million in USDC and $1.57 million in ETH, from the USDO/USDC liquidity pool. The stolen funds were quickly converted into ETH, then USDT, and eventually transferred from Arbitrum to the BNB Chain, where they currently remain. In response, Marion, another co-founder, allegedly hacked the attacker and managed to recover 1,000 ETH.
In the past, there have been successful attempts to recover stolen funds through bounty programs. For example, DeFi lending protocol Euler Finance recovered over 58,000 ETH that had been stolen in a flash loan attack by sending an on-chain message demanding the return of the funds and offering a $1 million reward for information leading to the identification of the attacker. However, not all bounty offers result in the recovery of stolen funds. Crypto exchange WazirX launched an $11.5 million bounty program after losing over $234 million worth of various cryptocurrencies, but the stolen funds have not been recovered, as the attackers have laundered significant amounts of the loot through platforms like Tornado Cash.