In a recent security breach, Tapioca DAO faced a massive exploit that drained the majority of its funds, causing a steep drop in the value of its native TAP token. The incident resulted in the theft of approximately $4.5 million worth of cryptocurrency. However, thanks to quick action, the DAO was able to prevent the theft of $2.7 million in ETH. With support from blockchain security firms, the team is now working to recover the remaining stolen assets.
What Happened?
According to initial reports, the attacker exploited a vulnerability in the DAO’s vesting contract. This allowed them to access and sell 30 million vested TAP tokens, which were initially worth around $1.40 per token but dropped to less than $0.04 following the breach. The blockchain security firm Fuzzland suspects the attacker may have obtained access through social engineering techniques, tricking a team member into exposing the private keys needed to execute the attack.
The attacker successfully drained over $4.4 million in assets, which included:
- $2.8 million in USDC
- $1.57 million in ETH from the USDO/USDC liquidity pair
The stolen funds were quickly swapped for ETH, then USDT, and later bridged from Arbitrum to BNB Chain.
Recovery Efforts and Response
Despite the scale of the attack, Tapioca DAO managed to protect a portion of its assets. With the assistance of blockchain security experts, the DAO transferred 1,000 ETH (worth approximately $2.7 million) to a secure vault. According to co-founder Matt Marino, this ETH was part of the DAO collateral used to mint the stablecoin USDO for the USDO/USDC liquidity pool.
Official Statements and Next Steps
The Tapioca Foundation has advised all platform users to revoke any approvals to the compromised contracts until the issue is fully resolved. Users are encouraged to contact support for assistance in doing so. The recovery efforts are ongoing, with Fuzzland and other blockchain security firms closely collaborating to trace and recover the stolen assets.
The Growing Threat of Social Engineering in Crypto
This incident highlights a growing trend of blockchain security breaches carried out through social engineering. According to industry experts like ZachXBT, attackers are increasingly using fake job scams and other social tactics to gain access to private information. This case is reminiscent of similar attacks attributed to North Korean actors, although their direct involvement in this breach has not yet been confirmed.
While the Tapioca DAO exploit serves as a stark reminder of the vulnerabilities that exist in the world of decentralized finance, the swift action of the DAO team and the assistance of blockchain security professionals prevented even greater losses. With a treasury currently standing at $4.2 million, the DAO is continuing its efforts to fully recover from this attack.
FAQ
1. What led to the Tapioca DAO exploit?
The attacker exploited a vulnerability in the DAO's vesting contract, allowing them to access and sell vested TAP tokens and drain liquidity from the USDO/USDC pool.
2. How much cryptocurrency was stolen in total?
Approximately $4.5 million worth of assets were stolen, including $2.8 million in USDC and $1.57 million in ETH.
3. How much was recovered or saved during the exploit?
Tapioca DAO managed to move 1,000 ETH (worth $2.7 million) to a secure vault, preventing further losses.
4. What steps should users take after the exploit?
Users are advised to revoke approvals to the compromised contracts and reach out to Tapioca Foundation's support for help with the process.
5. How did the attacker gain access to the DAO’s private keys?
It is suspected that the attacker used social engineering to trick a team member into revealing sensitive information needed to gain control.