Tapioca DAO stops 1,000 ETH worth $2.7 million from being stolen following exploit that drains majority of its funds

The Tapioca DAO suffered a massive exploit leading to an over 95% drawdown in the TAP token price. About $4.5 million worth of cryptocurrencies were stolen, though the team says it's in the process of recovering funds with assistance from web3 security firm Fuzzland and others.

"All current Tapioca DAO Platform users are advised to revoke approvals to our Contracts until the recent Compromise has been resolved,” the Tapioca Foundation said on X. “Please reach out to website support upon any issues revoking approvals."

According to the foundation, the attacker was able to compromise the token’s vesting contract giving him access to sell its 30 million vested TAP tokens — at the time worth around $1.40, now worth less than $0.04 — as well as the USDO stablecoin contract.

In total, the attacker walked away with about $4,405,600, including $2.8 million USDC and $​​1,575,606 in ETH drained from the USDO/USDC liquidity pair. The stolen funds were swapped for ETH, then USDT, and then bridged from Arbitrum to BNB Chain where, at press time, they remain.

Tapioca is a decentralized money market protocol based on LayerZero for borrowing cryptocurrencies across multiple blockchains. It uses a stablecoin called USDO and Tapioca Omnichain Fungible Tokens (TOFTs) to enable users to move wrapped assets between networks.

According to Fuzzland, it seems likely the attacker obtained the private keys through social engineering. On Discord, Tapioca co-founder Matt Marino said Discord member 0xRektora was contacted about a friend being hired, which tricked him into lowering his guard enough to connect the hardware wallet that the attacker used to gain ownership of TAP.

“North Korea is always the garbage collector here,” Fuzzland said, echoing ZachXBT that the connection to the Hermit Kingdom has not yet been proven and that the situation is “complicated.”

Those attacks “were the result of fake job scams” where North Korean actors posed as interview subjects or vendors to gain inside access or information needed to steal funds, ZachXBT said. There have been a slew of anecdotes and a recent CoinDesk investigation suggesting this type of “contagious interview” scam is a widespread and growing issue across crypto.

Recovering funds?

“We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control,” the foundation wrote.

Tony, a security engineer at Fuzzland and member of the volunteer emergency response team SEAL911, was one of the members in the war room, which worked to help them recover a portion of the funds that the hacker didn't notice, he told The Block.

According to Marino on Discord, the organization moved 1,000 ETH worth about $2.7 million from a vault to a secure location — the DAO multisig. "The 1000 ETH was DAO collateral within Big Bang Origins to mint USDO for USDO/USDC LP," he added.

"The team attempted to rescue these assets by first approving the Multicall, which anyone can take away these assets. Luckily, no one found out and they managed to still rescue these assets," Fuzzland co-founder Chaofan Shou told The Block.

However, the response team has not yet been able to recover any of the stolen assets. The DAO’s treasury currently stands at $4.2 million, Marino said.