Tapioca DAO Exploit
The Tapioca DAO suffered a massive exploit leading to an over 95% drawdown in the TAP token price. About $4.5 million worth of cryptocurrencies were stolen, though the team says it's in the process of recovering funds with assistance from web3 security firm Fuzzland and others.
> “All current Tapioca DAO Platform users are advised to revoke approvals to our Contracts until the recent compromise has been resolved,” the Tapioca Foundation stated on X. “Please reach out to website support upon any issues revoking approvals.”
The Attack
According to the foundation, the attacker compromised the token’s vesting contract, giving him access to sell 30 million vested TAP tokens — which were worth around $1.40 at the time and are now worth less than $0.04 — and the USDO stablecoin contract.
In total, the attacker drained about $4,405,600, including $2.8 million in USDC and $1,575,606 in ETH from the USDO/USDC liquidity pair. The stolen funds were converted to ETH, then USDT, and subsequently bridged from Arbitrum to BNB Chain, where they remain.
Tapioca is a decentralized money market protocol based on LayerZero that allows borrowing of cryptocurrencies across various blockchains. It uses a stablecoin called USDO and Tapioca Omnichain Fungible Tokens (TOFTs) for moving wrapped assets between networks.
Fuzzland indicates that the attacker likely obtained the private keys via social engineering tactics. On Discord, Tapioca co-founder Matt Marino explained that Discord member 0xRektora was misled into connecting his hardware wallet, which the attacker used to take over TAP.
> “North Korea is always the garbage collector here,” Fuzzland remarked, noting that any connection to the Hermit Kingdom has yet to be verified and that the situation is “complicated.”
Recovering Funds?
“We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control,” the foundation reported.
Tony, a security engineer at Fuzzland, was part of the war room aimed at recovering a portion of the funds that the hacker overlooked. According to him, the organization managed to relocate 1,000 ETH (approximately $2.7 million) from a vault to a secure location — the DAO multisig.
The 1,000 ETH was collateral within Big Bang Origins to mint USDO for the USDO/USDC LP. “The team attempted to rescue these assets by first approving the Multicall, which anyone can use to take these assets. Luckily, no one found out and they managed to recover these assets,” stated Fuzzland co-founder Chaofan Shou.
Despite their efforts, the response team has not yet recovered any of the stolen assets. The DAO’s treasury currently stands at $4.2 million, according to Marino’s disclosure.