A significant security breach has rocked the decentralized finance (DeFi) protocol Tapioca DAO, leading to a steep decline in the value of its TAP token. On Friday, an attacker was able to drain 28 million TAP tokens from one of Tapioca DAO’s smart contracts.
The hacker then transferred these tokens and exchanged them for 1600 ETH, which he or she then converted to Tether’s USDT stablecoin, according to Cyvers Alert. The funds were then swapped to the Binance Smart Chain through the Stargate bridge.
🚨ALERT🚨 Our system has flagged multiple suspicious transactions involving @tapioca_dao!
It might be possible that @tapioca_dao's deployer address has been compromised and owner of the vesting contract has been changed!
New owner has withdrawn around more than 21M $TAP token…
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) October 18, 2024
This led to a market crash as a huge amount of TAP tokens were sold off suddenly. The price of the token dropped from $1.43 to $0.05 within a few hours, erasing 96% of its value. This is a big loss to both the protocol and those who had invested in it.
The stolen $TAP tokens were then converted to ETH and transferred to the Binance Smart Chain via Stargate Finance. This move enabled the exploiter to shift the assets quickly and possibly cover their tracks.
Apart from the stolen $1.6 million, the hacker’s wallet has about $4.7 million worth of stablecoins, including BSC-USD and USDC, which points to an experienced attacker who has previously targeted DeFi protocols.
The hacker was able to get funds from Tapioca DAO co-founder, 0xRektora, using a phishing attack. As stated by Matt Marino, another co-founder, the attack began when 0xRektora received a message concerning a friend’s employment with another company.
This interaction led him to let his guard down, and he connected his hardware wallet, through which the hacker took control of the TAP tokens. Phishing is a common tactic in the crypto world, where attackers try to trick people into divulging information.
Marino said in the protocol’s Discord after the attack that they had informed the police, lawyers and SEAL911, a security team, about the matter. The protocol is also engaging Binance in an effort to trace and possibly retrieve the stolen funds.
Tapioca DAO launched its TAP token in June and described itself as a cross-chain lending and borrowing platform. The protocol offers the use of crypto assets with its newly launched stablecoin, USDO, and plans to work on multiple chains.
This is not the first time that hackers have attacked the crypto ecosystem. Just a few days earlier, another DeFi protocol, Radiant Finance, faced the same problem when malware was introduced to the computers of team members, resulting in a loss of $53 million. Another breach happened at Singapore-based BingX, where the hackers were able to make off with $40 million before the platform was reopened.