Tapioca DAO: The $4.4 Million Security Breach
Analyzing the Recent $4.4 Million Security Breach at Tapioca DAO: Key Management Failures, Exploited Vulnerabilities, and the Ongoing Threat of Scams in the DeFi Space.
TL;DR
Tapioca DAO suffered a $4.4 million loss after a social-engineering attack compromised the key that owned its privileged contracts. With that ownership the attacker claimed and dumped 30 million vested TAP from the vesting contract and granted themselves an uncapped minter role on the USDO stablecoin contract, draining the USDO/USDC pool. Tapioca later recovered 1,000 ETH, bringing its treasury to about $4.2 million, while scammers have since targeted users with phishing attempts.
The recent breach at Tapioca DAO on Arbitrum, resulting in a $4.4 million loss, exposes ongoing security challenges in DeFi protocols.
The attack was reportedly the result of a compromised private key, not a flaw in the contract code, which underlines the sector's need for stronger key management and for privileged functions that cannot be driven by a single signer.
While Tapioca DAO has managed to recover some funds, the total damage remains uncertain, causing understandable concern among its users.
In the aftermath, speculation has emerged about the involvement of a well-known hacker group, possibly even state-sponsored, with North Korean links suggested.
This incident follows a recent RAT malware attack on Radiant Capital, intensifying concerns around the rise of increasingly sophisticated cyber threats targeting DeFi.
Such events lead to important questions: are we witnessing the beginning of a new wave of financial cyber warfare, or is this simply another instance of security vulnerabilities being exploited in the world of decentralized finance?
As the crypto community slept, security researcher 0xTeun raised an urgent alert: Tapioca DAO was under siege.
$TAP Exploited
Seems that the following address managed to exploit Emergency Rescue function on one of the Vesting contracts deployed by the Tapioca Deployer.
This is not a 'buy the exploit'.
Vesting contract: arbiscan.io/address/0x2997…
Exploiter: arbiscan.io/address/0x7028…
— Tony (@0xTeun)
11:16 AM • Oct 18, 2024
The attacker reportedly invoked the Emergency Rescue function on one of the vesting contracts deployed by the Tapioca Deployer. A function like that is an owner-only escape hatch by design; being able to call it means the attacker held, or had taken over, the contract's owner privileges rather than having found a bug in the contract logic.
Moving quickly, the attacker withdrew around 30 million TAP tokens and converted them into 591 ETH, triggering a steep 97% plunge in TAP’s value. However, the attack didn’t end there.
Utilizing a series of multi-calls to target various addresses, including the $USDO stablecoin contract, the attacker managed to mint an astonishing five quintillion $USDO.
Because, in their view, why settle for millions when quintillions are on the table?
After a rapid pursuit through the blockchain, investigators traced the stolen assets as they were bridged to the BNB Chain. Currently, the suspicious address holds around $4.4 million in stablecoins, including BSC-USD and USDC.
Tapioca DAO responded six hours after the attack began, finally breaking its silence. In its statement, Tapioca characterized the breach not as a conventional hack but as a “social engineering attack”.
Tapioca DAO has suffered a social engineering attack. This enabled the attacker to compromise the TAP token vesting contract’s ownership which allowed the attacker to claim and sell this 30M vested TAP, which impacted the TAP/ETH DAO owned LP. The attacker then also compromised the… x.com/i/web/status/1…
— Tapioca Foundation (@tapioca_dao)
5:33 PM • Oct 18, 2024
The attacker reportedly managed to gain control over the TAP token vesting contract's ownership, enabling them to claim and offload an astonishing 30 million vested TAP tokens.
But that wasn’t the end of the exploit. The attacker also compromised ownership of the USDO stablecoin contract, adding themselves as a minter with unrestricted access to mint USDO, which allowed them to drain the USDO/USDC liquidity pool.
According to Tapioca DAO's damage assessment, approximately 591 ETH and 2.8 million USDC were stolen, which aligns with blockchain analysts’ findings.
This breach specifically targeted Tapioca's vesting contract, a critical component designed to secure token allocations and prevent unauthorized access.
Attack Details:
TAP Vesting Contract: 0x2997C5ddD3070A46E9938261ce0A16a237121cb0
Exploiter Address: 0x70285a11489bed93686410EBC727057CAfb8129D
Attack Transactions:
After exploiting the TAP vesting contract, the hacker shifted focus to Tapioca's stablecoin, transforming the USDO contract into an endless source of funds.
USDO Stablecoin Contract: 0xEB99062643cA5Ab880c077288345E0B14B297432
USDO Infinite Mint Exploit Transaction: 0x0bca43cfb5b14ea039f2b329cb6074383d54ed8240963014ccb6400befa5a4e3
The stolen assets were then bridged from Arbitrum to Binance Smart Chain (BSC), consolidating funds through BSC Address: 0x69d91e56ca80f2a4d7b808b59053ea5c5505ffe2.
In total, this exploit leveraged compromised ownership of both the TAP vesting and USDO stablecoin contracts, allowing the attacker to claim millions in assets and move them across multiple blockchain networks.
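Both steps of the chain above (ownership of the vesting contract moving to an attacker-controlled address, then an uncapped mint from the USDO contract) are visible in ordinary event logs minutes before the funds leave the chain, well inside the six-hour window that passed before the team's first statement. The monitor below is an added example written for this page, not Tapioca's tooling or code. It matches the standard ERC-20 `Transfer` and Ownable `OwnershipTransferred` topics, treats a `Transfer` whose sender is address(0) as a mint, and raises an alert when ownership moves to an address outside a trusted set or a single mint exceeds a policy cap. The contract and exploiter addresses are the ones listed above; the deployer and DAO multisig addresses, the 1M USDO per-mint cap, the transaction ids and the log bodies are constructed for the demonstration.

```python
from dataclasses import dataclass

# Event signature hashes (keccak256 of the canonical signature). These are the
# standard ERC-20 Transfer and OpenZeppelin Ownable OwnershipTransferred topics.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
OWNERSHIP_TRANSFERRED_TOPIC = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
ZERO_ADDRESS = "0x" + "00" * 20  # a mint is a Transfer whose sender is address(0)


@dataclass(frozen=True)
class Log:
    """The fields of an EVM log that matter here (a subset of eth_getLogs output)."""
    address: str   # emitting contract
    topics: tuple  # topics[0] is the event signature; indexed args follow
    data: str      # ABI-encoded non-indexed args as hex
    tx_hash: str


def topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def pad_address(addr: str) -> str:
    """Encode an address as a 32-byte topic, the way the EVM indexes it."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def check_log(log, watched, trusted_owners, mint_caps):
    """Return alert strings for one log; an empty list means nothing suspicious."""
    alerts = []
    emitter = log.address.lower()
    if emitter not in watched or not log.topics:
        return alerts
    label = watched[emitter]
    sig = log.topics[0].lower()

    # Signal 1: a privileged contract changes owner to an address outside the
    # approved set (anything that is not, say, the DAO multisig).
    if sig == OWNERSHIP_TRANSFERRED_TOPIC and len(log.topics) == 3:
        old = topic_to_address(log.topics[1])
        new = topic_to_address(log.topics[2])
        if new not in trusted_owners:
            alerts.append(f"CRITICAL {label}: owner moved {old} -> {new} (untrusted) in {log.tx_hash}")

    # Signal 2: a mint (Transfer from address(0)) larger than the per-tx policy cap.
    elif sig == TRANSFER_TOPIC and len(log.topics) == 3:
        src = topic_to_address(log.topics[1])
        dst = topic_to_address(log.topics[2])
        amount = int(log.data, 16)
        cap = mint_caps.get(emitter)
        if src == ZERO_ADDRESS and cap is not None and amount > cap:
            alerts.append(f"CRITICAL {label}: mint of {amount} to {dst} exceeds cap {cap} in {log.tx_hash}")
    return alerts


def scan(logs, watched, trusted_owners, mint_caps):
    out = []
    for log in logs:
        out.extend(check_log(log, watched, trusted_owners, mint_caps))
    return out


# Constructed sample run. Contract and exploiter addresses are the ones named in
# the write-up; the deployer/DAO addresses, cap, tx ids and log bodies are made up.
VESTING = "0x2997c5ddd3070a46e9938261ce0a16a237121cb0"
USDO = "0xeb99062643ca5ab880c077288345e0b14b297432"
ATTACKER = "0x70285a11489bed93686410ebc727057cafb8129d"
DEPLOYER = "0x" + "de" * 20      # hypothetical original owner
DAO_MULTISIG = "0x" + "da" * 20  # hypothetical trusted owner
DECIMALS = 10**18

WATCHED = {VESTING: "TAP vesting", USDO: "USDO"}
TRUSTED_OWNERS = {DAO_MULTISIG}
MINT_CAPS = {USDO: 1_000_000 * DECIMALS}  # assumed policy: at most 1M USDO per mint


def u256(n: int) -> str:
    return "0x" + format(n, "064x")


SAMPLE_LOGS = [
    # ownership of the vesting contract handed to the attacker
    Log(VESTING, (OWNERSHIP_TRANSFERRED_TOPIC, pad_address(DEPLOYER), pad_address(ATTACKER)), "0x", "tx-1"),
    # an ordinary, in-policy mint that must not fire
    Log(USDO, (TRANSFER_TOPIC, pad_address(ZERO_ADDRESS), pad_address(DAO_MULTISIG)), u256(10_000 * DECIMALS), "tx-2"),
    # five quintillion USDO minted to the attacker
    Log(USDO, (TRANSFER_TOPIC, pad_address(ZERO_ADDRESS), pad_address(ATTACKER)), u256(5 * 10**18 * DECIMALS), "tx-3"),
    # a plain transfer between holders: not a mint, no alert
    Log(USDO, (TRANSFER_TOPIC, pad_address(DAO_MULTISIG), pad_address(ATTACKER)), u256(42 * DECIMALS), "tx-4"),
]


def run_sample():
    return scan(SAMPLE_LOGS, WATCHED, TRUSTED_OWNERS, MINT_CAPS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Pointed at a live node, `scan` would consume the output of `eth_getLogs` filtered to the watched contracts; the two rules deliberately do not try to decode a project-specific "minter added" event, because the mint itself is the unambiguous signal and the ownership change is the precondition that makes everything else possible.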
The situation took a further turn when on-chain investigator ZachXBT weighed in with notable insights.
He suggests that the breach at Tapioca DAO may be part of a broader pattern of recent hacks targeting various projects, including Nexera, Concentric, Masa, and SpaceCatch.
A common theme among these incidents appears to be the use of malware, potentially distributed through deceptive job listings.
This alarming trend implies that “We’re always hiring!” could be interpreted as a covert signal for “We’re always hacking!” Moreover, Zach hints at a troubling connection to North Korean state-sponsored hackers, known for their sophisticated cyber operations.
In a remarkable development, Tapioca DAO announced that it had managed to strike back at the attacker and recover part of the loss. This unexpected twist adds a dramatic layer to the unfolding narrative within the DeFi landscape.
Tapioca DAO recently announced in their Discord channel, "We have hacked the hacker! We recovered 1,000 ETH, which is now securely held in the DAO multisig wallet."
This recovered amount was initially collateral within Big Bang Origins, utilized to mint USDO for the USDO/USDC liquidity pool. With this recovery, Tapioca's treasury now totals approximately $4.2 million.
The team is committed to providing further details in an upcoming post-mortem report and has credited Seal911 and EnigmaDarkLabs for their valuable support during this counter-operation.
As Tapioca continues to navigate this incident, the ongoing developments are expected to yield more intriguing insights.
However, the situation has also attracted opportunistic scammers, who have been impersonating Tapioca DAO and disseminating malicious links. Hacken has issued a caution to users, advising them not to fall for these phishing attempts.
⚠️ Beware of Phishing Scams
We’ve noticed fake accounts impersonating @tapioca_dao posting phishing links under this thread. Please do not interact with any suspicious links or messages claiming to be from Tapioca. Stay vigilant and protect your assets.
— Hacken🇺🇦 (@hackenclub)
2:37 PM • Oct 18, 2024
Unfortunately, it appears that someone on the Tapioca side had already taken a different kind of bait. Speculation is that a team member fell for a cleverly disguised phishing scheme, potentially served up by the hacker in the guise of an enticing "job opportunity."
In the wake of Tapioca DAO's $4.4 million breach, the incident serves as a stark reminder of how operational failures intertwine with the unsettling specter of North Korean involvement.
This situation adds another chapter to the "How Not to DeFi" manual, highlighting how easily a protocol can become a cautionary tale due to a single compromised key.
The landscape of security has dramatically shifted, moving beyond traditional smart contract audits to a more complex game of “Who's the Mole?”
While improvements have been made in code auditing practices, there's a growing oversight in vetting potential threats from within the development teams themselves.
Rogue actors have infiltrated deeper, not only targeting our protocols but also contributing to their development.
They may be hiding in our VS Code extensions, lurking within our job applicant pools, and perhaps even present in obscure Discord servers we casually joined last week.
The need for a comprehensive security strategy that encompasses both code and human elements has never been more urgent.
At this pace, it appears that by 2025, nearly every Web3 project could find itself with its own North Korean hacker on staff.
In this unpredictable world of crypto, the boundaries between technological advancement and malicious intent are becoming increasingly blurred. It raises concerns that your next coworker might be secretly developing code for a regime like Kim Jong-un's on the side.
This leads to a critical question: Are we witnessing the realization of the cyberpunk future we once anticipated, or have we collectively fallen victim to a sophisticated phishing scheme that undermines the foundational trust of the digital landscape?