- DeFi platform Tapioca DAO is using a higher bounty to recover $4.7 million
- Tapioca has offered more than 20% of the hacked funds to the attacker
- The DeFi platform said that the hacker used a social engineering scheme to infiltrate the protocol
DeFi protocol Tapioca DAO has offered its hacker a bug bounty of $1 million, which is more than 20% of the $4.7 million siphoned from the platform. The protocol said that the hacker used a “social engineering” scheme to compromise several liquidity pools and the network’s “token vesting contract.” Tapioca said that the bounty is meant to entice the hacker into returning most of the funds, something that may become the industry standard instead of the usual bounty amount of 10%.
No Strings Attached
Tapioca sent an on-chain message to the attacker noting that the bounty allows the hacker to keep the funds “that are fully legally” theirs. The protocol added that the bounty doesn’t come with “strings attached.”
Attached below is a link to the official on-chain correspondence from Tapioca DAO Foundation to the hacker responsible for the incident on October 18th, 2024. https://t.co/T9LEMthT0O
— Tapioca Foundation (@tapioca_dao) October 20, 2024
The Tapioca Foundation disclosed that they’ve involved “necessary individuals and entities,” an indication it may involve law enforcement agencies in case the hacker decides to keep the entire loot.
Tapioca has warned users against interacting “with any Tapioca contracts.” It has also revealed that it’s conducting a post-mortem of the incident and devising a migration plan for its native token.
Please await the official announcement, Post Mortem, and TAP Token Migration Plan regarding today’s unfortunate events for a “source of truth” on all details surrounding the matter. Take anything stated otherwise as speculation or misinformation.
Please continue to not interact…
— Tapioca Foundation (@tapioca_dao) October 18, 2024
The protocol’s TAP token value has plummeted from a high of around $1.45 on October 19 to a low of $0.014 on October 21, according to CoinGecko. The protocol admitted to being hacked on October 18.
Not Every Hacker Wants a Bounty
Tapioca offering a higher bounty than the usual 10% isn’t a guarantee that the hacker will return the funds. In the past, malicious actors like the PlayDapp hacker have refused to take a white hat bounty.
Others like the Mango Markets attacker have ignored a bounty and expressed the need to keep the loot despite being identified and taken to court.
With the hacker yet to transfer the stolen funds to other wallets, it’s likely he’ll take the bounty.