Hack Explained - Tapioca DAO

Tapioca DAO, a decentralised finance (DeFi) protocol that operates as a money market on LayerZero's cross-chain infrastructure, recently faced a significant security breach. This incident led to the theft of approximately $4.7 million, primarily in the form of ETH and USDC. The hack was attributed to social engineering tactics that exploited vulnerabilities in the project's smart contracts, particularly those governing its vesting system and stablecoin functionality.

Behind the Breach

The attack on Tapioca DAO occurred on October 18, 2024, when an attacker utilised phishing methods to gain access to the private keys of a key team member. This compromised account enabled the attacker to manipulate the vesting contract, allowing them to withdraw over 21 million TAP tokens through an emergency rescue function. The attacker then swapped these tokens for 591 ETH, subsequently bridging the stolen assets to the Binance Smart Chain using Stargate Finance.

The vulnerability exploited in this breach was primarily due to a lack of adequate security protocols surrounding the contract ownership and vesting mechanisms. The attacker was able to add a minter to the USDO stablecoin, creating an infinite supply and draining liquidity pools.
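
The two privileged actions described above (an emergency rescue on the vesting contract and a new minter on the stablecoin) are events an on-chain monitor can alert on. The following is an added example, not code from this article or from Tapioca; the event names, addresses, thresholds, vesting balance and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical event names; a real monitor maps these to the ABI of the
# contracts it watches.
PRIVILEGED = {"EmergencyRescue", "MinterAdded", "OwnershipTransferred"}
WINDOW_SECONDS = 3600          # assumed correlation window
RESCUE_FRACTION_ALERT = 0.25   # assumed: rescuing >25% of the balance is abnormal


@dataclass(frozen=True)
class Event:
    ts: int          # block timestamp (seconds)
    contract: str    # label of the emitting contract
    name: str        # decoded event name
    actor: str       # transaction sender
    amount: int = 0  # token amount, where the event carries one


def triage(events, vesting_balance, timelock_addr):
    """Return (severity, reason, event) tuples for privileged actions."""
    alerts, seen_by_actor = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name not in PRIVILEGED:
            continue
        # Privileged calls should arrive via the timelock/multisig, not a single key.
        if ev.actor != timelock_addr:
            alerts.append(("high", "privileged call bypassed timelock", ev))
        if ev.name == "EmergencyRescue" and ev.amount > RESCUE_FRACTION_ALERT * vesting_balance:
            alerts.append(("high", "rescue drains large share of vesting balance", ev))
        # Different privileged actions from one key inside a short window is
        # the pattern a stolen owner key produces.
        prior = [p for p in seen_by_actor.get(ev.actor, [])
                 if ev.ts - p.ts <= WINDOW_SECONDS and p.name != ev.name]
        if prior:
            alerts.append(("critical", "multiple privileged actions by one key", ev))
        seen_by_actor.setdefault(ev.actor, []).append(ev)
    return alerts


# Constructed sample events (not real chain data).
SAMPLE = [
    Event(1000, "vesting", "Claimed", "0xuser", 500),
    Event(2000, "vesting", "EmergencyRescue", "0xowner", 21_000_000),
    Event(2300, "stablecoin", "MinterAdded", "0xowner"),
    Event(9000, "stablecoin", "MinterAdded", "0xtimelock"),
]

if __name__ == "__main__":
    for sev, reason, ev in triage(SAMPLE, 30_000_000, "0xtimelock"):
        print(sev, reason, ev.name, ev.actor)
```
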


Rivanorth is a Web3 cybersecurity company specialising in smart contract audits and 360 degree security services for Web3.
