Tapioca DAO, a decentralized money market protocol on LayerZero, suffered a security breach on October 18, causing its native TAP token to lose more than 90% of its value.
Blockchain security firm Cyvers has revealed that the protocol’s deployer address was compromised, leading to unauthorized changes to the ownership of the vesting contract.
The attack
The attacker exploited this vulnerability to withdraw over 21 million TAP tokens using an emergency backup function. The tokens were then exchanged for 591 ETH, causing APR to crash by 93%.
Further investigation revealed that the attacker used Stargate to link some of the stolen assets to BNB Chain. At press time, the suspicious address held approximately $4.7 million worth of BSC-USD and USDC on the BNB chain.
Cyvers estimates total losses from the breach to be approximately $16.9 million. However, Web3 security auditor Hacken suggested that figure could be as high as $38 million.
In the aftermath of the attack, Hacken warned users of phishing attempts. Malicious actors are reportedly spreading fake links promising refunds while tricking users into revoking their accounts.
The security company warned:
“We have noticed fake accounts pretending to be Tapioca_dao and posting phishing links under this thread. Please do not interact with suspicious links or messages claiming to be from Tapioca. Stay vigilant and protect your assets.
Tapioca DAO, which is building a DeFi money market and stablecoin on Layer Zero’s cross-chain infrastructure, has yet to issue a public statement regarding the breach as of press time.
Connection with North Korea
On-chain investigator ZachXBT speculated that the Tapioca DAO hack could be linked to malware uploaded by a team member.
He pointed out that this exploit could be linked to a series of recent hacks targeting projects such as Nexera, Concentric, Masa, SpaceCatch, Reach, Serenity Shield and MurAll.
ZachXBT highlighted that these attacks are part of a larger operation involving fake employment scams, potentially linked to state-sponsored threat actors from North Korea. However, there is no conclusive evidence linking the Tapioca breach to North Korea as of press time.