This incident once again brought to the fore major security vulnerabilities in the decentralized finance (DeFi) ecosystem. On October 20, the Tapioca Foundation sent an on-chain message to the wallet associated with the attack, offering the attacker the opportunity to get away with the incident “with impunity” without facing legal consequences.

The Foundation announced that the attacker would receive a reward of 1 million USDT if they returned the remaining $ 3.7 million, and gave them until October 22 at 16:00 UTC to accept this offer.

The attacker has yet to respond to the bounty and the protocol has suspended all operations, warning users not to interact with any Tapioca contracts.

This major attack took place on October 18, as a result of a social engineering attack on the protocol’s pseudonymous co-founder, “Rektora”. Social engineering attacks often mislead victims into revealing sensitive information or downloading malicious software.

According to the statement made by Matt Marino, Rektora’s download of a malicious software allowed the attackers to gain control over the vesting contract of the protocol’s native token, TAP.

This control allowed the attackers to withdraw 30 million TAP tokens. The price of the TAP token, which was worth approximately $1.40 per token at the time of the incident, dropped to $0.01 after this attack. Additionally, the attackers also compromised the USDO stablecoin contract, stealing a total of approximately $4.4 million.

The attacker seized 2.8 million USDC and 1.57 million ETH from the USDO/USDC liquidity pool. These stolen funds were quickly converted to ETH, then USDT, and finally moved from Arbitrum to the BNB Chain.

The events that followed the attack are also remarkable. In an update about the project on Discord on October 19, Marino claimed that he managed to recover 1,000 ETH by “hacking” the attacker. However, this incident raises questions about whether the attacker will be encouraged to return the remaining funds.

These types of attacks are not new in the DeFi world. Last year, DeFi lending protocol Euler Finance successfully managed to recover 58,000 ETH stolen in a flash loan attack.

The protocol sent an on-chain message after the attack, demanding that the attacker return the funds and offering a reward of $1 million for information that would reveal the identity of the attacker if not returned.

However, not all reward offers are successful. For example, crypto exchange WazirX launched an $11.5 million reward program after a $234 million loss last year, but to date the stolen funds have not been recovered. The attackers managed to hide their tracks by laundering these funds through privacy-focused platforms such as Tornado Cash.

The situation of the Tapioca DAO has once again highlighted the ongoing challenges to the security of DeFi protocols. It remains unclear whether the attacker will accept the offer.