Rob Behnke
October 22nd, 2024
In October 2024, Tapioca DAO became one of many DeFi projects to suffer a private key compromise this year. In this case, the attacker managed to steal an estimated $4.4 million from the protocol, though some funds were recovered.
According to a post by the Tapioca Foundation, this incident was the result of a social engineering attack. While the exact details have not yet been released, one common tactic used by the North Korean Lazarus Group is to reach out to blockchain developers and team members with fake job postings. During a skills assessment, the targets are instructed to download a code repository or program that installs malware on their computer and steals private keys.
In this case, the Tapioca DAO attacker used a compromised key to take over the project’s token vesting contract. With this access, they were able to steal the 30 million vested TAP tokens in the contract.
The attacker went on to gain control over the project’s $USDO stablecoin contract as well and performed a malicious minting attack. This resulted in the creation of 5 quintillion $USDO. They also drained $3 million from the USDO/USDC Uniswap pool.
Across the various attacks, an estimated 591 ETH and 2.8 million USDC were stolen. A later announcement by the Tapioca Foundation on Discord stated that they had successfully hacked the attacker to retrieve 1000 ETH.
The Tapioca DAO hack was linked to several other recent hacks of DeFi projects. These largely involved the deployment of malware via social engineering that allowed the attackers to compromise private keys and drain funds from impacted projects. This modus operandi is commonly attributed to the Lazarus Group, which specializes in social engineering attacks and has performed many similar hacks in the DeFi space.
These attacks are generally sophisticated, and the hacking group has significant resources to support its efforts, making a defense-in-depth strategy essential. On the individual level, blockchain developers should be wary of the job offers used in these scams and run any downloads through a malware scanner before building a repo or executing a program.
Projects can also protect themselves against this threat by deploying multisig wallets and implementing least-privilege access controls to reduce the damage that can be done with a compromised private key. For help in designing and implementing defenses for your DeFi project, reach out to Halborn.
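To make the effect of those two controls concrete, the following added example (not code from Tapioca DAO or Halborn) models how much an attacker can do with stolen keys under a single all-powerful key versus a 2-of-N approval policy with per-key action scoping. The key names, action names, and grants are constructed for illustration and do not describe any real project's setup.

```python
"""Toy model (constructed data): blast radius of stolen keys under two admin designs."""

class SingleOwner:
    """One key holds every privilege on the contract."""
    def __init__(self, owner):
        self.owner = owner

    def authorize(self, action, signers):
        # Any action is allowed as soon as the owner key signs.
        return self.owner in signers


class ThresholdRoles:
    """M-of-N approval per action, with each key scoped to specific actions."""
    def __init__(self, threshold, grants):
        self.threshold = threshold
        self.grants = grants  # key -> set of actions that key may approve

    def authorize(self, action, signers):
        # Count distinct signers only, and only those granted this action.
        valid = {k for k in set(signers) if action in self.grants.get(k, set())}
        return len(valid) >= self.threshold


def blast_radius(policy, stolen_keys, actions):
    """Return the actions an attacker holding stolen_keys can execute alone."""
    return sorted(a for a in actions if policy.authorize(a, stolen_keys))


# Hypothetical privileged actions and key grants.
ACTIONS = ["transfer_ownership", "mint", "withdraw_vested"]
GRANTS = {
    "dev_laptop_key": {"mint"},
    "ops_key_1": {"mint", "withdraw_vested"},
    "ops_key_2": {"mint", "withdraw_vested", "transfer_ownership"},
    "cold_key": {"transfer_ownership", "withdraw_vested"},
}
single = SingleOwner("dev_laptop_key")
scoped = ThresholdRoles(2, GRANTS)

if __name__ == "__main__":
    print("single owner, 1 key stolen:", blast_radius(single, ["dev_laptop_key"], ACTIONS))
    print("2-of-N scoped, 1 key stolen:", blast_radius(scoped, ["dev_laptop_key"], ACTIONS))
    print("2-of-N scoped, 2 keys stolen:",
          blast_radius(scoped, ["dev_laptop_key", "ops_key_1"], ACTIONS))
```

The third case shows the residual risk: a threshold only helps if the approving keys live on separate devices and with separate people, so that one malware infection does not yield enough of them.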