Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/tapiocadaoprivatekeysocialengineering.php}} {{Unattributed Sources}} Tapioca DAO Logo/HomepageTapiocaDAO is a decentralized organization creating an Omnichain stablecoin ecosystem, featuring components like Singularity, Big Bang, and Pearlnet, which enhance interoperability in DeFi. Its flagship stablecoin, USDO (OmniDollar), is designed to be decentralized..."

2024-10-21T16:57:01Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/tapiocadaoprivatekeysocialengineering.php}} {{Unattributed Sources}} thumb|Tapioca DAO Logo/HomepageTapiocaDAO is a decentralized organization creating an Omnichain stablecoin ecosystem, featuring components like Singularity, Big Bang, and Pearlnet, which enhance interoperability in DeFi. Its flagship stablecoin, USDO (OmniDollar), is designed to be decentralized..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/tapiocadaoprivatekeysocialengineering.php}}
{{Unattributed Sources}}

[[File:Tapiocadao.jpg|thumb|Tapioca DAO Logo/Homepage]]TapiocaDAO is a decentralized organization creating an Omnichain stablecoin ecosystem, featuring components like Singularity, Big Bang, and Pearlnet, which enhance interoperability in DeFi. Its flagship stablecoin, USDO (OmniDollar), is designed to be decentralized, censorship-resistant, and scalable, utilizing innovative mechanisms to ensure liquidity and efficiency across multiple networks. On October 18th, the network suffered from a social engineering attack where malware was installed on one of the primary key-holders through a phishing attack. This enabled the minting of a huge number of stablecoin tokens and a subsequent draining of the emergency fund of Tapioca (TAP) tokens. In a rare event, the team managed to reverse attack the hacker and recover 1000 ETH, which is the vast majority of the stolen funds. The situation is ongoing.<ref name="rektnews-16187" /><ref name="0xteuntwitter-16188" /><ref name="tapiocadaotwitter-16189" /><ref name="arbiscan-16190" /><ref name="arbiscan-16191" /><ref name="arbiscan-16192" /><ref name="arbiscan-16193" /><ref name="zachxbttwitter-16194" /><ref name="officerciatwitter-16195" /><ref name="coingecko-16196" /><ref name="tapioca-16197" /><ref name="tapiocadocs-16198" />

== About TapiocaDAO ==
TapiocaDAO is a decentralized autonomous organization (DAO) represented by a Cayman Islands Foundation, which created a decentralized Omnichain stablecoin ecosystem, comprised of multiple sub-protocols, which includes; Singularity, the first-ever Omnichain isolated money market, Big Bang, an Omnichain CDP Stablecoin Creation Engine, Yieldbox, the most powerful token vault ever created, tOFT (Tapioca Omnichain Wrapper[s]) which transforms any fragmented asset into a unified Omnichain asset, twAML, an economic incentive consensus mechanism, and Pearlnet, the self-sovereign Omnichain verifier network.

Omnichain interoperability focused on unifying DeFi's now trademark fragmented liquidity & UX, enabled through the LayerZero modular generalized messaging network, facilitated the creation of Tapioca's Omnichain CDP stablecoin creation engine, Big Bang, enabling users to mint Tapioca's unstoppable OmniDollar, USDO, with gas token & liquid staking token collateral from multiple networks in a chain agnostic manner. Current stablecoins are little more than store credits due to their lack of native interoperability, whereas USDO through the LayerZero OFT (Omnichain Fungible Token) super-standard can exist on any EVM or non-EVM. Tapioca's isolated money market, Singularity, also powered by LayerZero, empowers users on dozens of EVM & non-EVM networks to lend, borrow, and leverage up yield bearing assets. Pearlnet, a LayerZero Decentralized Verifier Network (DVN), allows the Tapioca ecosystem to achieve Omnichain interoperability & composability while minimizing trust and remaining self sovereign to avoid the costly mistakes of cross-chain protocols of the past.

USDO, or the OmniDollar, is the first over-collateralized, decentralized & censorship resistant Omnichain U.S. Dollar pegged stablecoin, built to conquer the stablecoin trilemma of price stability, censorship resistance, and scalability, as well as to fill the current void of a lack of a truly unstoppable and scalable stablecoin. USDO offers an entirely new paradigm to decentralized stablecoins by only employing decentralized gas tokens & liquid staking derivatives to remain censorship resistant while also being capitally efficient, and utilizes a novel incentive program, DAO Share Options (DSO), to self-perpetuate USDO. twAML or Time Weighted Average Magnitude Lock, is a novel economic incentive consensus mechanism used to power DSO's novel oTAP call option incentive. These call option incentives enable Tapioca to capture protocol owned liquidity (POL), which in turn is utilized by the Tapioca DAO to self propagate USDO's liquidity depth on the open market. This enables USDO to become a scalable & decentralized U.S. Dollar stablecoin.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - Tapioca DAO Private Key Social Engineering
!Date
!Event
!Description
|-
|October 18th, 2024 4:09:49 AM MDT
|Infinite USDO Mint Exploit
|The attacker mints a near infinite amount (315,522,735,360,502,617.7346702) of the USDO stablecoin.
|-
|October 18th, 2024 4:56:37 AM MDT
|First Attack Transaction
|The first attack transaction on arbitrum, which transfers 15,000,000 TAP tokens to the attacker.
|-
|October 18th, 2024 4:58:11 AM MDT
|Second Attack Transaction
|The second attack transaction on arbitrum, which transfers 11,773,539.252740904036736306 TAP tokens to the attacker.
|-
|October 18th, 2024 5:07:28 AM MDT
|Third Attack Transaction
|The third attack transaction on arbitrum, which transfers 2,896,327.580071485527554571 TAP tokens to the attacker.
|-
|October 18th, 2024 5:16:00 AM MDT
|0xTuen Tweet
|Twitter user 0xTuen posts to warn about the potential compromise of the platform.
|-
|October 18th, 2024 5:29:00 AM MDT
|officer_cia Tweet
|officer_cia posts about the exploit of the smart contract to seek confirmation.
|-
|October 18th, 2024 6:11:00 AM MDT
|ZachXBT Connections
|ZachXBT makes a post about how the exploit in the TapiocaDAO may be related to some other recent compromises, including Masa, Nahmii, Serenity Shield, Happy365Global, MurAll, Nexera
|-
|October 18th, 2024 11:33:00 AM MDT
|Tapioca DAO Announcement
|Tapioca DAO makes an announcement about the exploit, that they were socially engineered, and about the active ongoing war room which they have set up to deal with the incident.
|}

== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

== Total Amount Lost ==
The total amount lost has been estimated at $4,400,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
"Seems that the following address managed to exploit Emergency Rescue function on one of the Vesting contracts deployed by the Tapioca Deployer."

"He drained 27mln $TAP in two transactions. Sold that in one go resulting in ~591 $ETH

He just drained another 3mln and sold again for 13 $ETH.

All the tokens have been drained from the contract. No more selling pressure."

"Tapioca DAO has suffered a social engineering attack. This enabled the attacker to compromise the TAP token vesting contract’s ownership which allowed the attacker to claim and sell this 30M vested TAP, which impacted the TAP/ETH DAO owned LP. The attacker then also comprised the USDO stablecoin contract’s ownership and added a minter to infinite mint USDO and drain the USDO/USDC LP pair. In total, 591 ETH & 2.8M USDC were stolen.

We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control.

Please be aware of misinformation, scam links, and do not interact with any Tapioca contracts or tokens until further information is provided."

== Ultimate Outcome ==
"We have hacked the hacker! Recovered 1000 ETH which is now safely in the DAO multisig. The 1000 ETH was DAO collateral within Big Bang Origins to mint USDO for USDO/USDC LP."

With this recovery, Tapioca's treasury now stands at $4.2M.

== Total Amount Recovered ==
The total amount recovered has been estimated at $4,200,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
"Some funds have been recovered, though the full extent of the damage remains to be seen, though the full extent of the damage remains to be seen."
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-16187">[https://rekt.news/tapioca-dao-rekt/ Rekt - Tapioca DAO - Rekt] (Accessed Oct 21, 2024)</ref>

<ref name="0xteuntwitter-16188">[https://twitter.com/0xTeun/status/1847235350915145888 @0xTeun Twitter] (Accessed Oct 21, 2024)</ref>

<ref name="tapiocadaotwitter-16189">[https://twitter.com/tapioca_dao/status/1847330264139145361 @tapioca_dao Twitter] (Accessed Oct 21, 2024)</ref>

<ref name="arbiscan-16190">[https://arbiscan.io/tx/0x8cf8def40fa2beab66f46863478bea71ad8f4512003caf2fa639cc5a00550753 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Oct 21, 2024)</ref>

<ref name="arbiscan-16191">[https://arbiscan.io/tx/0x1abb8cf0b0af2ce19a30ce5103d51269d4600d9aeba045260feb588db89d76a4 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Oct 21, 2024)</ref>

<ref name="arbiscan-16192">[https://arbiscan.io/tx/0x174c3deaf563be1bb6d873ba279421e8588acc888ef672bafd5efe7441aae74f Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Oct 21, 2024)</ref>

<ref name="arbiscan-16193">[https://arbiscan.io/tx/0x0bca43cfb5b14ea039f2b329cb6074383d54ed8240963014ccb6400befa5a4e3 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Oct 21, 2024)</ref>

<ref name="zachxbttwitter-16194">[https://twitter.com/zachxbt/status/1847249205720408138 @zachxbt Twitter] (Accessed Oct 21, 2024)</ref>

<ref name="officerciatwitter-16195">[https://twitter.com/officer_cia/status/1847238678931759489 @officer_cia Twitter] (Accessed Oct 21, 2024)</ref>

<ref name="coingecko-16196">[https://www.coingecko.com/en/coins/tapioca-dao-token https://www.coingecko.com/en/coins/tapioca-dao-token] (Accessed Oct 21, 2024)</ref>

<ref name="tapioca-16197">[https://www.tapioca.xyz/ Tapioca - The Omnichain Money Market] (Accessed Oct 21, 2024)</ref>

<ref name="tapiocadocs-16198">[https://docs.tapioca.xyz/tapioca TapiocaDAO | TapiocaDAO] (Accessed Oct 21, 2024)</ref></references>

Tapioca DAO Private Key Social Engineering - Revision history