Tapioca DAO Private Key Social Engineering
TapiocaDAO is a decentralized organization building an Omnichain stablecoin ecosystem, with components such as Singularity, Big Bang and Pearlnet that are intended to improve interoperability in DeFi. Its flagship stablecoin, USDO (OmniDollar), is designed to be decentralized, censorship-resistant and scalable, with mechanisms intended to provide liquidity and efficiency across multiple networks. On October 18th, 2024, the project suffered a social engineering attack: a phishing lure led to malware being installed on the machine of one of the primary key-holders, which gave the attacker control of privileged contract roles. This enabled the minting of an effectively unbounded amount of USDO and the withdrawal of roughly 30M Tapioca (TAP) tokens from a vesting contract through its emergency rescue function. Unusually, the team later counter-attacked the hacker and recovered 1000 ETH, a large share of the funds involved. The situation is ongoing.[1][2][3][4][5][6][7][8][9][10][11][12]
About TapiocaDAO
TapiocaDAO is a decentralized autonomous organization (DAO) represented by a Cayman Islands Foundation. It created a decentralized Omnichain stablecoin ecosystem made up of several sub-protocols: Singularity, described as the first Omnichain isolated money market; Big Bang, an Omnichain CDP stablecoin creation engine; Yieldbox, a token vault; tOFT (Tapioca Omnichain Wrappers), which turn a fragmented asset into a unified Omnichain asset; twAML, an economic incentive consensus mechanism; and Pearlnet, a self-sovereign Omnichain verifier network.
Omnichain interoperability, aimed at unifying DeFi's fragmented liquidity and UX and enabled through the LayerZero modular generalized messaging network, underpins Tapioca's Omnichain CDP stablecoin creation engine, Big Bang. Big Bang lets users mint Tapioca's OmniDollar, USDO, against gas token and liquid staking token collateral from multiple networks in a chain-agnostic manner. The project argues that current stablecoins are little more than store credits because they lack native interoperability, whereas USDO, through the LayerZero OFT (Omnichain Fungible Token) standard, can exist on any EVM or non-EVM network. Tapioca's isolated money market, Singularity, also built on LayerZero, lets users on dozens of EVM and non-EVM networks lend, borrow and leverage yield-bearing assets. Pearlnet, a LayerZero Decentralized Verifier Network (DVN), is intended to give the Tapioca ecosystem Omnichain interoperability and composability while minimizing trust and remaining self-sovereign, avoiding the failures of earlier cross-chain protocols.
USDO, or the OmniDollar, is described as the first over-collateralized, decentralized and censorship-resistant Omnichain U.S. Dollar pegged stablecoin, built to address the stablecoin trilemma of price stability, censorship resistance and scalability. USDO only accepts decentralized gas tokens and liquid staking derivatives as collateral in order to remain censorship-resistant while staying capital efficient, and uses an incentive program, DAO Share Options (DSO), to grow its own liquidity. twAML (Time Weighted Average Magnitude Lock) is the economic incentive consensus mechanism behind DSO's oTAP call option incentive. These call option incentives let Tapioca capture protocol owned liquidity (POL), which the Tapioca DAO then uses to deepen USDO's liquidity on the open market.
What Happened
| Date | Event | Description |
|---|---|---|
| October 18th, 2024 4:09:49 AM MDT | Infinite USDO Mint Exploit | The attacker mints an effectively unbounded amount (315,522,735,360,502,617.7346702) of the USDO stablecoin. |
| October 18th, 2024 4:56:37 AM MDT | First Attack Transaction | The first attack transaction on Arbitrum, which transfers 15,000,000 TAP tokens to the attacker. |
| October 18th, 2024 4:58:11 AM MDT | Second Attack Transaction | The second attack transaction on Arbitrum, which transfers 11,773,539.252740904036736306 TAP tokens to the attacker. |
| October 18th, 2024 5:07:28 AM MDT | Third Attack Transaction | The third attack transaction on Arbitrum, which transfers 2,896,327.580071485527554571 TAP tokens to the attacker. |
| October 18th, 2024 5:16:00 AM MDT | 0xTeun Tweet | Twitter user 0xTeun posts a warning about a potential compromise of the platform. |
| October 18th, 2024 5:29:00 AM MDT | officer_cia Tweet | officer_cia posts about the apparent exploit of the smart contract, seeking confirmation. |
| October 18th, 2024 6:11:00 AM MDT | ZachXBT Connections | ZachXBT posts that the TapiocaDAO exploit may be related to other recent compromises, including Masa, Nahmii, Serenity Shield, Happy365Global, MurAll and Nexera. |
| October 18th, 2024 11:33:00 AM MDT | Tapioca DAO Announcement | Tapioca DAO makes an announcement about the exploit, that they were socially engineered, and about the active ongoing war room which they have set up to deal with the incident. |
Technical Details
No smart contract vulnerability was exploited in this incident. According to the team's own statement and on-chain observers, the attacker obtained the private key of one of the primary key-holders after malware was installed on that person's machine through a phishing lure. That key held the owner privileges over at least two contracts, and every attack transaction was a call to an owner-only function behaving as designed.
Two privilege chains were used. First, with ownership of the TAP token vesting contract, the attacker called its emergency rescue function to withdraw the vested TAP in three transactions (15,000,000, 11,773,539 and 2,896,327 TAP, roughly 30M in total) and sold it into the DAO-owned TAP/ETH liquidity pool, netting approximately 591 ETH according to the team (on-chain observers reported ~591 ETH from the first two sales and a further 13 ETH from the third). Second, with ownership of the USDO stablecoin contract, the attacker added a minter address under their control, minted an effectively unbounded amount of USDO (about 3.16 x 10^17 tokens), and used it to drain the USDO/USDC liquidity pair of about 2.8M USDC. The USDO mint (04:09 MDT) preceded the TAP withdrawals (04:56 to 05:07 MDT).
The practical lesson is that the security of both the vesting contract and the stablecoin supply reduced to the security of a single signer's endpoint. Owner roles that can add minters or rescue funds were exercisable by one key, with no delay during which the DAO or outside observers could react.
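The escalation chain above (owner key, then minter role, then unbounded mint) is generic to any token whose minter list is controlled by a single owner key. The following Solidity is an added illustration written for this page; it is not Tapioca's USDO or vesting code and makes no claim about how those contracts are structured. `SingleKeyMintable` shows the exposed pattern, and `CappedTimelockedMintable` shows two mitigations a practitioner would want: a delay before a newly proposed minter becomes active, and a per-window mint cap for each minter. All contract, function and constant names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only, not Tapioca's code. One owner key can add a minter,
// and any minter can mint without limit, so a single compromised key
// equals full control of the token supply.
contract SingleKeyMintable {
    address public owner;
    mapping(address => bool) public isMinter;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Takes effect immediately: no delay, no second signer, no cap.
    function setMinter(address who, bool allowed) external onlyOwner {
        isMinter[who] = allowed;
    }

    function mint(address to, uint256 amount) external {
        require(isMinter[msg.sender], "not minter");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened variant (hypothetical design). Minter additions go through a
// delay so that watchers can react, and each minter is capped per window
// so a compromised minter cannot mint an unbounded amount in one go.
contract CappedTimelockedMintable {
    address public owner;               // intended to be a multisig or timelock, not an EOA
    uint256 public constant DELAY = 2 days;
    uint256 public constant WINDOW = 1 days;

    struct MinterCfg { uint256 cap; uint256 mintedInWindow; uint256 windowStart; }
    mapping(address => MinterCfg) public minters;
    mapping(bytes32 => uint256) public pendingEta; // proposal id -> earliest execution time
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event MinterProposed(address indexed who, uint256 cap, uint256 eta);
    event MinterSet(address indexed who, uint256 cap);
    event MinterRevoked(address indexed who);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: announce the change on-chain and start the clock.
    function proposeMinter(address who, uint256 cap) external onlyOwner {
        bytes32 id = keccak256(abi.encode(who, cap));
        pendingEta[id] = block.timestamp + DELAY;
        emit MinterProposed(who, cap, pendingEta[id]);
    }

    // Step 2: only after DELAY has elapsed does the minter become active.
    function executeMinter(address who, uint256 cap) external onlyOwner {
        bytes32 id = keccak256(abi.encode(who, cap));
        uint256 eta = pendingEta[id];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete pendingEta[id];
        minters[who] = MinterCfg({cap: cap, mintedInWindow: 0, windowStart: block.timestamp});
        emit MinterSet(who, cap);
    }

    // Removing a minter is deliberately immediate: incident response
    // must not be slowed by the same delay that protects additions.
    function revokeMinter(address who) external onlyOwner {
        delete minters[who];
        emit MinterRevoked(who);
    }

    function mint(address to, uint256 amount) external {
        MinterCfg storage m = minters[msg.sender];
        require(m.cap != 0, "not minter");
        if (block.timestamp >= m.windowStart + WINDOW) {
            m.windowStart = block.timestamp;
            m.mintedInWindow = 0;
        }
        require(m.mintedInWindow + amount <= m.cap, "cap exceeded");
        m.mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

The delay only helps if the `MinterProposed` event is actually monitored and someone can act within the window, and if the owner is itself a multisig or timelock rather than a lone key; with a single compromised EOA as owner, the attacker can propose a minter and simply wait two days. The per-window cap limits the blast radius of a compromised minter, not of a compromised owner, since the owner chooses the cap. Neither mitigation replaces keeping signer keys off phishable endpoints.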
Total Amount Lost
The total amount lost has been estimated at $4,400,000 USD. This is based on the team's own accounting of 591 ETH and 2.8M USDC stolen. On-chain observers reported ~591 ETH from the sale of the first ~27M TAP and a further 13 ETH from the sale of the remaining ~3M TAP, so the ETH-denominated figure may be slightly higher than the team's summary.
Immediate Reactions
"Seems that the following address managed to exploit Emergency Rescue function on one of the Vesting contracts deployed by the Tapioca Deployer."
"He drained 27mln $TAP in two transactions. Sold that in one go resulting in ~591 $ETH
He just drained another 3mln and sold again for 13 $ETH.
All the tokens have been drained from the contract. No more selling pressure."
"Tapioca DAO has suffered a social engineering attack. This enabled the attacker to compromise the TAP token vesting contract’s ownership which allowed the attacker to claim and sell this 30M vested TAP, which impacted the TAP/ETH DAO owned LP. The attacker then also compromised the USDO stablecoin contract’s ownership and added a minter to infinite mint USDO and drain the USDO/USDC LP pair. In total, 591 ETH & 2.8M USDC were stolen.
We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control.
Please be aware of misinformation, scam links, and do not interact with any Tapioca contracts or tokens until further information is provided."
Ultimate Outcome
"We have hacked the hacker! Recovered 1000 ETH which is now safely in the DAO multisig. The 1000 ETH was DAO collateral within Big Bang Origins to mint USDO for USDO/USDC LP."
With this recovery, Tapioca's treasury now stands at $4.2M.
Total Amount Recovered
The recovery consisted of 1000 ETH, which the team states was DAO collateral held within Big Bang Origins and is now in the DAO multisig. The $4,200,000 USD figure reported is the size of Tapioca's treasury after this recovery, not an independent valuation of the recovered assets. No reimbursement plan for affected users has been reported.
Ongoing Developments
"Some funds have been recovered, though the full extent of the damage remains to be seen."
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Rekt - Tapioca DAO - Rekt (Accessed Oct 21, 2024)
- ↑ @0xTeun Twitter (Accessed Oct 21, 2024)
- ↑ @tapioca_dao Twitter (Accessed Oct 21, 2024)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Oct 21, 2024)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Oct 21, 2024)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Oct 21, 2024)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Oct 21, 2024)
- ↑ @zachxbt Twitter (Accessed Oct 21, 2024)
- ↑ @officer_cia Twitter (Accessed Oct 21, 2024)
- ↑ https://www.coingecko.com/en/coins/tapioca-dao-token (Accessed Oct 21, 2024)
- ↑ Tapioca - The Omnichain Money Market (Accessed Oct 21, 2024)
- ↑ TapiocaDAO | TapiocaDAO (Accessed Oct 21, 2024)