Tapioca DAO: Social engineering → private key compromise → vesting contract ownership takeover + stablecoin infinite mint → TAP dump + USDO/USDC LP drain
Tapioca DAO lost $4.4M when a social engineering attack — likely via malware-laced fake job offer — compromised the private key controlling the vesting and stablecoin contracts, enabling a TAP dump, quintillion-USDO mint, and LP drain before the team counter-hacked to recover 1,000 ETH.
Summary
Tapioca DAO, a yield / DAO / omnichain protocol (token vesting + CDP stablecoin), suffered a security incident on 2024-10-18, resulting in a loss of approximately $4M.
Linked factors
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Emergency Rescue function called by compromised owner key; stablecoin minter role added; ownership transferred on both vesting and stabl...]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Emergency Rescue function called by compromised owner key; stablecoin minter role added; ownership transferred on both vesting and stabl...]