According to Cointelegraph, the Tapioca Foundation has proposed a $1 million bounty to an attacker who stole $4.7 million from its decentralized finance protocol in what it described as a 'social engineering attack.' The foundation made the offer in an onchain message to the attacker's crypto wallet on October 20, suggesting the attacker could legally keep the bounty if they returned the remaining $3.7 million. The bounty, offered in Tether (USDT), is significantly higher than the typical 10% offered in such cases.

The attack, which occurred on October 18, involved the theft of 591 Ether (ETH) and $2.8 million worth of USD Coin (USDC). The attacker compromised the ownership of the vesting contract for Tapioca DAO Token (TAP) and of the USDO stablecoin contract, allowing them to claim and sell vested TAP and mint an infinite amount of USDO, draining a liquidity pool for USDO and USDC.

Tapioca co-founder Matt Marino revealed on October 19 that the attack was a result of fellow co-founder 'Rektora' being phished. Rektora had downloaded malicious software during an interview process, which replaced a transaction with a malicious one, granting the attackers access to the contracts. Marino later claimed that the foundation had 'hacked the hacker' and recovered 1,000 ETH, worth over $2.7 million, which was collateral backing the USDO stablecoin for a liquidity pool.

The attacker withdrew nearly 30 million TAP tokens from the vesting contract, swapped them for about $1.5 million worth of ETH, converted that into USDT, and sent the funds to the BNB Chain, where they remain. The attack has caused the TAP token to lose nearly all its value, currently trading at 2 cents, down from around $1.40 prior to the attack, according to CoinGecko.