Tapioca offers $1M to ‘social engineering’ attacker who stole $4.7M

The Tapioca Foundation has offered a $1 million bounty to an attacker who stole $4.7 million from its decentralized finance protocol in what it has called a “social engineering attack.”

“We would like to offer you an attractive bounty settlement where you would walk away with funds that are fully legally yours, no strings attached,” Tapioca wrote in an Oct. 20 onchain message to the attacker’s crypto wallet.

It offered $1 million in Tether (USDT) — which it said was “significantly higher than the normal 10%” offered in bounties — in exchange for the attacker returning the remaining $3.7 million.

In an Oct. 18 X post, Tapioca said it “suffered a social engineering attack” where the attacker stole 591 Ether (ETH) and $2.8 million worth of USD Coin (USDC).

It explained that the attack compromised the ownership of the vesting contract for its Tapioca DAO Token (TAP) and the USDO stablecoin.

The attacker was able to claim and sell vested TAP and “added a minter to infinite mint USDO and drain” a liquidity pool for USDO and USDC.

Tapioca co-founder Matt Marino said in an Oct. 19 message on the project’s Discord that fellow pseudonymous co-founder “Rektora” was phished.

He added Rektora “downloaded something during an interview process,” and the software replaced a transaction with a malicious one, which is how the attackers gained access to the contracts.

In a later Discord post on Oct. 19, Marino claimed Tapioca had “hacked the hacker” and recovered 1,000 ETH, currently worth over $2.7 million, which was collateral backing the USDO stablecoin for a liquidity pool.

In the Oct. 18 attack, the attacker withdrew nearly 30 million TAP tokens from the vesting contract, swapped them for about $1.5 million worth of ETH, converted that into USDT and sent the funds to the BNB Chain, where they still remain, transactions in the attacker’s wallet show.

The attack has seen the TAP token effectively lose all its value. It’s currently trading at 2 cents, down from around $1.40 prior to the attack, according to CoinGecko.
