On 28 May 2023, the Arbitrum-based Jimbos Protocol project fell victim to a Flash Loan Attack. The attack led to a loss of 4,090 Ether (ETH), equivalent to an estimated value of around $7.5 million at that specific time.
Contract Under Attack:
1. The attacker initiated a flash loan, borrowing 10,000 ETH as the initial capital.
2. Subsequently, the attacker exchanged the borrowed ETH for a substantial amount of Jimbo funds through the [ETH-Jimbo] trading pair, causing a surge in the current price of Jimbo.
3. The attacker then transferred 100 JIMBO tokens to the JimboController contract.
4. By invoking the JimboController’s shift() function, the attacker manipulated the liquidity pool by adding and removing liquidity operations.
5. Following the manipulation, the attacker converted the acquired Jimbo tokens back into ETH and repaid the flash loan, thereby exiting the exploit with substantial profits.
The attack leveraged a vulnerability within the JimboController contract. This vulnerability allowed anyone to utilize the shift() function, enabling the execution of arbitrary liquidity addition and removal operations. The shift() function redirected the contract’s funds toward liquidity addition, resulting in the complete allocation of WETH held by the JimboController contract.
Due to the price imbalance between WETH and Jimbo tokens within the pool, the addition of liquidity considered the prevailing prices, allowing the attacker to acquire a larger amount of WETH and maximize their gains.
As a consequence of the hacking incident, the underlying token, Jimbo (JIMBO), faced a substantial decline in its price, plummeting by 40%. This depreciation in value can be directly attributed to the events surrounding the hack.
The official Twitter account of Jimbos Protocol has acknowledged the situation and stated their proactive engagement with various security researchers and on-chain analysts who have previously assisted in addressing exploits like Euler Finance and Sentiment.
They have also emphasized their commitment to resolving the issue and indicated their intention to involve law enforcement agencies if necessary.
Despite continuous efforts to strengthen security measures, the DeFi ecosystem continues to face an ongoing struggle in protecting itself against potential vulnerabilities and unauthorized access.
In light of this, it has become increasingly imperative for DeFi projects to collaborate with security auditors to enhance the security of their platforms. By doing so, it deters hackers from exploiting any vulnerabilities that may exist, thereby mitigating the risk of substantial financial losses.
Should you require an audit to enhance your project’s security, please do not hesitate to contact us.