A Detailed Analysis of Arbitrum-based Jimbos Protocol’s $7.5 Million Hack

On 28 May 2023, Jimbos Protocol, a DeFi project on Arbitrum, fell victim to a flash loan attack: the attacker borrowed the starting capital via a flash loan, manipulated the JIMBO price, and drained about 4,090 ETH, worth roughly $7.5 million at the time.

Incident Analysis

Attacker’s Address:


Attack Contract:


Contract Under Attack:


Attack Transaction:


Attack Process

1. The attacker took out a flash loan of 10,000 ETH as starting capital.

2. The attacker swapped the borrowed ETH for a large amount of JIMBO through the ETH-JIMBO trading pair, pushing the pool's JIMBO price far above its prior level.

3. The attacker then transferred 100 JIMBO to the JimboController contract.

4. The attacker called JimboController's shift() function, which removed the controller's liquidity and re-added it to the pool at the manipulated spot price.

5. With the controller's WETH now sitting in the pool at an inflated JIMBO price, the attacker sold the JIMBO back for ETH, repaid the flash loan and kept the difference.

Vulnerability Analysis

The root cause lay in the JimboController contract. Its shift() function had no access control, so anyone could trigger the controller's liquidity removal and re-addition at will, and it priced the re-added liquidity off the pool's current spot price without any sanity check. Each call moved the controller's entire WETH balance into the pool as liquidity.

Because the attacker had first skewed the WETH/JIMBO ratio in the pool, the liquidity was added at that inflated price: the controller's WETH was effectively offered for the attacker's JIMBO at far above its fair value. Selling the JIMBO back into the now much deeper pool returned more ETH than the flash loan had cost, which is where the profit came from. Either a caller restriction on shift() or a check of the spot price against a manipulation-resistant reference (such as a TWAP) would have broken this attack path, since a flash loan only works if every step completes within one transaction.
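To make the five attack steps and the two missing checks concrete, the following simulation is an added example, not code from Jimbos Protocol or from the original write-up. A simple constant-product AMM stands in for the real ETH-JIMBO pool (whose mechanics the write-up does not describe), the balances are constructed for the example, and the HardenedController with its keeper-only gate and price-deviation check is a hypothetical mitigation, not the project's actual fix. It runs the attack against a controller whose shift() behaves as described above, then against the hardened one.

```python
from fractions import Fraction as F

# Added illustration, not Jimbos Protocol code. A constant-product pool stands in
# for the real ETH-JIMBO pool (whose mechanics this write-up does not describe);
# every balance below is constructed for the example, not taken from chain data.

class Pool:
    """Minimal fee-less x*y=k AMM holding ETH and JIMBO reserves."""

    def __init__(self, eth, jimbo):
        self.eth, self.jimbo = F(eth), F(jimbo)

    def price(self):  # spot price in ETH per JIMBO
        return self.eth / self.jimbo

    def buy_jimbo(self, eth_in):  # swap ETH -> JIMBO, returns JIMBO received
        out = self.jimbo - self.eth * self.jimbo / (self.eth + eth_in)
        self.eth, self.jimbo = self.eth + eth_in, self.jimbo - out
        return out

    def sell_jimbo(self, jimbo_in):  # swap JIMBO -> ETH, returns ETH received
        out = self.eth - self.eth * self.jimbo / (self.jimbo + jimbo_in)
        self.eth, self.jimbo = self.eth - out, self.jimbo + jimbo_in
        return out

    def add_liquidity(self, eth, jimbo):  # proportional deposit: deeper pool, same price
        self.eth, self.jimbo = self.eth + eth, self.jimbo + jimbo

class VulnerableController:
    """shift() as the write-up describes it: anyone may call it, and it re-deploys
    the controller's entire WETH balance as liquidity at the current spot price."""

    def __init__(self, pool, weth, jimbo):
        self.pool, self.weth, self.jimbo = pool, F(weth), F(jimbo)

    def shift(self, caller):
        jimbo_needed = self.weth / self.pool.price()
        if jimbo_needed > self.jimbo:
            raise ValueError("controller lacks JIMBO to pair with its WETH")
        self.pool.add_liquidity(self.weth, jimbo_needed)
        self.weth, self.jimbo = F(0), self.jimbo - jimbo_needed

class HardenedController(VulnerableController):
    """Hypothetical mitigations (not the project's actual fix): shift() is keeper-only,
    and the spot price must lie within max_deviation of a reference price (e.g. a
    TWAP) that a single atomic swap cannot move."""

    def __init__(self, pool, weth, jimbo, keeper, reference_price, max_deviation=F(1, 20)):
        super().__init__(pool, weth, jimbo)
        self.keeper, self.max_deviation = keeper, max_deviation
        self.reference_price = F(reference_price)

    def shift(self, caller):
        if caller != self.keeper:
            raise PermissionError("shift() is keeper-only")
        spot = self.pool.price()
        if abs(spot - self.reference_price) / self.reference_price > self.max_deviation:
            raise ValueError("spot price deviates too far from reference")
        super().shift(caller)

def run_attack(controller, loan=10_000, deposit=100):
    """Steps 1-5 of the write-up as one atomic transaction; returns ETH profit
    after the flash loan is repaid (negative means the attack lost money)."""
    pool, loan = controller.pool, F(loan)
    jimbo = pool.buy_jimbo(loan)            # 1-2: borrowed ETH pumps the JIMBO price
    jimbo -= deposit                        # 3: the 100 JIMBO transfer the write-up records
    controller.jimbo += deposit
    controller.shift(caller="attacker")     # 4: controller's WETH lands in the pool
    return pool.sell_jimbo(jimbo) - loan    # 5: dump JIMBO into it, repay the loan

def fresh(controller_cls, **kw):
    pool = Pool(eth=1_000, jimbo=1_000_000)   # fair price: 0.001 ETH per JIMBO
    return controller_cls(pool, weth=4_000, jimbo=200_000, **kw)

def attack_vulnerable(deposit=100):
    return run_attack(fresh(VulnerableController), deposit=deposit)

def attack_hardened():
    """Name of the exception that stops the attack, or None if it succeeds."""
    try:
        run_attack(fresh(HardenedController, keeper="keeper", reference_price=F(1, 1000)))
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None

def sandwiched_keeper_shift():
    """The price check also refuses the keeper if it is baited into calling shift()
    right after the pump; returns the exception name, or None if it went through."""
    c = fresh(HardenedController, keeper="keeper", reference_price=F(1, 1000))
    c.pool.buy_jimbo(F(10_000))
    try:
        c.shift(caller="keeper")
    except ValueError as exc:
        return type(exc).__name__
    return None
```

With these constructed balances the vulnerable controller hands the attacker a net 3,200 ETH (exactly 3,200 when the 100 JIMBO deposit is skipped, a fraction less with it), which is the same mechanism that produced the 4,090 ETH loss described above: the profit is X^2 (r-1)/(r E0 + X), where X is the loan, E0 the pool's original ETH reserve and r the factor by which shift() deepened the pool. Against the hardened controller the attacker's own call fails the keeper check, and a keeper call made right after the pump fails the deviation check, so neither ordering lets the controller's WETH be re-priced inside the attacker's transaction. The deviation bound and reference price are stand-ins; a real deployment would source the reference from an on-chain TWAP and tune the bound to the pool's normal volatility.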

Subsequent Updates

As a consequence of the hack, the protocol's token, Jimbo (JIMBO), lost roughly 40% of its price, a drop directly attributable to the exploit.

Jimbos Protocol's official Twitter account acknowledged the incident and said the team was working with security researchers and on-chain analysts who had previously helped respond to the Euler Finance and Sentiment exploits.

The team also stated that it is committed to resolving the matter and would involve law enforcement agencies if necessary.

Final Thoughts

Despite continuous efforts to strengthen security, the DeFi ecosystem continues to struggle to protect itself against vulnerabilities and unauthorized access.

Against this background it has become all the more important for DeFi projects to work with security auditors to harden their platforms. An audit that catches an unrestricted privileged function or an unchecked reliance on spot prices, the two flaws at the heart of this incident, removes the openings attackers rely on and reduces the risk of substantial financial losses.

Should you require an audit to enhance your project’s security, please do not hesitate to contact us.
