The Arbitrum-based Jimbos Protocol was hacked on the morning of May 28, losing 4,090 ETH, worth approximately $7.5 million at the time.
According to blockchain security firm PeckShield, the attacker exploited a lack of slippage control in the protocol's liquidity-shifting operation. Because that operation rebalanced the protocol-owned liquidity without checking whether the current price was sane, an attacker could first skew the pool price and then have the protocol deploy its liquidity into that imbalanced price range, letting the attacker unwind the position against the protocol's own funds for a profit.
It appears today's @jimbosprotocol hack leads to the 4090 ETH loss (w/ ~$7.5M).
This hack is due to the lack of slippage control of liquidity-shifting operation — such that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in… https://t.co/wnQAeksojz pic.twitter.com/TPlqNlvnZD
— PeckShield Inc. (@peckshield) May 28, 2023
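To make the failure mode concrete, here is an added, deliberately simplified model of the attack class PeckShield describes: a price-skewing swap, followed by an unguarded liquidity shift at the manipulated spot price, followed by the unwind. This is illustrative code written for this article, not Jimbos' contracts; it uses a fee-less constant-product pool instead of concentrated-liquidity ranges, and the pool sizes, the 5% tolerance and the names (`shift_liquidity_unguarded`, `shift_liquidity_guarded`, `attacker_round_trip`) are assumptions. The guarded variant shows the missing control: refuse to shift liquidity when the spot price deviates from a reference price (for example a TWAP observed before the transaction) by more than a tolerance.

```python
from dataclasses import dataclass

# Assumed tolerance: at most 5% deviation between spot and reference price.
TOLERANCE_BPS = 500


class PriceDeviation(Exception):
    """Raised when the pool's spot price is too far from the reference price."""


@dataclass
class Pool:
    """Toy constant-product pool (eth * tok = k) with no fees; a simplification."""
    eth: float
    tok: float

    def price_tok_per_eth(self) -> float:
        return self.tok / self.eth

    def swap_eth_for_tok(self, eth_in: float) -> float:
        k = self.eth * self.tok
        new_eth = self.eth + eth_in
        new_tok = k / new_eth
        out = self.tok - new_tok
        self.eth, self.tok = new_eth, new_tok
        return out

    def swap_tok_for_eth(self, tok_in: float) -> float:
        k = self.eth * self.tok
        new_tok = self.tok + tok_in
        new_eth = k / new_tok
        out = self.eth - new_eth
        self.eth, self.tok = new_eth, new_tok
        return out

    def add_liquidity_at_spot(self, eth_amt: float) -> float:
        """Deposit eth_amt plus the matching tok amount at the *current* spot ratio."""
        tok_amt = eth_amt * self.price_tok_per_eth()
        self.eth += eth_amt
        self.tok += tok_amt
        return tok_amt


def shift_liquidity_unguarded(pool: Pool, eth_amt: float, reference_price: float) -> None:
    """Vulnerable pattern: trusts whatever spot price the pool shows right now."""
    pool.add_liquidity_at_spot(eth_amt)


def shift_liquidity_guarded(pool: Pool, eth_amt: float, reference_price: float,
                            tolerance_bps: int = TOLERANCE_BPS) -> None:
    """Hardened pattern: revert if spot deviates from the reference price too much."""
    spot = pool.price_tok_per_eth()
    deviation_bps = abs(spot - reference_price) / reference_price * 10_000
    if deviation_bps > tolerance_bps:
        raise PriceDeviation(f"spot deviates {deviation_bps:.0f} bps from reference")
    pool.add_liquidity_at_spot(eth_amt)


def attacker_round_trip(shift, eth_in: float = 50.0, protocol_eth: float = 150.0) -> float:
    """Skew the price, trigger the protocol's liquidity shift, unwind; return attacker profit in ETH."""
    pool = Pool(eth=100.0, tok=100_000.0)          # constructed starting state: 1,000 TOK per ETH
    reference = pool.price_tok_per_eth()           # reference price captured before the attack
    tok_got = pool.swap_eth_for_tok(eth_in)        # step 1: push the price off its fair level
    try:
        shift(pool, protocol_eth, reference)       # step 2: protocol deploys liquidity at that price
    except PriceDeviation:
        pass                                       # the guarded version refuses the shift
    eth_back = pool.swap_tok_for_eth(tok_got)      # step 3: sell back into the deeper pool
    return eth_back - eth_in


if __name__ == "__main__":
    print("unguarded shift, attacker profit:", attacker_round_trip(shift_liquidity_unguarded))
    print("guarded shift, attacker profit:  ", attacker_round_trip(shift_liquidity_guarded))
```

Without the guard the round trip nets the attacker 10 ETH out of the protocol's deposit; with the guard the shift reverts and the round trip returns the attacker exactly what was put in. In production the reference price should come from a manipulation-resistant source such as a multi-block TWAP, not from the same pool's spot price in the same transaction.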
After draining approximately 4,090 ETH on Arbitrum, the attacker bridged the funds to the Ethereum network using the Stargate bridge and the Celer Network.
Jimbos is a liquidity protocol built on Arbitrum that is designed to make token swaps efficient, particularly between Ether (ETH) and tokens paired with it. As decentralized finance (DeFi) platforms continue to gain popularity, protocols like Jimbos attract users who want to trade cryptocurrencies and supply liquidity to the market.
Because the protocol had launched only 20 days earlier, its mechanism had not been hardened enough to withstand such an attack. The incident caused a roughly 40 percent drop in the value of its native token, Jimbo (JIMBO), from $0.31 to $0.19.
Response from Jimbos team
The team behind Jimbos has acknowledged the exploit. They announced that they were working with "multiple security researchers and on-chain analysts" who had previously worked on exploits of other platforms, such as Euler Finance and Sentiment.
“We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals,” the team said on Twitter.
We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals.
We will release further information when possible.
— Jimbos Protocol (v2, soon) (@jimbosprotocol) May 28, 2023
Cryptogle, an on-chain investigator who helped recover $200 million for Euler Finance, has confirmed the protocol's update and stressed that the hacker is about to face severe consequences.
In March, Euler Finance suffered a flash loan exploit. After on-chain investigators discovered the hacker’s real identity, the attacker returned the majority of the stolen funds in April to avoid legal repercussions.
Jimbos is now seeking a similar resolution and has reached out to renowned on-chain analysts for assistance.
“We will start working with law enforcement agencies tomorrow by 4 PM UTC if this isn’t sorted out by then,” the team said.
Repeating incidents in the industry
Although the number of attacks on DeFi protocols fell by 70 percent in Q1 2023 compared with previous years, the community still faces a steady stream of exploits.
Ari Redbord, the head of legal and government affairs at TRM Labs, explained that vulnerabilities persist in certain areas of the crypto industry. For example, exploits targeting bridges and protocols continue to occur at an “unprecedented” pace and magnitude.
A recent example is the flash loan attack on the 0VIX protocol, which led to a loss of approximately $2 million. Last week, the privacy-focused protocol Tornado Cash suffered a governance attack in which unknown attackers gained control of the protocol's governance and obtained 6,000 Tornado Cash (TORN) tokens, which they swapped for ETH. As a result, the native token's value plummeted by 35 percent.