Jimbos Protocol Hack - May 2023
Incident Overview
On May 28, 2023, the Arbitrum-based Jimbos protocol fell victim to a Flash Loan Attack that resulted in the loss of 4,090 Ether (ETH), equivalent to approximately $7.5 million. The attack occurred 20 days after the protocol's launch.
Technical Vulnerability
Security analysts blamed the lack of slippage control in the main contract, which allowed the attacker to take out a $5.9 million flash loan, manipulate the price of the JIMBO token, and walk away with treasury funds.
Attack Mechanism
The attack followed these steps:
1. The attacker initiated a flash loan, borrowing 10,000 ETH as initial capital
2. The attacker exchanged the borrowed ETH for a substantial amount of Jimbo tokens through the [ETH-Jimbo] trading pair, causing a surge in the current price of Jimbo
3. The attacker manipulated the liquidity pool by invoking the JimboController's shift() function through a sequence of liquidity additions and removals
4. Following the manipulation, the attacker converted the acquired Jimbo tokens back into ETH and repaid the flash loan, exiting with substantial profits
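The slippage control described under Technical Vulnerability, and the rebalancing step in the attack sequence above, as an added example that is not Jimbos Protocol code: a toy constant-product pool (an assumption; the real protocol used a different AMM design) with a swap that enforces a minimum output, and a rebalance that refuses to act when the spot price has moved too far from a reference value. The tolerance and pool sizes are constructed.

```python
# Added example, not Jimbos Protocol code: a toy constant-product pool (the
# real protocol used a different AMM design) showing the slippage control the
# write-up says was missing from the contract's rebalancing step.

MAX_DEVIATION_BPS = 500  # assumed tolerance: 5% of the reference price

class Pool:
    """x * y = k pool holding ETH and a protocol token."""
    def __init__(self, eth: float, token: float):
        self.eth, self.token = eth, token

    def spot_price(self) -> float:
        return self.eth / self.token  # ETH per token

    def swap_eth_for_token(self, eth_in: float, min_token_out: float = 0.0) -> float:
        # Minimum-output check: the caller's own slippage bound on a swap.
        token_out = self.token - (self.eth * self.token) / (self.eth + eth_in)
        if token_out < min_token_out:
            raise ValueError("slippage: output below caller's minimum")
        self.eth += eth_in
        self.token -= token_out
        return token_out

def shift_unguarded(pool: Pool) -> float:
    # Weak pattern: rebalance around whatever price the pool reports right now.
    return pool.spot_price()

def shift_guarded(pool: Pool, reference: float, max_dev_bps: int = MAX_DEVIATION_BPS) -> float:
    # Hardened: refuse to rebalance if spot has moved more than max_dev_bps
    # from a trusted reference (e.g. a time-weighted price or last checkpoint).
    spot = pool.spot_price()
    dev_bps = abs(spot - reference) / reference * 10_000
    if dev_bps > max_dev_bps:
        raise ValueError(f"price moved {dev_bps:.0f} bps from reference; refusing to rebalance")
    return spot

def run_scenario() -> dict:
    # Constructed numbers: a small pool hit by one flash-loan-sized trade.
    pool = Pool(eth=1_000.0, token=1_000_000.0)
    reference = pool.spot_price()
    pool.swap_eth_for_token(10_000.0)  # a single large trade spikes the token price
    result = {"price_multiple": pool.spot_price() / reference,
              "unguarded_rebalanced": shift_unguarded(pool) > reference}
    try:
        shift_guarded(pool, reference)
        result["guarded_rebalanced"] = True
    except ValueError:
        result["guarded_rebalanced"] = False
    return result
```

In the scenario the unguarded rebalance happily anchors to a price more than a hundred times the reference, while the guarded one rejects it.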
Fund Movement
According to PeckShield's findings, the attackers extracted 4,090 ETH from the Arbitrum network and subsequently utilized the Stargate bridge and the Celer Network to transfer approximately 4,048 ETH to the Ethereum network.
Aftermath
The lack of adequate slippage controls allowed the attacker to steal $7.5 million from the 20-day-old protocol, causing its token value to drop by 40%. Jimbos said it was working with security researchers to reclaim lost funds and indicated they would contact law enforcement if the attacker failed to return the money.