Jimbos Protocol, an Arbitrum-based liquidity protocol, suffered an exploit on May 27 that resulted in a significant loss of 4,000 Ethereum (ETH), worth approximately $7.5 million. Following the hack, the developers behind the protocol have started taking active measures, working with multiple security researchers and on-chain analysts to move forward.
Decentralized Finance (DeFi) protocols are no strangers to hacking incidents. Despite a reported decrease in the frequency of such attacks compared to previous years, the community remains vulnerable to a range of exploits. Chainalysis, a blockchain data platform, estimates that about $3.8 billion was stolen in crypto hacks, most of it from DeFi protocols. As TRM Labs reported on May 21, 2023,
“The average hack size also took a hit in Q1 2023 – to USD 10.5 million from nearly USD 30 million in the same quarter of 2022, even as the number of incidents was similar (around 40).”
Another Attack On DeFi
On May 28, the blockchain security firm PeckShield took to Twitter to reveal that Jimbos had suffered a security breach, resulting in the loss, just three days after its version 2 was launched. The hacker reportedly exploited the lack of slippage control on the protocol's liquidity conversions, which made it possible to manipulate swap orders for personal profit.
It appears today's @jimbosprotocol hack leads to the 4090 ETH loss (w/ ~$7.5M).
This hack is due to the lack of slippage control of liquidity-shifting operation — such that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in… https://t.co/wnQAeksojz pic.twitter.com/TPlqNlvnZD
— PeckShield Inc. (@peckshield) May 28, 2023
The security firm further reported that the exploiter used a $5.9 million flash loan to manipulate the price of the protocol's native token, JIMBO, in order to carry out the attack. For the unversed, slippage refers to the difference between the expected price of a transaction and the price at which it is actually executed. This gap typically arises when market orders are filled during periods of high volatility, when prices can move significantly between quote and execution. PeckShield wrote,
“This hack is due to the lack of slippage control of liquidity-shifting operation — such that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in a reverse swap for profit.”
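To make the quoted failure mode concrete, the following is an added illustration, not code from Jimbos Protocol or PeckShield: a toy constant-product pool in which a "liquidity shift" converts protocol-owned ETH into the protocol token. The unchecked version accepts whatever output the pool currently gives, so if the pool's price range has been skewed before the call, the protocol buys at the distorted price. The checked version derives a minimum acceptable output from an external reference price (for example a TWAP) and a tolerance in basis points, and refuses the conversion when the pool's price deviates too far. All reserve values, the reference price and the tolerance are constructed sample numbers, and the pool ignores fees.

```python
"""Toy constant-product AMM: liquidity shift with and without a slippage bound.
Added illustration with constructed sample values; not Jimbos Protocol code."""

from dataclasses import dataclass

BPS = 10_000  # basis-point denominator (100% == 10_000 bps)


class SlippageExceeded(Exception):
    """Raised when a conversion would execute too far from the expected price."""


@dataclass
class Pool:
    reserve_eth: int  # ETH side of the pool (whole units for readability)
    reserve_tok: int  # protocol-token side of the pool

    def quote_tok_for_eth(self, eth_in: int) -> int:
        """Constant-product (x * y = k) output for selling eth_in into the pool."""
        k = self.reserve_eth * self.reserve_tok
        return self.reserve_tok - k // (self.reserve_eth + eth_in)

    def swap_eth_for_tok(self, eth_in: int, min_tok_out: int) -> int:
        """Execute the swap; revert unless the output meets the caller's bound."""
        tok_out = self.quote_tok_for_eth(eth_in)
        if tok_out < min_tok_out:
            raise SlippageExceeded(f"got {tok_out} tokens, required at least {min_tok_out}")
        self.reserve_eth += eth_in
        self.reserve_tok -= tok_out
        return tok_out


def expected_tok_out(eth_in: int, reference_tok_per_eth: int) -> int:
    """Output expected at a reference price (e.g. a TWAP), before price impact."""
    return eth_in * reference_tok_per_eth


def min_out_for_tolerance(expected: int, max_slippage_bps: int) -> int:
    """Lowest output the caller will accept, given a tolerance in basis points."""
    return expected * (BPS - max_slippage_bps) // BPS


def shift_liquidity_unchecked(pool: Pool, eth_in: int) -> int:
    """Weak pattern: convert protocol-owned ETH at whatever price the pool shows now.
    A min_tok_out of 0 means a skewed pool is accepted without complaint."""
    return pool.swap_eth_for_tok(eth_in, min_tok_out=0)


def shift_liquidity_checked(
    pool: Pool, eth_in: int, reference_tok_per_eth: int, max_slippage_bps: int
) -> int:
    """Hardened pattern: bound the conversion by a price the pool cannot set on its own."""
    expected = expected_tok_out(eth_in, reference_tok_per_eth)
    min_out = min_out_for_tolerance(expected, max_slippage_bps)
    return pool.swap_eth_for_tok(eth_in, min_tok_out=min_out)


def demo() -> dict:
    """Run both patterns against a balanced and a skewed pool (constructed values)."""
    reference_tok_per_eth = 1_000  # assumed external reference price: 1 ETH == 1,000 TOK
    tolerance_bps = 200            # accept at most 2% worse than the reference
    results = {}

    balanced = Pool(reserve_eth=1_000, reserve_tok=1_000_000)  # matches the reference
    results["balanced_checked"] = shift_liquidity_checked(
        balanced, 10, reference_tok_per_eth, tolerance_bps
    )

    # Same k, but reserves pushed so the pool prices TOK 16x higher than the reference.
    skewed = Pool(reserve_eth=4_000, reserve_tok=250_000)
    results["skewed_unchecked"] = shift_liquidity_unchecked(skewed, 10)

    skewed_again = Pool(reserve_eth=4_000, reserve_tok=250_000)
    try:
        shift_liquidity_checked(skewed_again, 10, reference_tok_per_eth, tolerance_bps)
        results["skewed_checked"] = "executed"
    except SlippageExceeded as exc:
        results["skewed_checked"] = f"reverted: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the sample reserves, 10 ETH into the balanced pool returns 9,901 tokens, within the 2% tolerance of the 10,000 expected. Against the skewed pool the unchecked shift happily accepts 624 tokens for the same 10 ETH, while the checked shift reverts because the minimum of 9,800 is not met. The point of the design is that the bound comes from a price source the pool's own reserves do not control; a bound computed from the pool's current spot price would move with the manipulation and protect nothing.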
Plans For Revival
We are already working with multiple security researchers and on-chain analysts who helped with both the Euler Finance and Sentiment exploits.
We will start working with law enforcement agencies tomorrow by 4PM UTC if this isn’t sorted out by then.
— Jimbos Protocol (v2, soon) (@jimbosprotocol) May 28, 2023
Following the attack, the Jimbos developers announced on Twitter that they had already started working with multiple security researchers and on-chain analysts to investigate the incident, identify the vulnerabilities, and implement the security measures needed to prevent similar attacks in the future. In addition, the team also appears to be collaborating with law enforcement agencies to probe the incident.