Flash loan attack on Jimbos Protocol steals over $7.5 million

Jimbos Protocol, an Arbitrum-based DeFi project, has suffered a flash loan attack that resulted in the loss of more than of 4000 ETH tokens, currently valued at over $7,500,000.

The company disclosed the attack on Twitter yesterday, saying that law enforcement have been notified and it is working with security professionals to remediate the situation.

tweet

The attack occurred only three days after the platform launched its V2 protocol, at a moment when many people had just invested in its ‘jimbo’ token, and the perpetrator managed to steal 4,090 in ETH tokens.

The jimbo token has a semi-stable floor price backed by assets, while the platform has implemented mechanisms like taxes and incentives to help maintain a stable value.

Following the hack, though, jimbo’s price collapsed quickly, going from $0.238 to just $0.0001 at the time of writing.

According to blockchain security experts at PeckShield, Jimbos Protocol was the victim of a flash loan attack that leveraged the lack of slippage control on the platform.

Attack steps taken against Jimbos Protocol
Attack steps taken against Jimbos Protocol (PeckShield)

Flash loans are actions where users borrow a large amount of tokens and are expected to pay them back in the same transaction (immediately).

If the attacker exploits a flaw in the DeFi platform or they manipulate the price of the token during that very short period between receiving the amount and paying it back, they can keep the difference at the cost of the lender.

We have seen this unfold multiple times in theoretically well-secured and thoroughly audited lending protocols. A notable recent example is the flash loan attack that hit Euler Finance, resulting in a massive loss of $197 million.

In the case of Jimbos Protocol, the attacker took a $5.9 million flash loan, manipulated the market to skew the price range, traded back the tokens, and escaped with 4,090 ETH.

Slippage control is a measure that restricts token price changes to ensure that their fluctuation stays within an acceptable range from the time of initiating a trade to its completion, in this case, a flash loan.

The stolen cash flow
The stolen cash flow (PeckShield)

Jimbo Protocol had warned investors about the “experimental” nature of Jimbo V1, saying that “the contracts are unaudited and […] any amount of money you put into this protocol can be lost due to unforeseen circumstances at any time.”

However, Jimbo V2 was purportedly designed to rectify slippage and other obvious security issues. As such, it was projected as a more dependable investment opportunity, at least for a brief three-day period.

The incident has placed Jimbos Protocol in a predicament, and the platform has sent an on-chain message to the perpetrators asking them to return 90% of the stolen funds in exchange for the promise not to initiate legal proceedings against them.

Source: www.bleepingcomputer.com