Decoding Jimbo’s Protocol $7.5M Exploit | QuillAudits

--

Summary:

On May 28, 2023, the Jimbo’s Protocol on the Arbitrum chain was hacked. The hackers were able to exploit a vulnerability in the protocol’s slippage control mechanism, which allowed them to steal around $7.5 million worth of ETH.

About Project:

Jimbos Protocol is a decentralized finance (DeFi) protocol that aims to provide a semi-stable floor price for its JIMBO token. The protocol does this by accumulating Ether in its treasury and using it to defend the token’s price.

$JIMBO token is a Self Market-Making Liquidity Bin Token bind with traderjoe.

To learn more about the Project, check out the official documentation.

Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address: 0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attacker Address 2 (in ETH): 0x5F3591e2921D5c9291F5b224E909aB978A22Ba7E

Attacker Contract: 0xd4002233b59f7edd726fc6f14303980841306973

JimboController Contract: 0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack Transactions: 0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda

The Root Cause:

The root cause of the exploit was a vulnerability in the protocol’s slippage control mechanism. Slippage control is a mechanism that prevents large trades from causing significant price fluctuations. In the case of the Jimbo protocol, the lack of slippage control in the shift() function of the JimboController contract allowed the hacker to exploit the vulnerability.

Attack Process:

The attacker borrowed around 10,000 ETH from AAVE, a decentralized lending protocol. They then added some JIMBO tokens at much higher prices than the current market price. These bins are essentially ticks that indicate the price at which the token is traded.

The attacker exchanged the borrowed ETH for a significant amount of Jimbo tokens, using the [ETH-JIMBO] trading pair. This caused the price of JIMBO to spike up to a very high bin. The attacker transferred 100 JIMBO tokens to the JimboController contract.

Then, the exploiter manipulated the token balance in the liquidity pool by calling the shift function of the JimboController contract.

Following the price increase, when the rebalance was triggered, 10% of ETH was moved to bins below the active price, which was very high. The attacker then sold JIMBO tokens to deplete the anchor bins and bring the price back down.

A rebalance was triggered again, moving 10% of ETH into bins below the current, much lower, active price. This process is then repeated multiple times, allowing JIMBO to be bought at a cheaper price each time.

The attacker then swapped the acquired Jimbo tokens for ETH. After repaying the flash loan, the attacker made a profit of approximately 7.5 million.

Flow of Funds:

Immediately after the exploit, The attacker bridged the funds from Arbitrum Chain to Ehereuem chain.

At the time of writing, the attacker’s address (0x5F359). holds all of the funds stolen in the exploit. For more information, please see here.

Incident Timelines

28–05–2023- The Project acknowledged the incident and announced it through their Twitter.

28–05–2023- The Project sent an on-chain message to the Hacker, requesting the return of 90% of the funds in exchange for stopping all investigation.

Price Impact

The price of the token dropped by 40% immediately following the attack. See here.

How they could have prevented the Exploit?

This exploit was due to protocol-specific price manipulation vulnerability . So, In this case, Implementing a floor token could have prevented this hack.

FLOOR uses a completely different approach to repricing and rebalancing compared to the exploited protocol. Additionally, FLOOR does not have any liquidity gaps. The Floor contracts provide an example of the correct way to implement sophisticated token mechanics, such as transfer tax and rising RFV on the Liquidity Book. More details can be found here.

Reproducing the hack:

We will be using the Foundry framework for POC.

(Add the Ethereum Arbitrum RPC URL in foundry.toml file and run the test using the command forge test -vvv)

The exploit PoC link can be found here.

Conclusion.

The Jimbo’s Protocol hack is a reminder that even well-designed DeFi protocols are not immune to attack. The Jimbo’s Protocol hack also highlights the importance of security audits. A security audit can help to identify vulnerabilities in a protocol before they can be exploited by hackers.

The Jimbo’s Protocol hack is a setback for the DeFi community, but it is important to remember that DeFi is still a young and rapidly evolving industry. As the DeFi ecosystem matures, security measures will improve and the risk of hacks will decrease.

Web3 security- Need of the hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

--

--

QuillAudits - Web3 Security 🛡️

6+ Years Securing #Web3: 1M+ Lines Audited. Trusted by 1K+ Clients including StarkWare, Taiko, ZetaChain & Metis. Next-gen audits, KYC & on-chain monitoring.