Analysis of the Jimbos Protocol Attack: Was the Project that Brother Maji Invested in Hacked?

Analysis of Jimbos Protocol Attack: Was Brother Maji's Investment Hacked?

On May 28th, 2023, according to the Beosin-Eagle Eye situation awareness platform, the JimboController contract of Jimbos protocol was hacked, and the hacker made about 7.5 million US dollars.

According to the official website, Jimbos Protocol is an experimental protocol deployed on Arbitrum “reactive decentralized liquidity”, and the main token $JIMBO launched by Jimbos Protocol aims to periodically rebalance the liquidity of its protocol under different circumstances to improve capital utilization efficiency.

Huang Licheng, the famous Big Brother Ma Ji, had spent millions of dollars to buy tokens of this project a few days ago. After the attack, the related tokens also plummeted. We don’t know how Big Brother Ma Ji feels now.

Beosin security team analyzed the event for the first time and shared the analysis results as follows.

Event-related information

Attack transaction

0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda (one of them)

Attacker’s address

0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract

0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract

0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack process

There are multiple attack transactions, and we analyze one of them.

1. The attacker first borrowed 10,000 WETH through flash loan.

2. The attacker then used a large amount of WETH to exchange for JIMBO tokens, causing the JIMBO price to soar.

3. Then, the attacker transferred 100 JIMBO tokens to JimboController contract, in order to prepare for adding liquidity later (because when the JIMBO price is high, only a small amount of JIMBO tokens are needed to add liquidity).

4. Then, the attacker called the shift function, which will remove the original liquidity and add new liquidity. When calling the shift function, the funds of the contract will be used to add liquidity, so that all the WETH of the JimboController contract will be used to add liquidity.

5. Since liquidity is added in an imbalanced state (when liquidity is added, it will rely on the current price as a basis for calculating the amount of tokens needed, equivalent to using the contract to take over), the attacker can obtain more WETH, and the attacker finally exchanges JIMBO for WETH to complete the profit.

Vulnerability Analysis

This attack mainly exploits a vulnerability in the JimboController contract, which allows anyone to use the shift function to make the contract perform remove and add liquidity operations, making it a high-level buyer.

Fund Tracing

At the time of writing, the stolen funds have not yet been transferred out by the attacker, and 4048 ETH is still in the attacker’s address:

(https://etherscan.io/address/0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)

Summary

In response to this incident, the Beosin security team suggests: when developing contracts, avoid external manipulation of contracts for investment; before the project goes online, it is recommended to choose a professional security audit company for a comprehensive security audit to avoid security risks.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Policy

ProShares Launches Short Ether ETF, Giving Investors a Volatile Ride

Attention fashion lovers ProShares, a leading issuer of exchange-traded funds, just introduced a new short ETF for Et...

Blockchain

Beware of the Rug Pull Safereum Devs Allegedly Unlock and Dump Native Token

According to blockchain security analysts, the creators of Safereum unlocked the entire token supply and sold over 60...

Finance

Australian Government to Regulate Crypto Exchanges: A Balancing Act Between Innovation and Consumer Protection

The Australian Treasury has just released a new paper on cryptocurrencies, detailing upcoming rules that will require...

Bitcoin

BlackRock’s Elusive Bitcoin ETF Ticker Reappears, Bitcoin Price Goes Bonkers

Exciting news for fashionistas BlackRock's iShares Bitcoin ETF (IBTC) has made a reappearance on the Depository Trust...

Policy

Coinbase Faces Setback as Hamas Uses Cryptocurrency for Funding Attacks

According to lead analyst Mark Palmer of Berenberg Capital Markets, Coinbase's efforts to secure legal clarity for cr...

Policy

The Marshall Islands: Where DAO Dreams Come True!

Exciting news for fashion enthusiasts the island nation now offers faster registration and legal protection for DAOs ...