Analysis of the Jimbos Protocol Attack: Was the Project that Brother Maji Invested in Hacked?


On May 28, 2023, the Beosin-Eagle Eye situational awareness platform detected that the JimboController contract of Jimbos Protocol had been attacked; the attacker made a profit of about 7.5 million US dollars.

According to its official website, Jimbos Protocol is an experimental “reactive decentralized liquidity” protocol deployed on Arbitrum. Its main token, $JIMBO, is designed to periodically rebalance the protocol’s liquidity under changing market conditions in order to improve capital efficiency.

Huang Licheng, the well-known “Brother Maji”, had spent millions of dollars buying this project’s tokens only a few days earlier. After the attack the related tokens plummeted as well; how Brother Maji feels now is anyone’s guess.

The Beosin security team analyzed the incident as soon as it occurred and shares its findings below.

Event-related information

Attack transaction

0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda (one of them)

Attacker’s address

0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract

0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract

0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack process

There were multiple attack transactions; we analyze one of them.

1. The attacker first borrowed 10,000 WETH via a flash loan.

2. The attacker then swapped a large amount of WETH for JIMBO tokens, driving the JIMBO price sharply up.

3. Next, the attacker transferred 100 JIMBO tokens to the JimboController contract in preparation for the later liquidity addition: at the inflated JIMBO price, only a small amount of JIMBO is needed to add liquidity.

4. The attacker then called the shift function, which removes the existing liquidity and adds new liquidity. Because shift uses the contract’s own funds for the new position, all of the WETH held by the JimboController contract was deployed as liquidity.

5. Because the liquidity was added in an imbalanced state (adding liquidity uses the current, manipulated price to calculate the token amounts required, so the contract effectively buys JIMBO at the top), the attacker could obtain more WETH than it started with, and finally swapped its JIMBO back to WETH to realize the profit.

Vulnerability Analysis

The attack exploits a vulnerability in the JimboController contract: anyone can call the shift function and force the contract to remove and re-add liquidity at the current price, which turns the contract into a buyer at the manipulated high price.
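To make the mechanism of steps 4 and 5 and the root cause above concrete, the following is an added model written for this write-up; it is not Jimbos Protocol code. The JimboController contract is reduced to a WETH treasury that, on shift, places all of its WETH as a bid at the current pool price (the WETH side of a liquidity-book position is in effect a buy wall in the bins at and below the active price, which is the part of the position that matters here). The pool is a fee-less constant-product AMM, the JIMBO side of the controller’s position is ignored, and the reserves, the loan size, the `keeper` owner and the 10% deviation limit are constructed illustration values, not figures from the incident. The guarded variant of `shift` shows the two checks the vulnerability analysis points at: restricting the caller, and refusing to rebalance when the spot price has moved far from a trusted reference price.

```python
"""Model of the shift issue: a permissionless rebalance that trusts the spot price.

Added example for this write-up, not Jimbos Protocol code. Reserves, loan size,
owner name and the deviation limit are constructed values.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """Fee-less constant-product pool: weth * jimbo stays equal to k."""
    weth: float
    jimbo: float

    def spot_price(self) -> float:
        """Price of one JIMBO in WETH at the current reserves."""
        return self.weth / self.jimbo

    def swap_weth_for_jimbo(self, weth_in: float) -> float:
        new_weth = self.weth + weth_in
        new_jimbo = self.weth * self.jimbo / new_weth
        out = self.jimbo - new_jimbo
        self.weth, self.jimbo = new_weth, new_jimbo
        return out

    def swap_jimbo_for_weth(self, jimbo_in: float) -> float:
        new_jimbo = self.jimbo + jimbo_in
        new_weth = self.weth * self.jimbo / new_jimbo
        out = self.weth - new_weth
        self.weth, self.jimbo = new_weth, new_jimbo
        return out


@dataclass
class Controller:
    """Treasury that rebalances its WETH into a bid at the pool's active price."""
    owner: str
    weth: float
    reference_price: float       # last trusted price, e.g. a TWAP snapshot (assumed)
    max_deviation: float = 0.10  # reject rebalances more than 10% off the reference
    bid_price: float = 0.0       # price of the standing bid (0 = no bid)
    bid_weth: float = 0.0        # WETH backing the standing bid

    def shift(self, pool: Pool, caller: str, guarded: bool) -> bool:
        """Deploy the treasury's WETH as a bid at the current spot price.

        Unguarded: anyone may call, and the spot price is trusted blindly.
        Guarded: only the owner may call, and the spot price must be within
        max_deviation of the reference. Returns True if liquidity was moved.
        """
        if guarded:
            if caller != self.owner:
                return False
            deviation = abs(pool.spot_price() / self.reference_price - 1.0)
            if deviation > self.max_deviation:
                return False
        self.bid_price = pool.spot_price()
        self.bid_weth, self.weth = self.weth, 0.0
        return True

    def fill_bid(self, jimbo_in: float) -> tuple[float, float]:
        """Sell JIMBO into the standing bid; return (weth_paid, jimbo_left_over)."""
        if self.bid_weth == 0.0:
            return 0.0, jimbo_in
        fillable = self.bid_weth / self.bid_price   # JIMBO the bid can absorb
        taken = min(jimbo_in, fillable)
        paid = taken * self.bid_price
        self.bid_weth -= paid
        return paid, jimbo_in - taken


def simulate(guarded: bool, loan: float = 10_000.0) -> float:
    """Replay the incident's steps against a fresh model and return the caller's
    WETH gain before any flash-loan fee (0.0 means the manipulation gained nothing)."""
    pool = Pool(weth=1_000.0, jimbo=1_000_000.0)             # 0.001 WETH per JIMBO
    ctrl = Controller(owner="keeper", weth=5_000.0,
                      reference_price=pool.spot_price())      # reference taken at the honest price
    jimbo_held = pool.swap_weth_for_jimbo(loan)              # step 2: spot price soars
    ctrl.shift(pool, caller="attacker", guarded=guarded)      # step 4: treasury deployed at that price
    paid, jimbo_left = ctrl.fill_bid(jimbo_held)             # step 5: JIMBO sold into the treasury's bid,
    weth_back = paid + pool.swap_jimbo_for_weth(jimbo_left)  # then the remainder back into the pool
    return weth_back - loan


if __name__ == "__main__":
    print(f"unguarded shift: caller gains {simulate(False):,.1f} WETH")
    print(f"guarded shift:   caller gains {simulate(True):,.1f} WETH")
```

With the unguarded `shift`, the treasury’s whole WETH balance is spent absorbing JIMBO at the inflated price and the loss shows up as the caller’s gain; with the guarded variant the call is rejected, the JIMBO is sold back into the same curve it was bought from, and the round trip nets nothing (a negative result once a flash-loan fee is charged). The caller restriction alone already breaks the atomic flash-loan pattern, since the attacker cannot trigger the rebalance inside their own transaction; the deviation check is the defence-in-depth layer for the case where an authorised keeper is tricked into calling during a manipulated price.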

Fund Tracing

At the time of writing, the attacker has not yet moved the stolen funds; 4048 ETH still sits at the attacker’s address:

(https://etherscan.io/address/0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)

Summary

In response to this incident, the Beosin security team recommends that contract developers avoid letting external callers trigger the contract’s investment or rebalancing operations, and that projects engage a professional security audit firm for a comprehensive audit before going live, to reduce security risks.
