Analysis of the Jimbos Protocol Attack: Was the Project that Brother Maji Invested in Hacked?

On May 28th, 2023, according to the Beosin-Eagle Eye situational awareness platform, the JimboController contract of Jimbos Protocol was attacked, and the attacker profited by about 7.5 million US dollars.

According to the official website, Jimbos Protocol is an experimental “reactive decentralized liquidity” protocol deployed on Arbitrum. Its main token, $JIMBO, is designed to periodically rebalance the protocol's liquidity under different market conditions in order to improve capital efficiency.

Huang Licheng, the well-known Big Brother Maji, had spent millions of dollars buying this project's tokens a few days earlier. After the attack, those tokens also plummeted. We don't know how Big Brother Maji feels now.

The Beosin security team analyzed the incident as soon as it occurred and shares its findings below.

Event-related information

Attack transaction (one of several): 0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda

Attacker's address: 0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract: 0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract: 0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack process

There are multiple attack transactions; we analyze one of them here.

1. The attacker first borrowed 10,000 WETH through a flash loan.

2. The attacker then swapped a large amount of WETH for JIMBO tokens, causing the JIMBO price to soar.

3. Next, the attacker transferred 100 JIMBO tokens to the JimboController contract in preparation for the liquidity addition that follows (when the JIMBO price is high, only a small amount of JIMBO is needed to add liquidity).

4. The attacker then called the shift function, which removes the original liquidity and adds new liquidity. When shift is called, the contract's own funds are used to add liquidity, so all of the WETH held by the JimboController contract is deposited into the pool.

5. Because the liquidity is added in an imbalanced state (the amount of tokens needed is calculated from the current, manipulated price, which in effect makes the contract buy at the top with its own funds), the attacker can withdraw more WETH than was put in. The attacker finally swaps the JIMBO back to WETH to realize the profit.

Vulnerability Analysis

This attack mainly exploits a vulnerability in the JimboController contract: anyone can call the shift function and make the contract remove and re-add liquidity at the current (manipulable) pool price, turning the contract into a buyer at an inflated price.
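The following simulation is an added example, not the protocol's code, and it serves both the five-step attack process above and this vulnerability analysis. It models the pool as a fee-less constant-product AMM (the real protocol uses a bin-based pool, but the economics of rebalancing at a manipulated spot price are the same), assumes the controller holds an LP position plus idle WETH, and assumes a zero-fee flash loan. The constructed numbers (100 WETH / 100,000 JIMBO pool, 9,900 WETH loan) are illustrative only. `run_attack(guarded=False)` reproduces the drain; the guarded variant adds the two checks a defender would want, a keeper-only caller restriction and a rejection of rebalances when spot price deviates from a recorded reference price, and shows the attacker's round trip becoming a loss.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (assumption: no swap fee). Price is JIMBO per WETH."""
    weth: float
    jimbo: float
    shares: float  # LP share supply

    def price(self) -> float:
        return self.jimbo / self.weth

    def swap_weth_for_jimbo(self, weth_in: float) -> float:
        k = self.weth * self.jimbo
        jimbo_out = self.jimbo - k / (self.weth + weth_in)
        self.weth += weth_in
        self.jimbo -= jimbo_out
        return jimbo_out

    def swap_jimbo_for_weth(self, jimbo_in: float) -> float:
        k = self.weth * self.jimbo
        weth_out = self.weth - k / (self.jimbo + jimbo_in)
        self.jimbo += jimbo_in
        self.weth -= weth_out
        return weth_out

    def add_liquidity(self, weth_in: float) -> tuple[float, float]:
        """Deposit weth_in plus the JIMBO the *current* spot price demands."""
        jimbo_in = weth_in * self.price()
        minted = self.shares * weth_in / self.weth
        self.weth += weth_in
        self.jimbo += jimbo_in
        self.shares += minted
        return minted, jimbo_in

    def remove_liquidity(self, burn: float) -> tuple[float, float]:
        weth_out = self.weth * burn / self.shares
        jimbo_out = self.jimbo * burn / self.shares
        self.weth -= weth_out
        self.jimbo -= jimbo_out
        self.shares -= burn
        return weth_out, jimbo_out


@dataclass
class Controller:
    """Toy JimboController: LP position + idle WETH treasury (assumed layout)."""
    weth: float
    jimbo: float
    shares: float
    reference_price: float  # hypothetical: price recorded at the last trusted rebalance
    keeper: str = "keeper"

    def shift(self, pool: Pool, caller: str, guarded: bool, max_deviation: float = 0.10) -> None:
        if guarded:
            # Mitigation 1: only a trusted keeper may trigger the rebalance.
            if caller != self.keeper:
                raise PermissionError("shift: caller is not the keeper")
            # Mitigation 2: refuse to rebalance when spot is far from the reference price.
            if abs(pool.price() - self.reference_price) / self.reference_price > max_deviation:
                raise ValueError("shift: spot price deviates too far from reference")
        w, j = pool.remove_liquidity(self.shares)          # remove original liquidity
        self.weth, self.jimbo, self.shares = self.weth + w, self.jimbo + j, 0.0
        minted, jimbo_in = pool.add_liquidity(self.weth)   # re-add ALL WETH at spot price
        # At a pumped price the JIMBO leg is tiny; the attacker's donation covers it.
        assert self.jimbo >= jimbo_in, "not enough JIMBO to pair with the WETH"
        self.jimbo -= jimbo_in
        self.weth, self.shares = 0.0, minted
        self.reference_price = pool.price()


def run_attack(guarded: bool, caller: str = "attacker") -> tuple[float, float]:
    """Return (attacker profit in WETH, controller's WETH exposure after the attack)."""
    pool = Pool(weth=100.0, jimbo=100_000.0, shares=100.0)        # constructed state
    ctl = Controller(weth=100.0, jimbo=0.0, shares=50.0, reference_price=pool.price())
    loan = 9_900.0                                                 # step 1: flash loan
    jimbo_held = pool.swap_weth_for_jimbo(loan)                    # step 2: pump JIMBO
    jimbo_held -= 100.0
    ctl.jimbo += 100.0                                             # step 3: donate 100 JIMBO
    try:
        ctl.shift(pool, caller=caller, guarded=guarded)            # step 4: public shift()
    except (PermissionError, ValueError):
        pass  # guarded controller refuses; attacker must unwind into the thin pool
    weth_back = pool.swap_jimbo_for_weth(jimbo_held)               # step 5: dump JIMBO
    controller_weth = ctl.weth + pool.weth * ctl.shares / pool.shares
    return weth_back - loan, controller_weth


if __name__ == "__main__":
    print("unguarded:", run_attack(False))
    print("guarded:  ", run_attack(True))
```

In the unguarded run the controller deepens the pool with its own WETH at the pumped price, so the attacker's dump moves the price less and returns roughly 98 WETH more than the loan; the controller's WETH exposure drops from 150 to about 52. With either guard in place the round trip costs the attacker the donated JIMBO plus slippage. Note that the price-deviation check matters even for the keeper path: a keeper that rebalances while the pool is manipulated is exploited just the same, so it is the check, not only the caller restriction, that protects the treasury.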

Fund Tracing

At the time of writing, the stolen funds have not been moved out by the attacker, and 4,048 ETH remains at the attacker's address:

(https://etherscan.io/address/0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)

Summary

In response to this incident, the Beosin security team suggests: when developing contracts, do not allow external callers to trigger the contract's own investment operations (such as rebalancing its liquidity at the current price); before a project goes live, engage a professional security audit firm for a comprehensive audit to reduce security risk.
