Analysis of the Jimbos Protocol Attack: Was the Project that Brother Maji Invested in Hacked?


On May 28, 2023, the Beosin-Eagle Eye situational awareness platform detected an attack on the JimboController contract of Jimbos Protocol. The attacker profited by roughly 7.5 million US dollars.

According to its official website, Jimbos Protocol is an experimental "reactive decentralized liquidity" protocol deployed on Arbitrum. Its main token is $JIMBO, and the protocol periodically rebalances its own liquidity under changing market conditions in order to improve capital efficiency.

Huang Licheng, widely known as Brother Maji, had spent millions of dollars buying this project's tokens only a few days earlier. After the attack, the tokens plummeted as well. We do not know how Brother Maji feels right now.

The Beosin security team analyzed the incident as soon as it occurred and shares its findings below.

Event-related information

Attack transaction

0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda (one of several)

Attacker’s address

0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract

0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract

0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack process

There were multiple attack transactions; we analyze one of them.

1. The attacker first borrowed 10,000 WETH via a flash loan.

2. The attacker then swapped a large amount of that WETH for JIMBO, driving the JIMBO price sharply up.

3. Next, the attacker transferred 100 JIMBO to the JimboController contract in preparation for the liquidity addition that follows: at the inflated price, only a small amount of JIMBO is needed to pair with the contract's WETH.

4. The attacker then called the shift function, which removes the existing liquidity and adds new liquidity. shift uses the contract's own balances for the new position, so all of the WETH held by the JimboController contract was deployed as liquidity.

5. Because the liquidity was added in this imbalanced state (the amounts are derived from the current spot price, so the contract effectively bought JIMBO at the manipulated top), the attacker could extract more WETH than they had put in. The attacker finally swapped the JIMBO back for WETH, repaid the flash loan, and kept the difference.

Vulnerability Analysis

The root cause is in the JimboController contract: its shift function can be called by anyone, and it makes the contract remove and re-add liquidity at whatever the current spot price is. Anyone able to move the price can therefore force the protocol's own funds to buy JIMBO at an inflated price.
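The following simulation is an added example and is not Jimbos Protocol's code; it reproduces the five-step attack above and the root cause in one runnable model. A fee-less constant-product pool stands in for the real liquidity design, all balances are constructed (the 10,000 WETH flash loan matches the article, the 5,000 JIMBO donation does not match the 100 JIMBO on-chain because the pool sizes are made up), and the `keeper` caller restriction and the `reference_price` deviation check in the guarded variant are hypothetical mitigations, not the project's fix.

```python
"""Simulation of the unguarded shift() pattern described above.

Added example, not Jimbos Protocol code. A fee-less x*y=k pool stands in
for the real liquidity design, and every balance below is constructed."""
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Optional


@dataclass
class Pool:
    """WETH/JIMBO pool with constant-product pricing and no fees (simplification)."""
    weth: F
    jimbo: F

    def price(self) -> F:
        """Spot price in WETH per JIMBO."""
        return self.weth / self.jimbo

    def swap_weth_for_jimbo(self, weth_in: F) -> F:
        k = self.weth * self.jimbo
        self.weth += weth_in
        jimbo_out = self.jimbo - k / self.weth
        self.jimbo -= jimbo_out
        return jimbo_out

    def swap_jimbo_for_weth(self, jimbo_in: F) -> F:
        k = self.weth * self.jimbo
        self.jimbo += jimbo_in
        weth_out = self.weth - k / self.jimbo
        self.weth -= weth_out
        return weth_out

    def jimbo_to_pair(self, weth_in: F) -> F:
        """JIMBO required to add weth_in without moving the spot price."""
        return weth_in * self.jimbo / self.weth


@dataclass
class Controller:
    """Treasury contract whose shift() redeploys its WETH as liquidity.

    guarded=False reproduces the unprotected pattern; guarded=True adds a
    caller restriction and a spot-vs-reference price check (both hypothetical)."""
    pool: Pool
    weth: F                              # treasury WETH that shift() deploys
    jimbo: F = F(0)                      # anyone can transfer JIMBO into the contract
    guarded: bool = False
    keeper: str = "keeper"               # hypothetical authorised caller
    reference_price: Optional[F] = None  # price recorded at the last honest rebalance
    max_deviation: F = F(5, 100)         # 5 % tolerance, a constructed threshold

    def shift(self, caller: str) -> None:
        if self.guarded:
            if caller != self.keeper:
                raise PermissionError("caller is not the keeper")
            deviation = abs(self.pool.price() / self.reference_price - 1)
            if deviation > self.max_deviation:
                raise ValueError(f"spot deviates {float(deviation):.0%} from reference")
        # Shared by both variants: pair ALL treasury WETH at the current spot ratio.
        needed = self.pool.jimbo_to_pair(self.weth)
        if needed > self.jimbo:
            raise ValueError("controller holds too little JIMBO to pair its WETH")
        self.pool.weth += self.weth
        self.pool.jimbo += needed
        self.weth, self.jimbo = F(0), self.jimbo - needed


def fresh_state(guarded: bool) -> Controller:
    pool = Pool(weth=F(1_000), jimbo=F(1_000_000))        # 0.001 WETH per JIMBO
    return Controller(pool=pool, weth=F(500), guarded=guarded,
                      reference_price=pool.price())


def run_attack(guarded: bool, flash_loan: F = F(10_000), donation: F = F(5_000)) -> F:
    """Attacker profit in WETH after repaying the flash loan (0 if the tx reverts)."""
    ctl = fresh_state(guarded)
    pool = ctl.pool
    jimbo = pool.swap_weth_for_jimbo(flash_loan)   # steps 1-2: pump the spot price
    ctl.jimbo += donation                           # step 3: give shift() JIMBO to pair with
    jimbo -= donation
    try:
        ctl.shift(caller="attacker")                # step 4: treasury buys at the top
    except (PermissionError, ValueError) as err:
        print(f"shift reverted ({err}); the attack transaction reverts with it")
        return F(0)
    weth_back = pool.swap_jimbo_for_weth(jimbo)     # step 5: dump into the deepened pool
    return weth_back - flash_loan


def keeper_rebalance_succeeds() -> bool:
    """The guards must not block an honest keeper call at the reference price."""
    ctl = fresh_state(guarded=True)
    ctl.jimbo = ctl.pool.jimbo_to_pair(ctl.weth)   # treasury funded with matching JIMBO
    ctl.shift(caller="keeper")
    return ctl.weth == 0


if __name__ == "__main__":
    print(f"unguarded shift: attacker nets {float(run_attack(False)):.2f} WETH")
    print(f"no JIMBO donated: attacker nets {float(run_attack(False, donation=F(0))):.2f} WETH")
    print(f"guarded shift:   attacker nets {float(run_attack(True)):.2f} WETH")
    print("honest keeper rebalance ok:", keeper_rebalance_succeeds())
```

With the constructed balances, the unguarded run nets the attacker about 406 WETH, all of it drawn from the 500 WETH treasury that shift deployed at a 121x inflated price; with no JIMBO donated, shift cannot pair the treasury WETH and the attack fails, which is why step 3 exists. Two checks are layered in the guarded variant on purpose: the caller restriction stops the direct call seen here, but an authorised keeper's legitimate shift could still be sandwiched in the same block, so the price-deviation check is what actually refuses to deploy funds at a manipulated spot. A production contract would compare against a TWAP or an external oracle rather than a single stored reference price.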

Fund Tracing

At the time of writing, the attacker has not moved the stolen funds; 4048 ETH remains at the attacker's address:

(https://etherscan.io/address/0x5f3591e2921d5c9291f5b224e909ab978a22ba7e)

Summary

In response to this incident, the Beosin security team recommends: when developing contracts, do not let externally triggered calls decide how the contract's own funds are invested (for example, rebalancing liquidity at the current spot price); and before a project goes live, engage a professional security audit firm for a comprehensive audit to reduce security risk.
