On May 28, the Arbitrum-based Jimbos Protocol suffered a devastating hack that drained over 4,000 Ethereum (ETH), worth approximately $7.5 million at the time. The attack was carried out with a flash loan, catching the protocol off guard and exposing vulnerabilities in its code.
The breach was initially detected and reported by PeckShield, a prominent blockchain analytics firm. Upon discovering the exploit, PeckShield promptly notified both Jimbos and the community about the security breach. As news of the hack spread, the protocol’s native token experienced a sharp decline of roughly 40%, plummeting from $0.31 to $0.19.
Unfortunately, this incident adds to the growing list of DeFi hacks that have taken place in recent months. Despite being launched less than a month ago, Jimbos aimed to address issues surrounding volatility and liquidity. However, flaws in its code inadvertently created a loophole in liquidity conversions, which the hackers skillfully exploited.
In response to the hack, Jimbos reached out to various on-chain analysts and security experts to seek assistance in resolving the situation. Notably, these experts were instrumental in recovering $200 million for Euler Finance and Sentiment in previous hacking incidents. Cryptogle, one of the experienced investigators involved in recovering the stolen funds for Euler Finance, confirmed the protocol’s efforts and expressed confidence in bringing the hacker to justice.
Euler Finance had suffered a flash loan exploit in March, but the perpetrator returned almost all of the stolen funds in April, likely to avoid legal repercussions after his real identity was allegedly exposed by on-chain investigators. Jimbos is hopeful for a similar outcome and has engaged the services of renowned on-chain analysts like Zachxbt in their pursuit of justice.
If current efforts prove unsuccessful, Jimbos has announced plans to collaborate with law enforcement agencies starting from May 29. The protocol is determined to exhaust all available options to apprehend the hacker and recover the stolen funds.
PeckShield’s investigation into the incident found that the attackers used a flash loan to exploit a loophole in Jimbos’ code. The protocol lacked sufficient safeguards around its liquidity conversions, and this is what made the exploit possible. Specifically, the vulnerability lay in liquidity being invested within a price range without any requirement that the two sides of the position hold equal value. By exploiting this flaw, the attackers manipulated their orders, executed reverse swaps, and made off with millions of dollars’ worth of Ethereum.
According to PeckShield’s on-chain analysis, the attacker made off with 4,090 ETH from the protocol, successfully bridging it from Arbitrum to Ethereum using Stargate and Celer Network. The total haul amounted to 4,048 ETH.
The Jimbos Protocol now faces a challenging journey to recover from this significant security breach and rebuild trust within the community. Efforts to enhance the protocol’s code and fortify security measures will be crucial in preventing future exploits and maintaining the integrity of the platform.