Crypto stolen – Just days following the release of its upgraded decentralized finance (DeFi) application, Jimbos Protocol encountered a breach over the weekend. Attackers managed to pilfer 4,090 ETH tokens, equivalent to approximately $7.5 million. This incident comes as a setback to the developers who had aimed to enhance the stability and security of their platform.
The assailants leveraged a flash loan attack, exploiting vulnerabilities within the Arbitrum-based app. The Jimbos Protocol team is now in a race against time to identify the culprits and recover the stolen funds. Initially, the company offered to let the attackers retain 10 percent of the stolen amount if the remaining 90 percent was returned. However, receiving no response, they are now seeking assistance from law enforcement agencies to apprehend the hackers and reclaim the lost assets.
Taking to Twitter, the Jimbos Protocol developers expressed their gratitude for the collaboration with security experts, bridges, and exchanges. With their assistance, promising leads have been identified, including one in particular. The developers hope that the attacker will cooperate voluntarily before being left with no other choice once their information is disclosed.
This attack occurred merely three days after the launch of Jimbos Protocol’s second version (V2) of the software. The protocol, introduced about a month ago, aimed to tackle issues surrounding volatility and liquidity by incorporating a semi-stable floor price.
Susceptible to a flash loan scheme
Blockchain analytics firm PeckShield has shed light on the recent hack of Jimbos Protocol, attributing it to the protocol’s inadequate management of slippage control during liquidity-shifting operations. The exploit involved manipulating the skewed price range within the protocol’s liquidity pool through a reverse swap.
The attacker capitalized on a flash loan, a borrowing mechanism where a significant amount of digital currency, like Ethereum, is borrowed and promptly repaid. The scheme involved leveraging the loan to purchase a substantial quantity of alternative tokens, driving up their prices. By skillfully manipulating the smart contracts governing the app’s liquidity pool, the attacker successfully converted the amassed tokens back into Ethereum, repaid the loan, and reaped substantial profits.
The V2 software of Jimbos Protocol appears to have neglected implementing effective measures to mitigate slippage, which denotes the variance between anticipated and actual prices in the DeFi ecosystem. Such controls are vital in curbing excessive price volatility and averting vulnerable situations resulting from flash loans triggering price spikes.
According to analysts from Numen Cyber Labs, the attacker swiftly exchanged the borrowed Ethereum for a significant amount of Jimbo tokens using the ETH-Jimbo trading pair, causing a surge in Jimbo’s current price. Subsequently, the attacker manipulated the liquidity pool by exploiting vulnerabilities within the JimboController contract. Finally, the obtained Jimbo tokens were converted back into Ethereum, the flash loan was repaid, and substantial profits were retained by the malicious actors.
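The mechanism described above, as an added illustration that is not code from Jimbos Protocol or from either analyst firm: a toy constant-product pool shows how a flash-loan-sized swap skews the spot price, and a hypothetical deviation check (compared against a reference price recorded before the transaction; the tolerance and reference source are assumptions) refuses to shift liquidity around a manipulated price while still allowing ordinary trades.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed constant-product pool (x * y = k), fee-free for simplicity."""
    eth: float   # ETH reserve
    tok: float   # token reserve

    def price(self) -> float:
        """Spot price expressed as tokens per ETH."""
        return self.tok / self.eth

    def swap_eth_for_tok(self, eth_in: float) -> float:
        """Sell eth_in into the pool; returns tokens received and moves the price."""
        k = self.eth * self.tok
        new_eth = self.eth + eth_in
        new_tok = k / new_eth
        out = self.tok - new_tok
        self.eth, self.tok = new_eth, new_tok
        return out


def price_deviation_bps(spot: float, reference: float) -> int:
    """Absolute deviation of spot from reference, in basis points."""
    return round(abs(spot - reference) / reference * 10_000)


def liquidity_shift_allowed(pool: Pool, reference_price: float, max_dev_bps: int) -> bool:
    """Hypothetical slippage guard: only rebalance liquidity if the spot price
    is within max_dev_bps of the reference price captured before this tx."""
    return price_deviation_bps(pool.price(), reference_price) <= max_dev_bps


def simulate(eth_in: float, max_dev_bps: int = 500) -> tuple[int, bool]:
    """Run one swap against a fresh 100 ETH / 100,000 token pool (constructed numbers)
    and report the resulting deviation and whether a liquidity shift would proceed."""
    pool = Pool(eth=100.0, tok=100_000.0)
    reference = pool.price()          # 1000 tokens per ETH before the swap
    pool.swap_eth_for_tok(eth_in)
    dev = price_deviation_bps(pool.price(), reference)
    return dev, liquidity_shift_allowed(pool, reference, max_dev_bps)


if __name__ == "__main__":
    print("1 ETH swap   ->", simulate(1.0))      # small move, shift allowed
    print("100 ETH swap ->", simulate(100.0))    # flash-loan-sized move, shift refused
```

Without the deviation check, the controller would rebalance around the skewed price after the large swap, which is the gap the analysts describe; with it, the rebalance simply does not happen in that transaction.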
Appealing for support
Following the initial acknowledgment of the breach, the developers of Jimbos Protocol announced their collaboration with analysts who have previously assisted victims of similar attacks. Notable examples include Euler Finance and Sentiment, both prominent DeFi platforms, which managed to recoup a portion of their lost funds.
On May 29, the company addressed the attackers directly, offering them a proposition: return 90% of the stolen funds and retain a swift payday of $800k, avoiding further pursuit. However, a stern warning accompanied the proposal, stating that if the attackers refuse to comply, relentless pursuit will continue until they are apprehended and brought to justice.
Analysts from Numen Cyber Labs observed that despite ongoing efforts to bolster security measures, the DeFi ecosystem remains susceptible to potential vulnerabilities and unauthorized access.
In light of this, it is imperative for DeFi projects to forge close partnerships with security auditors to fortify their platforms, dissuade malicious actors, and minimize the likelihood of financial losses resulting from attacks, which can be substantial.
Crypto – Exposed DeFi platforms
The DeFi sector continues to witness a surge in attacks, as evidenced by the recent flash loan attack on Euler Finance, resulting in a loss of nearly $200 million in March. Fortunately, the perpetrator returned most of the stolen funds. Similarly, Sentiment experienced an attack in April, leading to a loss of around $1 million, with the attacker also returning the majority of the funds within a few days.
Jimbos Protocol had hoped for a comparable outcome following its recent breach but has yet to see the same resolution.
The escalating frequency of these attacks on DeFi platforms comes as no surprise to Karl Steinkamp, Director of Delivery Transformation and Automation at cybersecurity consultancy Coalfire. Steinkamp points out that CoinMarketCap lists over 25,000 crypto assets, with the majority built on the Ethereum blockchain.
“The targeting of DeFi entities has skyrocketed alongside the expanding token market,” Steinkamp informed The Register. “While the rapid pace of innovation benefits these digital assets, it is essential that the necessary due diligence and security measures are consistently implemented to safeguard platforms and assets against malicious attackers.”
Regarding Jimbos Protocol’s vulnerability stemming from a code flaw in its liquidity management, Steinkamp emphasized that “if the asset owners had performed fundamental security measures and hardening processes prior to releasing the asset into the production environment, this basic function should never have been exploitable.”