The attacker used the lack of slippage control over tokens to steal the funds.
Adding to the growing number of decentralized finance (DeFi) protocol hacks in the crypto industry, Jimbos Protocol is the latest to suffer an attack resulting in a significant loss of funds.
According to blockchain security firm PeckShield, Jimbos Protocol — the liquidity protocol of the Arbitrum system — was hacked on the morning of May 28. The attack resulted in the loss of 4,000 Ether ETH $1,844, worth approximately $7.5 million at the time.
Specifically, the attacker took advantage of the lack of slippage control on liquidity conversions. The protocol’s liquidity is invested in a price range that doesn’t need to be equal, creating a loophole where attackers can reverse swap orders for their own gain.
Although launched less than 20 days ago, Jimbos Protocol aimed to address liquidity and volatile token prices through a new testing approach. However, the protocol’s mechanism was not adequately developed, leading to a logical vulnerability creating favorable conditions for attackers. As a consequence, the price of the underlying token, Jimbo (JIMBO), has plummeted by 40%.
According to PeckShield’s findings, the attackers extracted 4,090 ETH from the Arbitrum network. Subsequently, they utilized the Stargate bridge and the Celer Network to transfer approximately 4,048 ETH from the Ethereum network.
Hacking incidents in DeFi protocols is not a novel phenomenon. While reports indicate a significant decline in the number of attacks compared with previous years, the community continues to be exposed to numerous exploits.
Despite efforts to enhance security measures, the DeFi ecosystem grapples with the persistent challenge of safeguarding against potential vulnerabilities and unauthorized access. An example is the recent flash loan attack on the 0VIX protocol, resulting in a substantial loss of nearly $2 million.
Another recent noteworthy occurrence involved the hijacking of Tornado Cash, a prominent privacy-focused protocol. Unknown attackers successfully compromised the system and extracted significant quantities of Tornado Cash (TORN) tokens, leading to substantial financial losses.