- The exploiter took advantage of the absence of slippage control on liquidity exchanges
- Liquidity was invested in an uneven price range, creating a loophole where swap orders could be reversed
Jimbos, a protocol in the Arbitrum Network, was hacked yesterday morning according to blockchain security firm PeckShield, Cointelegraph reported. The exploiter made away with 4,000 ether, which was roughly equivalent to $7.5 million at the time of the attack.
The exploiter took advantage of the absence of slippage control on liquidity exchanges. Jimbos’ liquidity is invested in an uneven price range, generating a loophole where swap orders can be reversed for cybercriminals’ gain.
The attacker took out a flash loan of $5.9 million, manipulated JIMBO token prices, and made away with community funds.
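The two weaknesses named above, a swap executed without slippage control on a pool whose price can be moved within the same transaction, are easiest to see on a toy automated market maker. The following Python is an added example written for this article, not Jimbos' contracts or any code from PeckShield: the pool, its reserves, the trade sizes and the 1% tolerance are constructed values. It runs the same treasury swap once on an undisturbed pool, once after a large flash-loan-sized trade has moved the price, and once with a minimum-output floor derived from the fair quote, which is the control the article says was missing.

```python
"""Minimal constant-product AMM to show why a swap without a minimum-output
bound (slippage control) is unsafe when pool prices can be moved within a
single transaction. Example code written for this article; the pool, the
reserves and the trade sizes are constructed values, not Jimbos' contracts."""


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's floor."""


class ConstantProductPool:
    """Two-asset pool with x * y = k pricing (fees omitted for clarity).

    Integer arithmetic with floor division mirrors how on-chain AMMs compute
    amounts; prices move with every trade, so a quote taken before a trade is
    not guaranteed at execution time."""

    def __init__(self, reserve_eth: int, reserve_tok: int) -> None:
        self.reserve_eth = reserve_eth
        self.reserve_tok = reserve_tok

    def quote_tok_for_eth(self, eth_in: int) -> int:
        """Tokens received for eth_in at the current reserves."""
        return self.reserve_tok * eth_in // (self.reserve_eth + eth_in)

    def swap_eth_for_tok(self, eth_in: int, min_tok_out: int = 0) -> int:
        """Swap ETH for tokens.

        min_tok_out is the slippage control: if the pool can no longer honour
        that floor (because someone moved the price first), the trade reverts
        instead of executing at whatever price the pool now offers."""
        tok_out = self.quote_tok_for_eth(eth_in)
        if tok_out < min_tok_out:
            raise SlippageExceeded(f"would receive {tok_out}, floor is {min_tok_out}")
        self.reserve_eth += eth_in
        self.reserve_tok -= tok_out
        return tok_out


def rebalance_outcomes(max_slippage_bps: int = 100) -> dict:
    """Run the same treasury rebalance (100 ETH -> TOK) three times:
    1. on an undisturbed pool, to obtain the fair quote;
    2. after a large trade moved the price in the same block, with no floor;
    3. after the same price move, with a floor derived from the fair quote.
    All reserve and trade sizes are constructed for illustration."""
    fair = ConstantProductPool(reserve_eth=1_000, reserve_tok=1_000_000).quote_tok_for_eth(100)

    # Unprotected: the pool is first pushed by a large trade in the same block,
    # then the rebalance executes at whatever price is left.
    pool = ConstantProductPool(reserve_eth=1_000, reserve_tok=1_000_000)
    pool.swap_eth_for_tok(1_000)                # price move before the rebalance
    unprotected = pool.swap_eth_for_tok(100)    # no floor: executes at the moved price

    # Protected: same pre-trade, but the rebalance carries a minimum output
    # computed from the fair quote minus the tolerated slippage.
    pool = ConstantProductPool(reserve_eth=1_000, reserve_tok=1_000_000)
    pool.swap_eth_for_tok(1_000)
    floor = fair * (10_000 - max_slippage_bps) // 10_000
    try:
        pool.swap_eth_for_tok(100, min_tok_out=floor)
        protected_reverted = False
    except SlippageExceeded:
        protected_reverted = True

    return {
        "fair_quote": fair,
        "unprotected_received": unprotected,
        "protected_reverted": protected_reverted,
    }


if __name__ == "__main__":
    print(rebalance_outcomes())
```

With these constructed reserves the fair quote for 100 ETH is 90,909 TOK; after the price move the unprotected swap receives only 23,809 TOK, while the protected swap reverts because 23,809 is below the 89,999 floor. The point for a protocol that rebalances its own liquidity is that every swap it performs on its own behalf needs a floor derived from a price it trusts, otherwise a transaction that moves the price first and restores it afterwards captures the difference.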
Protocol had a logical weakness
Jimbos was launched less than three weeks ago and aimed to address token volatility and liquidity issues through a new approach. Its creators were going to issue a semi-stable cryptocurrency backed by a collection of tokens.
The mechanism turned out to be inadequate, leaving a logical weakness that made the protocol vulnerable to attacks.
According to PeckShield data, the exploiters stole 4,090 ETH from the Arbitrum Network. Then, they used the Celer Network and the Stargate bridge to transfer around 4,048 ETH from the Ethereum Mainnet.
Jimbos is working with security experts to get the money back. If the exploiter doesn’t return it voluntarily, they will contact law enforcement by 4 PM UTC today.
Arbitrum seems particularly vulnerable
Hacks of DeFi protocols are not a new phenomenon by any means. The DeFi space continues to be plagued by numerous attacks. On May 19, Swaprum, a decentralized exchange also based on the Arbitrum blockchain, disappeared with user deposits worth $3 million after a rug pull. The SWAP token’s value plummeted to zero thereafter.
The DeFi space struggles to protect its users from vulnerabilities and unauthorized access. Recently, the 0VIX protocol also fell victim to a flash loan attack, which led to a loss of nearly $2 million.
Tornado Cash was attacked earlier
An unidentified attacker or group took over the DAO handling the funds, operations, and projects of privacy mixer Tornado Cash, as Bankless Times reported on May 20.
The exploiter injected malicious code, hiding a key function and granting him fake votes, which he could use to withdraw locked Tornado Cash (TORN) tokens from the main governance contract. The attacker later proposed to reverse the malicious changes.