The attacker stole the money by taking advantage of the tokens’ lack of slippage control.
Jimbos Protocol is the latest protocol to be attacked, suffering a substantial loss of assets and adding to the rising number of decentralized finance (DeFi) protocol hacks in the cryptocurrency market.
Jimbos Protocol, a liquidity protocol on the Arbitrum network, was hacked on the morning of May 28, according to blockchain security company PeckShield. The attack resulted in the loss of 4,000 Ether, valued at around $7.5 million at the time.
The attacker specifically profited from the lack of slippage control on liquidity conversions. Because the price ranges in which the protocol's liquidity is invested do not have to be equal, attackers can reverse swap orders for their own benefit.
Although founded less than 20 days ago, Jimbos Protocol was designed to address liquidity and erratic token prices with a unique testing approach. However, the mechanism of the protocol was not sufficiently developed, resulting in a logical vulnerability that favored attackers. Jimbo (JIMBO), the underlying cryptocurrency, has seen a 40% decline in price as a result.
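The missing control described above, a minimum acceptable output on a liquidity conversion, is shown here as an added example; it is not Jimbos Protocol's code. The fee-less constant-product pool, the function names, the reference price and the 1% tolerance are all assumptions made for illustration.

```python
from dataclasses import dataclass

class SlippageExceeded(Exception):
    """The swap would return less than the caller's stated minimum."""

@dataclass
class Pool:
    """Fee-less constant-product pool (eth * token = k); a simplified stand-in."""
    eth: float
    token: float

    def swap_token_for_eth(self, token_in: float, min_eth_out: float = 0.0) -> float:
        eth_out = self.eth * token_in / (self.token + token_in)
        if eth_out < min_eth_out:
            # Revert before touching reserves, as an on-chain require() would.
            raise SlippageExceeded(f"got {eth_out:.6f} ETH, need >= {min_eth_out:.6f}")
        self.token += token_in
        self.eth -= eth_out
        return eth_out

def convert_unguarded(pool: Pool, token_in: float) -> float:
    # Weak form: a minimum of 0 means the conversion executes at any spot price.
    return pool.swap_token_for_eth(token_in, min_eth_out=0.0)

def convert_guarded(pool: Pool, token_in: float, reference_price: float,
                    max_slippage_bps: int = 100) -> float:
    # reference_price (ETH per token) must come from a source that the pool's
    # current spot price cannot move, e.g. a time-weighted average (assumption).
    min_out = token_in * reference_price * (1 - max_slippage_bps / 10_000)
    return pool.swap_token_for_eth(token_in, min_eth_out=min_out)

if __name__ == "__main__":
    REF = 0.001  # constructed reference price: 1000 ETH / 1,000,000 tokens
    balanced = Pool(eth=1000.0, token=1_000_000.0)
    print("balanced, guarded:", convert_guarded(balanced, 1000.0, REF))
    # Same k, but the spot price is now a quarter of the reference price.
    print("skewed, unguarded:", convert_unguarded(Pool(500.0, 2_000_000.0), 1000.0))
    try:
        convert_guarded(Pool(500.0, 2_000_000.0), 1000.0, REF)
    except SlippageExceeded as exc:
        print("skewed, guarded: reverted,", exc)
```

With the guard in place, the conversion against the skewed pool reverts and leaves the reserves untouched, while the unguarded call accepts roughly a quarter of the expected ETH.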
According to PeckShield's findings, the attackers pulled 4,090 ETH from the Arbitrum network. Subsequently, they used the Stargate bridge and the Celer Network to transfer roughly 4,048 ETH from the Ethereum network.
Hacks of DeFi protocols are not a new issue. While studies indicate a dramatic drop in the number of attacks compared with prior years, the community continues to be susceptible to countless exploits.
Despite efforts to strengthen security measures, the DeFi ecosystem still struggles with the continuous challenge of safeguarding against potential vulnerabilities and illegal access. One illustration is a recent flash loan attack on the 0VIX protocol, which caused a significant loss of around $2 million.
Another recent noteworthy incident was the theft at Tornado Cash, a major privacy-focused protocol. Unknown attackers effectively entered the system and extracted considerable quantities of Tornado Cash (TORN) tokens, resulting in major monetary losses.