1. This crypto-coin is called Jimbo. 2. $8m was stolen from its devs in flash loan attack
3. It's asked for 90% of the digital dosh back, or else it'll beg the cops for help
Just days after releasing the second – and supposedly more stable and secure – version of its decentralized finance (DeFi) app, Jimbos Protocol over the weekend was hit by attackers who stole stole 4,090 ETH tokens from the project worth about $7.5 million.
The developers behind the Arbitrum-based app were the apparent victims of a flash loan attack and now are scrambling to track down the light-fingered coders and retrieve the lost funds.
The biz acknowledged the May 28 attack and initially offered to let the attackers keep 10 percent of the loot if they returned the other 90 percent. However, after receiving no response, they are now turning to law enforcement to find the culprits and claw back the money.
"Over the past 24 hours, we've been working with security experts, bridges and exchanges," the Jimbos Protocol developers wrote on Twitter. "Thanks to their help, we've identified promising leads, and one in particular. We hope the attacker will *voluntarily* cooperate – before they have no choice but to once we pass their info."
The attack occurred three days after Jimbos Protocol launched the second version (V2) of its software. According to the developers behind it, the protocol – which launched about a month ago – is designed to address issues around volatility and liquidity, with a semi-stable floor price.
Vulnerable to a flash loan scam
However, blockchain analytics firm PeckShield said in a tweet that the hack of Jimbos Protocol "is due to the lack of slippage control of liquidity-shifting operation." The protocol-owned liquidity pool "is invested into a skewed/imbalanced price range, which is exploited in a reverse swap for profit."
The attacker was able to exploit the protocol through a flash loan, in which a user borrows a large amount of digital money – such as Ethereum – with the promise of paying them back almost immediately. The trick here is to take out a loan, use it to buy a large amount of other tokens, cause that token price to inflate, sell the tokens at high price, and pocket the difference.
In this case, the attackers borrowed 10,000 ETH in a flash loan, exchanged it for a large number of Jimbo coins, thus driving up the price, and then through some smart-contract shenanigans manipulated the operations of the app's liquidity pool, allowing them to convert the mountain of Jimbo tokens back into ETH, pay back the loan, and pocket a fat profit.
In the DeFi world, slippage is the difference between the actual and expected prices, and controls can be put in place to mitigate too much price volatility during the life of the transaction. That would be handy to help prevent flash loans from spiking prices, leading to vulnerable situations. It appears this wasn't properly done in the V2 software.
- Feds freeze $30m in cryptocurrency stolen from Axie Infinity
- DeFi venture OptiFi permanently locks up $661,000 of assets in code snafu
- Crypto sleuths pin $100 million Harmony theft on Lazarus Group
- Cryptocurrency 'rug pulls' cheated investors out of $8bn in 2021 – report
Analysts with Numen Cyber Labs wrote that after getting the flash loan, "the attacker exchanged the borrowed ETH for a substantial amount of Jimbo funds through the [ETH-Jimbo] trading pair, causing a surge in the current price of Jimbo. The attacker then transferred 100 JIMBO tokens to the JimboController contract."
The miscreants then exploited a vulnerability in the JimboController contract to manipulate the liquidity pool. After that, they converted the Jimbo tokens back into ETH and repaid the flash loan, keeping the profits.
Calling for backup
After first acknowledging the attack, the Jimbos Protocol developers said they were working with analysts who had helped victims of similar attacks – including Euler Finance and Sentiment, both DeFi platforms – regain some of the money lost.
On May 29, the biz addressed the attackers, telling them to "keep a fast $800k payday, and live to tell the tale. We won't pursue you if you send back the 90%. But if you don't, we won't stop until you're behind bars."
The Cyber Numan Labs analysts noted that "despite continuous efforts to strengthen security measures, the DeFi ecosystem continues to struggle to protect itself against potential vulnerabilities and unauthorized access."
Given this, DeFi projects need to work closely with security auditors to harden their platforms in hopes of deterring miscreants and reducing the chances of losing money in an attack. The losses can be substantial.
Vulnerable DeFi platforms
Euler Finance was hit by a flash loan attack in March, losing almost $200 million, though the culprit returned most of it. Sentiment lost about $1 million in an attack in April, with the attacker again returning the bulk of it within days.
Jimbos Protocol obviously was hoping for a similar outcome, though that has yet to happen.
The growing number of attacks on DeFi entities isn't surprising to Karl Steinkamp, director of delivery transformation and automation at cybersecurity consultancy Coalfire.
Steinkamp noted that there are more than 25,000 crypto assets listed on CoinMarketCap, with most based on Ethereum.
"We've seen this trend of targeting DeFi entities explode as the market for tokens has expanded," he told The Register. "Many of these digital assets are moving fast, which works well for innovation. However, at the same time, they are not taking the necessary due diligence and due care efforts to properly and continually make sure their platform and assets are protected from malicious attackers."
Talking about Jimbos Protocol and the exploitation of the code flaw for handing liquidity, Steinkamp said "this basic function should never have been able to be executed if the owners of the asset had run basic security and hardening efforts prior to releasing it into the production environment." ®