Latest $7.5M Hack Highlights Control Screw-Up On DeFi Protocol's System Design

Jimbos Protocol, a liquidity protocol operating under the Arbitrum system, lost thousands of Ethereum amounting to more than $7 million just days after it rolled out an inadequately developed mechanism via a new update that introduced a new testing approach but provided malicious actors favorable conditions to exploit its design flaw.

Jimbos is the latest decentralized finance (DeFi) protocol to fall into the hands of malicious actors who, according to blockchain security firm PeckShield, stole 4,090 ETH worth approximately $7.5 million (based on the current rate of Ether) over the weekend.

The breach, during which millions of dollars of funds were stolen, was not due to usual hacking strategies employed by malicious actors but via a flaw within the protocol itself, particularly its design system that lacks slippage control in its liquidity-shifting operations.

"This hack is due to the lack of slippage control of liquidity-shifting operation — such that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in reverse swap for profit," Peckshield said in a tweet.

In cryptocurrency, slippage is the difference between the anticipated trade price and the price at trade execution with the discrepancy occurring during high volatility periods and prices fluctuating in seconds.

In Jimbos' situation, the issue was not the slippage but the lack of control over it, which paved the way for the protocol-owed liquidity to be moved into an imbalanced price range.

The hackers exploited this flaw in the design and manipulated the liquidity to create an imbalance in the price range in reverse swap operations where they profited.

It is worth noting that Jimbos Protocol was launched less than a month ago, specifically on May 16, but contracted a smart contract bug that prevented the protocol from working as designed.

Users were advised at the time not to interact with the bug and wait for the new update of the protocol, which was rolled out three days ago to address volatile token prices and liquidity using a new approach.

The protocol's mechanism was not adequately built, and this resulted in a vulnerability that deliberately provided a favorable environment for malicious attackers.

The hackers also utilized the Stargate bridge and the Caler Network to move 4,048 ETH from the Ethereum network, according to Peckshield.

Following the hack, JIMBO, the native token of the protocol, nosedived by 40% and was trading in the red zero at $0.1919.

Jimbos announced on its Twitter account that it was working with security researchers and on-chain analysts concerning the hack and was set to work with law enforcement if the issue would still not be resolved by the following day.

"We are already working with multiple security researchers and on-chain analysts who helped with both the Euler Finance and Sentiment exploits," Jimbos noted, adding, "We will start working with law enforcement agencies tomorrow by 4PM UTC if this isn't sorted out by then."

JIMBO saw a 491% gain and was trading in the green zone at $0.1337 over the past 24 hours with a 24-hour volume of $56,469.22 as of 10:58 p.m. ET on Sunday, based on the latest data from CoinMarketCap.