Explained: The Jimbos Protocol Hack (May 2023)


Rob Behnke

May 30th, 2023

In May 2023, an attacker exploited a logical vulnerability in the Jimbos Protocol. This allowed the attacker to drain an estimated 4090 ETH ($7.5 million) from the protocol.

Inside the Attack

The Jimbos Protocol hack was made possible by a lack of slippage control in the Arbitrum-based project’s smart contract. Because the contract did not enforce slippage limits, liquidity invested by the protocol could be placed into price ranges that were not required to be balanced.

The attack began with a swap designed to unbalance the values of a trading pair. The attacker then used the shift function to force the protocol to invest into the unbalanced pair. A final reverse swap allowed them to extract a profit from the protocol by exploiting the imbalance they had created.
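The swap, shift, reverse-swap sequence described above, as a constructed Python model added here (not the Jimbos contract or Halborn's code): a toy constant-product pool whose rebalance either invests treasury ETH at the raw spot price or first checks that price against a reference (such as a TWAP taken before the swap) with an assumed 5% tolerance. Reserve sizes, the tolerance and the rebalance logic are assumptions for illustration.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.05  # assumed tolerance between spot and reference price (5%)


@dataclass
class Pool:
    """Toy constant-product pool (token * eth = k); a constructed model, not Jimbos."""
    token: float  # protocol token reserve
    eth: float    # ETH reserve

    def price(self) -> float:
        """ETH per token at the current reserves (the manipulable spot price)."""
        return self.eth / self.token

    def buy_token(self, eth_in: float) -> float:
        out = self.token * eth_in / (self.eth + eth_in)
        self.eth += eth_in
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        out = self.eth * token_in / (self.token + token_in)
        self.token += token_in
        self.eth -= out
        return out


def shift_unguarded(pool: Pool, treasury_eth: float) -> float:
    """Vulnerable rebalance: invests treasury ETH at whatever the spot price is."""
    return pool.buy_token(treasury_eth)


def shift_guarded(pool: Pool, treasury_eth: float, reference_price: float) -> float:
    """Hardened rebalance: refuse if spot price deviates too far from the reference."""
    deviation = abs(pool.price() - reference_price) / reference_price
    if deviation > MAX_DEVIATION:
        raise ValueError(f"spot price moved {deviation:.0%} from reference; shift rejected")
    return pool.buy_token(treasury_eth)


def run_sequence(guarded: bool, attacker_eth: float = 500.0, treasury_eth: float = 1000.0):
    """Swap -> shift -> reverse swap. Returns (attacker ETH profit, whether shift ran)."""
    pool = Pool(token=100_000.0, eth=1_000.0)  # constructed starting reserves
    reference = pool.price()                   # reference taken before the swap
    tokens = pool.buy_token(attacker_eth)      # 1. swap that unbalances the pair
    shifted = True
    try:                                       # 2. protocol rebalance (shift)
        if guarded:
            shift_guarded(pool, treasury_eth, reference)
        else:
            shift_unguarded(pool, treasury_eth)
    except ValueError:
        shifted = False                        # guarded shift refused the manipulated price
    return pool.sell_token(tokens) - attacker_eth, shifted   # 3. reverse swap
```

With no fees in the toy model, the round trip is neutral when the guarded shift refuses, and only the unguarded rebalance at a manipulated price turns the imbalance into a profit.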

The lack of adequate slippage controls allowed the attacker to steal $7.5 million from the 20-day-old protocol, causing its token value to drop by 40%. After stealing the tokens, the attacker used the Stargate bridge and Celer Network to move their stolen funds to the Ethereum network.

Lessons Learned From the Attack

The Jimbos Protocol hack underscores the risk posed by logical flaws in DeFi protocols. As a liquidity protocol, the Jimbos Protocol should have incorporated slippage protection that would have prevented the attacker from unbalancing a trading pair to the point where they could extract such massive profits.

Reviews of a smart contract’s logic — as well as its code — are an essential part of a smart contract audit. To learn more about securing your smart contracts, get in touch with Halborn.