by
Gracious Igwe

The $7.5 Million Flash Loan Unveiled: Jimbo’s Protocol

A concise analysis of the incident.

A significant flash loan attack has recently targeted Jimbo’s Protocol, resulting in a staggering loss of $7.5 million. In this article, we provide a concise analysis of the incident, shedding light on the key details and implications. Let’s dive in.

Following the relaunch of Jimbo’s Protocol with its v2 version to address issues encountered in the initial v1 release, concerns arose regarding the growing complexity of the protocol. Within three days, an attack took place, exposing a lack of slippage control in the `shift()` function of the JimboController contract. The attacker leveraged a flash loan to artificially inflate the price of JIMBO tokens, subsequently draining liquidity and causing a crash in the token’s value. The stolen funds, totaling 4,000 ETH ($7.5 million), were eventually transferred back to Ethereum.

Jimbo’s Protocol Code Analysis — AuditOne

As you can see in the provided code, there is an absence of price impact analysis prior to executing the rebalancing process. The function fails to account for the potential influence of liquidity changes on the price of JIMBO, thereby enabling the attacker to manipulate the token’s price and deplete all WETH liquidity from the contract.

In response, Jimbo’s Protocol has offered a 10% bounty as an incentive for the attacker to return the funds, although their response remains uncertain. Additionally, they have taken steps to involve the New York branch of the Department of Homeland Security, seeking to apprehend the attacker. More details can be found in this article:

https://www.coindesk.com/tech/2023/05/31/jimbos-protocol-to-work-with-us-homeland-security-to-help-recover-75m-from-flash-loan-exploit/

Now, you might be wondering how we can prevent such attacks in the future. Here are several strategies to consider:

Code Audits: This is crucial before launching a protocol. Security experts meticulously examine the codebase to identify vulnerabilities that attackers could exploit. Addressing these issues prior to deployment reduces the risk of successful attacks.

Slippage Control: The attack on Jimbo’s Protocol occurred due to a lack of slippage control in the shift() function of the JimboController contract. Slippage control entails implementing mechanisms that limit the impact of large transactions on token prices, thereby deterring attackers from manipulating prices and disrupting the protocol.

Testing and Simulation: Thoroughly testing and simulating protocols under various scenarios is crucial to uncover potential vulnerabilities or unexpected behavior. This rigorous process helps ensure that the protocol operates as intended and does not possess any exploitable weaknesses.

By adopting these preventive measures, we can enhance the security of crypto protocols and mitigate the risk of flash loan attacks or similar exploits.

About AuditOne

AuditOne is an Auditor pooling platform for smart contract audits, offering Peer-reviewed smart contract audits and other services in Web3.

We will match you with a pool of auditors tailored to your needs. With vetted 200+ auditors on our platform we have experts for any request while AuditOne handles all operations and oversees the process.

Request a smart contract audit: https://www.auditone.io/

Became an auditor: https://app.auditone.io/

Follow us on Twitter: https://twitter.com/auditone_team

Latest