Jimbos Protocol, an Arbitrum-based DeFi project, suffered a flash loan attack that resulted in the loss of over 4,000 ETH tokens, currently valued at over $7,500,000.
The company revealed the attack on Twitter yesterday, saying that law enforcement has been notified and that it is working with security professionals to remedy the situation.
The attack happened just three days after the platform launched its V2 protocol, at a time when many people had just invested in its “jimbo” token, and the perpetrator managed to steal 4,090 ETH tokens.
The jimbo token has a semi-stable floor price backed by assets, while the platform has mechanisms such as taxes and incentives in place to help maintain a stable value.
After the hack, however, jimbo’s price quickly crashed from $0.238 to just $0.0001 at the time of writing.
According to blockchain security experts at PeckShield, Jimbos Protocol fell victim to a flash loan attack that took advantage of the platform’s lack of slippage control.
Flash loans are transactions in which a user borrows a large amount of tokens and must repay them within the same transaction, i.e., immediately.
If the attacker exploits a loophole in the DeFi platform or manipulates the price of the token during this very short period between receiving the amount and repaying it, they can keep the difference at the lender’s expense.
We have seen this play out many times in theoretically well-secured and thoroughly audited loan protocols. A notable recent example is the flash loan attack that hit Euler Finance, resulting in a massive loss of $197 million.
In the case of the Jimbos Protocol, the attacker took out a $5.9 million flash loan, manipulated the market to skew the price range, traded the tokens, and escaped with 4,090 ETH.
Slippage control is a measure that limits token price changes to ensure that their fluctuation remains within an acceptable range from the start of a trade until its completion, in this case a flash loan.
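To make the slippage-control point concrete, here is an added illustration (not code from Jimbos Protocol or PeckShield): a toy constant-product pool with constructed reserves, where a minimum-output bound rejects a swap whose fill has been skewed by a large trade landing first in the same block, while the unchecked version fills at the manipulated price.

```python
class SlippageExceeded(Exception):
    """Raised when a trade would fill worse than the caller's bound."""


class Pool:
    """Constant-product pool (eth * token = k) with no fee; constructed for
    this example and unrelated to Jimbos' actual contracts."""

    def __init__(self, eth: float, token: float) -> None:
        self.eth, self.token = eth, token

    def quote_token_out(self, eth_in: float) -> float:
        """Tokens received for eth_in under x * y = k."""
        k = self.eth * self.token
        return self.token - k / (self.eth + eth_in)

    def swap_eth_for_token(self, eth_in: float, min_token_out: float) -> float:
        """Execute a swap, reverting if the fill is below min_token_out.
        min_token_out=0 disables slippage control (the weak setting)."""
        out = self.quote_token_out(eth_in)
        if out < min_token_out:
            raise SlippageExceeded(f"got {out:.2f}, required {min_token_out:.2f}")
        self.eth += eth_in
        self.token -= out
        return out


def run_scenario(user_eth_in: float = 10.0, max_slippage: float = 0.01) -> dict:
    """A user quotes a swap, then the reserves are skewed by a large trade in
    the same block before the user's swap executes. Returns what happens with
    and without a minimum-output bound."""
    pool = Pool(eth=1_000.0, token=1_000_000.0)   # constructed reserves
    quoted = pool.quote_token_out(user_eth_in)     # quote at submission time
    min_out = quoted * (1 - max_slippage)          # tolerate a 1% worse fill

    # A large trade moves the reserves (the kind of single-transaction price
    # move a flash loan makes possible): tokens per ETH collapse.
    pool.swap_eth_for_token(5_000.0, min_token_out=0)

    # Without slippage control the user is filled at the skewed price.
    unchecked = Pool(pool.eth, pool.token).swap_eth_for_token(user_eth_in, 0)

    # With slippage control the same swap reverts instead of filling badly.
    try:
        pool.swap_eth_for_token(user_eth_in, min_out)
        rejected = False
    except SlippageExceeded:
        rejected = True
    return {"quoted": quoted, "unchecked_fill": unchecked, "rejected": rejected}
```

On the constructed reserves the user was quoted roughly 9,901 tokens for 10 ETH, would receive under 300 without a bound, and is refused with one.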
Jimbos Protocol had warned investors about the “experimental” character of Jimbo V1, saying that “the contracts are not audited and […] any money you invest in this protocol may be lost due to unforeseen circumstances at any time.”
However, Jimbo V2 was supposedly designed to fix slippage and other obvious security issues. As such, it was presented as a more reliable investment opportunity, at least for a brief three-day period.
The incident placed Jimbos Protocol in a difficult situation, and the platform sent an on-chain message to the perpetrators demanding that they return 90% of the stolen funds in exchange for a promise not to take legal action against them.