Event Background
On May 28, 2023, the Jimbos Protocol project on the ARBITRUM chain was attacked by hackers. The attacker profited approximately 7.76 million US dollars. The attacker’s address is 0x102be4bccc2696c35fd5f5bfe54c1dfba416a741, and the stolen funds were transferred to the ETH chain and then moved to the address 0x5F3591e2921D5c9291F5b224E909aB978A22Ba7E.
Attack Steps
- The attacker borrowed 10,000 WETH through a flash loan.
2.The attacker obtained a large number of JIMBO tokens by exchanging WETH in the trading pool.
3. The attacker transferred 100 JIMBO tokens to the JimboController contract.
4. The attacker called the “shift” function to update the trading pool, transferring both WETH and JIMBO tokens from the contract to the trading pool. At this stage, the price of JIMBO tokens was maliciously manipulated to increase significantly.
5. The attacker proceeded to exchange tokens using the manipulated prices after the update.
6.The attacker repeated the aforementioned steps and nearly emptied the pool before exiting with their profits.
In this attack, the attacker obtained a total profit of approximately 4,048 ETH, which is equivalent to approximately 7,763,360 US dollars.
Vulnerability Analysis:
The core vulnerability lies in the “shift()” function of the JimboController contract. This function allows for the updating of liquidity in the trading pool. However, it lacks restrictions on the caller’s identity. This means that anyone can call this function to perform operations on updating the trading pool. During the process of re-adding liquidity, all balances in the contract are transferred to the trading pool. Additionally, there is no check on token prices when re-adding liquidity. Exploiting this vulnerability, the attacker maliciously manipulated the token price and called the function to transfer control of the JimboController contract, thereby generating profits.
Funds Origin and Flow:
the attacker’s initial transaction fees were transferred into the address through a cross-chain transfer.
The attacker transferred the profits obtained from the attack to the corresponding address on the ETH chain through a cross-chain contract. Afterward, they transferred the funds to the address 0x5F3591e2921D5c9291F5b224E909aB978A22Ba7E. Currently, the funds remain in this address without any further movement.
Summary and Recommendations:
This attack occurred due to the presence of price slippage in the token and the lack of user permissions and price slippage checks in the update trading pool function of the contract. This allowed the attacker to maliciously manipulate the token price and profit by transferring ETH from the contract to the trading pool through token exchanges.
Security Recommendations:
- It is recommended to implement user permissions for the update trading pool function in the contract.
- Consider adding conditions to the update trading pool function to check for token price slippage, preventing malicious manipulation.
- It is advisable for project teams to conduct multiple audits before deployment to avoid missing any crucial audit steps.
