The project that Brother Maji bought with a lot of money was hacked? Analyzing Jimbos protocol attack events

On May 28, 2023, according to the Beosin-Eagle Eye situational awareness platform, the JimboController contract of the Jimbos protocol was hacked, and the hacker made a profit of about 7.5 million US dollars.

According to its official website, Jimbos Protocol is an experimental "responsive concentrated liquidity" protocol deployed on Arbitrum. Its main token, $JIMBO, is designed so that the protocol periodically rebalances its own liquidity under changing market conditions in order to improve capital efficiency.

Huang Licheng, better known as Brother Maji, spent millions of dollars buying this project's tokens only a few days ago. After the attack, the related tokens plummeted as well. I don't know how Brother Maji feels now.

The Beosin security team analyzed the incident immediately after it occurred and shares its findings below.

Event related information

Attack transaction

0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda (one of them)

Attacker address

0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract

0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract

0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack process

This attack consisted of multiple transactions; we use one of them for the analysis.

  1. The attacker first borrows 10,000 WETH through a flash loan.

  2. The attacker then swaps a large amount of the WETH for JIMBO tokens, driving up the JIMBO price.

  3. The attacker then transfers 100 JIMBO tokens to the JimboController contract in preparation for the subsequent liquidity addition (because the JIMBO price has risen, only a small amount of JIMBO is needed to add liquidity).

  4. The attacker then calls the shift function, which removes the existing liquidity and adds new liquidity. Because shift uses the contract's own funds to add liquidity, all of the WETH held by the JimboController contract is added to the pool.

  5. Because liquidity is added while the pool is in an unbalanced state (the amount of each token to add is calculated from the current price, so the contract effectively takes the other side of the attacker's trade at the inflated price), the attacker is able to obtain more WETH. Finally, the attacker swaps the JIMBO back into WETH to realize the profit.

Vulnerability analysis

This attack mainly exploits a vulnerability in the JimboController contract: anyone can call the shift function and make the contract remove and re-add liquidity, and because the new position is sized from the current price, the contract ends up buying JIMBO at the manipulated high price.
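To make the vulnerable pattern concrete, here is a simplified illustration (added for this analysis, not the JimboController source code) of an unprotected rebalance function beside a hardened version; the IPool, IPriceReference and IERC20 interfaces, the keeper role and the 3% deviation bound are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified illustration only, not the JimboController source. The IPool and
// IPriceReference interfaces and all function names are assumptions.
interface IERC20 { function balanceOf(address) external view returns (uint256); }
interface IPool {
    function spotPrice() external view returns (uint256);   // JIMBO per WETH, 1e18 scaled
    function removeAllLiquidity() external;
    function addLiquidity(uint256 weth, uint256 jimbo, uint256 price) external;
}
interface IPriceReference { function twap() external view returns (uint256); }

// Before: anyone may call shift(), and the new position is sized from the spot
// price at call time. A caller who has just moved that price with a large swap
// therefore sets the terms on which the contract's entire WETH balance is
// redeployed, which is the condition described above.
contract VulnerableController {
    IPool public immutable pool; IERC20 public immutable weth; IERC20 public immutable jimbo;
    constructor(IPool p, IERC20 w, IERC20 j) { pool = p; weth = w; jimbo = j; }
    function shift() external {
        pool.removeAllLiquidity();
        pool.addLiquidity(weth.balanceOf(address(this)), jimbo.balanceOf(address(this)), pool.spotPrice());
    }
}

// After: shift() is restricted to a keeper role and refuses to rebalance when the
// spot price deviates from a time-weighted reference by more than a bound, so a
// single-block price move cannot dictate the rebalance.
contract HardenedController {
    IPool public immutable pool; IERC20 public immutable weth; IERC20 public immutable jimbo;
    IPriceReference public immutable reference;
    address public immutable keeper;
    uint256 public constant MAX_DEVIATION_BPS = 300; // 3%, example bound (assumption)

    constructor(IPool p, IERC20 w, IERC20 j, IPriceReference r, address k) {
        pool = p; weth = w; jimbo = j; reference = r; keeper = k;
    }

    function shift() external {
        require(msg.sender == keeper, "not keeper");
        uint256 spot = pool.spotPrice();
        uint256 ref = reference.twap();
        uint256 diff = spot > ref ? spot - ref : ref - spot;
        require(diff * 10_000 <= ref * MAX_DEVIATION_BPS, "spot price too far from reference");
        pool.removeAllLiquidity();
        pool.addLiquidity(weth.balanceOf(address(this)), jimbo.balanceOf(address(this)), spot);
    }
}
```

The deviation check is a minimum, not a full defence: a reference price that can itself be moved cheaply over a few blocks needs a longer averaging window or an independent oracle.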


Funds Tracking

As of the time of writing, the stolen funds have not been moved by the attacker, and 4048 ETH remain at the attacker's address.


Summary

In response to this incident, the Beosin security team recommends that, during contract development, the funds held by a contract must not be exposed to manipulation by arbitrary external callers, and that before a project goes live a professional security audit firm be engaged to perform a comprehensive security audit in order to avoid security risks.
