Jimbos, a liquidity protocol built on Arbitrum, lost a significant amount of funds in a May 28 exploit — less than 20 days after its launch.
Blockchain security firm PeckShield flagged the exploit on Twitter, noting that the protocol’s native token JIMBO had dropped 40%. The firm estimated the total loss of funds amounted to 4,090 ETH, worth around $7.5 million at the time.
Here comes the flow of stolen funds. @jimbosprotocol pic.twitter.com/HkUtTFZILv
— PeckShieldAlert (@PeckShieldAlert) May 28, 2023
The exploiters took advantage of the protocol's lack of slippage controls to execute a flash loan attack. Slippage is the difference between the price at which a trade is requested and the price at which it is actually executed. In this case, the exploiters were able to manipulate liquidity and create an imbalanced price range.
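What a slippage control does can be shown on a generic constant-product pool. The sketch below is an added illustration, not code from Jimbos or from PeckShield's analysis. The pool model, the `min_out` parameter, the 1% tolerance and all balances are constructed assumptions.

```python
from fractions import Fraction

class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum."""

class Pool:
    """Generic fee-less constant-product pool (eth * token = k); a constructed model."""
    def __init__(self, eth, token):
        self.eth, self.token = Fraction(eth), Fraction(token)

    def quote(self, eth_in):
        # Tokens paid out for eth_in while keeping eth * token constant.
        k = self.eth * self.token
        return self.token - k / (self.eth + eth_in)

    def swap(self, eth_in, min_out=0):
        out = self.quote(eth_in)
        if out < min_out:  # the slippage control: refuse and leave state untouched
            raise SlippageExceeded(f"got {float(out):.2f}, need {float(min_out):.2f}")
        self.eth += eth_in
        self.token -= out
        return out

def slippage(expected, actual):
    """Fraction of the requested-price output that was lost at execution."""
    return (expected - actual) / expected

def run_scenario(tolerance=Fraction(1, 100)):
    # Constructed numbers: 1,000 ETH / 1,000,000 tokens, a 10 ETH trade.
    expected = Pool(1000, 1_000_000).quote(10)  # output at the requested price
    min_out = expected * (1 - tolerance)

    results = {"expected": expected}
    for name, guard in (("unguarded", 0), ("guarded", min_out)):
        pool = Pool(1000, 1_000_000)
        pool.swap(3000)  # a large prior trade skews the pool price
        try:
            out = pool.swap(10, min_out=guard)
            results[name] = ("executed", out, slippage(expected, out))
        except SlippageExceeded:
            results[name] = ("reverted", None, None)
    return results

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

With these constructed balances the unguarded trade executes and loses about 94% of its expected output, while the guarded trade is rejected and leaves the pool unchanged.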
“We are already working with multiple security researchers and on-chain analysts who helped with both the Euler Finance and Sentiment exploits. We will start working with law enforcement agencies tomorrow by 16:00 UTC if this isn’t sorted out by then,” said the Jimbos team in a Twitter update.
The team also sent a message embedded in a blockchain transaction to the exploiter’s wallet address, offering to cease all investigations if the exploiter returns 90% of the stolen funds.
The exploit comes just three days after Version 2 of the Jimbos Protocol went live. An earlier Version 1 (V1) of the protocol was deployed on May 16 but encountered problems shortly after launch. The team behind the protocol advised users to stop all interactions with the token, dubbing V1 contracts “irreparably broken.”