Understanding Jimbos Protocol Exploit


Learn how the Jimbos Protocol was exploited, resulting in a loss of funds worth approximately 4048 ETH.

TL;DR

On May 28, 2023, the Jimbos Protocol was the target of a price manipulation attack, which resulted in a loss of 4048 ETH, worth approximately $7.7 million.

Introduction to Jimbos Protocol

Jimbo is a proof of concept designed to test the limits of on-chain liquidity and price floors.

Vulnerability Assessment

The root cause of the vulnerability is the lack of slippage control in the `shift` function of the contract, which enables the addition and removal of substantial amounts of liquidity in their pool.

Because liquidity was added at the prevailing token prices, the attacker was able to create a price imbalance in the ETH/JIMBO pair and acquire a large amount of ETH at the resulting inflated price.

Steps

Step 1:

We attempted to analyse one of the attack transactions executed by the exploiter.

Step 2:

The attacker initially took a flash loan of 10,000 ETH and swapped it for a significant amount of JIMBO tokens in their ETH/JIMBO pool.

Step 3:

This swap caused a surge in the price of the JIMBO tokens.

Step 4:

The exploiter then initiated a call to transfer approximately 100 JIMBO tokens to the JimboController contract.

Step 5:

The exploiter was then able to manipulate the token balance in the liquidity pool through add-liquidity and remove-liquidity operations, triggered by calling the `shift` function of the JimboController contract.

Step 6:

The process was repeated several times, and the excess amount of JIMBO tokens was transferred back to the ETH pool.

Step 7:

The borrowed flash loan amount was repaid, letting the attacker secure a huge amount of profit.

Step 8:

The attacker bridged the stolen funds from the Arbitrum One chain to the Ethereum mainnet and currently holds them at this address.

Aftermath

Following the exploit, the team acknowledged the occurrence of the event and stated that they were in contact with law enforcement agencies and security professionals.

The team sent an on-chain message to the hacker asking them to return 90% of the funds, after which all investigations would be stopped.

Solution

One of the key points in securing DeFi protocols is the implementation of strict transaction controls and slippage control mechanisms. The lack of such a control in the shift function, which allowed substantial liquidity to be added and removed from the Jimbos pool, created a vulnerability in this case.

Introducing a slippage tolerance limit that the user sets for each transaction can help prevent similar price manipulations in the future. The transaction would be required to revert if the price impact of the swap exceeds the user's specified tolerance. In addition, incorporating mechanisms to monitor unusual activity, such as sudden large changes in liquidity, can help identify potential attacks before they fully unfold.
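The slippage check described above, as an added example that is not Jimbos Protocol's code: a simplified pool model in Python in which a rebalance entry point refuses to run when the spot price has moved too far from a reference. The constant-product pool, the `guarded_shift` name, the reserve figures and the 1% tolerance are all assumptions made for illustration.

```python
# Added illustration: a constant-product (x*y=k) pool is assumed; fees ignored.
BPS = 10_000  # basis points in 100%

class SlippageExceeded(Exception):
    """Stands in for an on-chain revert."""

class Pool:
    def __init__(self, eth, jimbo):
        self.eth, self.jimbo = eth, jimbo  # reserves in whole-token units

    def price_e18(self):
        """Spot price of 1 JIMBO in ETH, scaled by 1e18 (integer math, as on-chain)."""
        return self.eth * 10**18 // self.jimbo

    def swap_eth_for_jimbo(self, eth_in):
        """Swap ETH in for JIMBO out while keeping eth * jimbo >= k."""
        k = self.eth * self.jimbo
        new_eth = self.eth + eth_in
        new_jimbo = -(-k // new_eth)  # ceiling division so k never shrinks
        out = self.jimbo - new_jimbo
        self.eth, self.jimbo = new_eth, new_jimbo
        return out

def deviation_bps(spot, reference):
    """Absolute distance of spot from reference, in basis points."""
    return abs(spot - reference) * BPS // reference

def guarded_shift(pool, reference_price_e18, max_deviation_bps):
    """Hypothetical rebalance entry point with a slippage guard.

    The reference must come from outside the current transaction (a
    caller-supplied expected price or a time-averaged price); a spot
    price read in the same transaction can already be manipulated.
    """
    dev = deviation_bps(pool.price_e18(), reference_price_e18)
    if dev > max_deviation_bps:
        raise SlippageExceeded(f"spot deviates {dev} bps from reference")
    # Liquidity would be moved here, at a price that passed the check.
    return dev

def demo():
    pool = Pool(eth=1_000, jimbo=1_000_000)      # constructed reserves
    reference = pool.price_e18()                 # price before manipulation
    honest = guarded_shift(pool, reference, 100) # 1% tolerance, passes
    pool.swap_eth_for_jimbo(10_000)              # flash-loan-sized swap (step 2)
    try:
        guarded_shift(pool, reference, 100)
        reverted = False
    except SlippageExceeded:
        reverted = True
    return honest, reverted, deviation_bps(pool.price_e18(), reference)
```

`demo()` returns the deviation seen at the honest price, whether the guarded call reverted after the large swap, and the deviation that triggered the revert.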

Despite all precautions, however, it is impossible to predict and prevent every potential attack. That's where Neptune Mutual comes in. The aftermath of this attack could have been significantly mitigated if the team associated with Jimbos Protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. Neptune Mutual offers coverage to users who have suffered a loss of funds or digital assets due to smart contract vulnerabilities through their parametric insurance policies.

Those who purchase these parametric cover policies do not need to provide evidence of their losses to claim payouts. Once an incident is confirmed and resolved through Neptune Mutual's incident resolution system, payouts can be claimed immediately. Currently, Neptune Mutual's marketplace is operational on two popular blockchain networks, Ethereum and Arbitrum.

In addition to this coverage, Neptune Mutual's security team would have performed an evaluation of the Jimbos Protocol platform for potential vulnerabilities. This includes checks for DNS and web-based security, frontend and backend security, as well as intrusion detection and prevention.

 

Reference Source PeckShield
