- Hackers exploit Jimbo protocol’s vulnerabilities, causing a loss of $7.5 million.
- Activity on Trader Joe was severely impacted; however, there was no impact on the price of JOE.
On 28 May, crypto security firm PeckShield flagged suspicious activity on the Jimbo protocol. Jimbo is a DeFi liquidity protocol with its own native token, JIMBO, which was launched through TraderJoe [JOE].
Hi @jimbosprotocol , you may want to take a look: https://t.co/ayOYcMnHXJ
— PeckShield Inc. (@peckshield) May 28, 2023
Poor slippage control and its impacts
After further investigation, PeckShield reported that the hack led to the loss of 4090 Ether [ETH], worth around $7.5M. The security breach resulted from inadequate slippage control in the liquidity-shifting operation, leading to the allocation of the protocol’s owned liquidity into a price range that exhibited skewness or imbalance.
It appears today’s @jimbosprotocol hack leads to the 4090 ETH loss (w/ ~$7.5M).
This hack is due to the lack of slippage control of liquidity-shifting operation — such that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in… https://t.co/wnQAeksojz pic.twitter.com/TPlqNlvnZD
— PeckShield Inc. (@peckshield) May 28, 2023
For context, slippage control refers to a mechanism or feature that helps manage price slippage during trading or liquidity operations. Price slippage occurs when there is a discrepancy between the expected price of an asset and the actual executed price. In the context of liquidity-shifting operations, slippage control aims to minimize the impact of large trades or shifts in liquidity on the asset’s price.
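The sketch below is an added example, not code from Jimbo, Trader Joe or PeckShield. It shows the two usual forms of slippage control on a constant-product toy pool: a minimum-output floor on a swap, and a price-deviation check before protocol-owned liquidity is shifted. The names Pool, shift_liquidity, reference_price and max_deviation_bps are hypothetical, and the reference price is assumed to come from a source a single trade cannot move.

```python
# Added toy model (constant-product pool); every name here is hypothetical.
BPS = 10_000   # basis-point denominator
WAD = 10**18   # fixed-point scale for amounts and prices

class SlippageError(Exception):
    """Raised where an on-chain implementation would revert."""

class Pool:
    def __init__(self, token_reserve, eth_reserve):
        self.token_reserve, self.eth_reserve = token_reserve, eth_reserve

    def spot_price(self):
        """ETH per token, scaled by WAD."""
        return self.eth_reserve * WAD // self.token_reserve

    def swap_eth_for_token(self, eth_in, min_token_out):
        """Trade-level control: fail if the output is below the caller's floor."""
        token_out = self.token_reserve * eth_in // (self.eth_reserve + eth_in)
        if token_out < min_token_out:
            raise SlippageError(f"got {token_out}, wanted >= {min_token_out}")
        self.eth_reserve += eth_in
        self.token_reserve -= token_out
        return token_out

def deviation_bps(price, reference_price):
    """Absolute deviation of price from reference_price, in basis points."""
    return abs(price - reference_price) * BPS // reference_price

def shift_liquidity(pool, owned_eth, reference_price, max_deviation_bps):
    """Add protocol-owned liquidity at the current spot price, but only if spot
    is within max_deviation_bps of reference_price (assumed manipulation-resistant)."""
    spot = pool.spot_price()
    dev = deviation_bps(spot, reference_price)
    if dev > max_deviation_bps:
        raise SlippageError(f"spot is {dev} bps from reference, limit {max_deviation_bps}")
    tokens = owned_eth * pool.token_reserve // pool.eth_reserve  # keep the ratio
    pool.eth_reserve += owned_eth
    pool.token_reserve += tokens
    return spot

def demo():
    pool = Pool(1_000_000 * WAD, 1_000 * WAD)   # constructed sample reserves
    reference = pool.spot_price()               # 0.001 ETH per token
    placed_at = shift_liquidity(pool, 100 * WAD, reference, 100)  # balanced: allowed
    pool.swap_eth_for_token(500 * WAD, min_token_out=0)  # large trade skews the price
    try:
        shift_liquidity(pool, 100 * WAD, reference, 100)
    except SlippageError:
        return placed_at, True                  # skewed pool: shift refused
    return placed_at, False
```

With the check in place, the second shift is refused because the pool price has moved far more than the 100 basis points allowed; without it, the liquidity would be placed at the skewed price.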
This vulnerability was then exploited through a reverse swap mechanism, which enabled the attackers to generate profits from the manipulated price movements.
A reverse swap mechanism, also known as a “flash loan attack,” is a type of exploit where an attacker borrows a large sum of assets (typically through a flash loan) and manipulates the market to their advantage. The attacker executes a series of trades or transactions that intentionally impact the price or liquidity of certain assets, creating an opportunity for profit.
Once the manipulation is successful and the desired outcome is achieved, the attacker repays the borrowed assets, typically within the same transaction, leaving them with the profit and no net exposure to risk.
Holders left to deal with JOE
Due to the events that unfolded, the price of JIMBO fell by 40%, impacting token holders negatively.
#PeckShieldAlert $JIMBO has dropped -40% https://t.co/fXZPG27zdM pic.twitter.com/zMPs75jUtK
— PeckShieldAlert (@PeckShieldAlert) May 28, 2023
TraderJoe, a DEX protocol launched on Arbitrum [ARB] and Avalanche [AVAX], was used to create JIMBO. At press time, the daily activity on TraderJoe and the revenue generated by the protocol had declined significantly over the last 24 hours.
The prices of the ARB and JOE tokens have declined materially over the last few months. However, there has been little impact on either token's price over the last 24 hours.
Source: https://ambcrypto.com/trader-joe-jimbo-protocol-attacked-are-your-holdings-safe/