
SharkTeam: Analysis of the Jimbos Protocol Flash Loan Attack Principle

On May 28, 2023, Beijing time, Jimbos Protocol fell victim to a flash loan attack in which the attacker profited approximately $7.5 million. SharkTeam promptly conducted a technical analysis of the incident and summarized security measures, in the hope that future projects can learn from it and strengthen the security defenses of the blockchain industry.

1. Incident analysis

Attacker address: 0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract: 0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract: 0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack transaction: 0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda

Attack process:

1. The attacker (0x102be4bc) borrows 10,000 ETH through a flash loan.

2. The attacker swaps a large amount of that ETH (as WETH) for JIMBO in the liquidity pool, pushing the pool price of JIMBO up.

3. The attacker (0x102be4bc) transfers 100 JIMBO tokens to the attacked contract (0x271944d9).

4. The attacker calls the shift function of the attacked contract (0x271944d9).

5. Steps 2 to 4 are repeated several times.

6. Finally, the attacker swaps the JIMBO back to ETH, repays the flash loan and leaves with the profit.

Vulnerability analysis:

This attack exploits a vulnerability in the JimboController (0x271944d9) contract. Its shift function lets the contract remove liquidity and then add it back. When adding liquidity, JimboController (0x271944d9) sends its entire WETH balance into the pool.

In step 2 the attacker (0x102be4bc) used a large amount of WETH to buy a large amount of JIMBO from the liquidity pool, which drove the pool price of JIMBO very high. The attacker then called the shift function of JimboController (0x271944d9). Its liquidity-adding step sends all WETH held by the contract (including the WETH the contract held before the attack) into the pool at that manipulated price. The pool now holds far more WETH while the JIMBO price is still inflated, so when the attacker swaps the JIMBO acquired in step 2 back to WETH, they drain not only the pool's original WETH but also the WETH that JimboController (0x271944d9) has just deposited.

Summary of the incident:

The root cause of this incident is a flaw in the shift function of the JimboController (0x271944d9) contract. Anyone can call it, and when called it adds liquidity using all of the WETH the contract holds, at whatever price the pool currently shows. The function performs no check against price manipulation, so an attacker who first distorts the pool price can make the contract take the other side of their trade at that price.

2. Security Recommendations

In light of this attack, developers should keep the following in mind during the development process:

1. Exercise greater caution regarding the risk of price manipulation when developing functions that add or remove liquidity: do not commit protocol funds at the pool's spot price without validating that price, and restrict who can trigger such operations.

2. Prior to project deployment, engage a third-party professional auditing team for a smart contract audit.
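The mechanism described in the vulnerability analysis and the first recommendation above, reduced to a runnable model. This is an added example, not SharkTeam's or Jimbos Protocol's code: the pool is modelled as a fee-less constant-product AMM, shift() as a single-sided WETH deposit at the current spot price, and the operator check plus price-deviation guard in GuardedController is one hypothetical mitigation, not what the project shipped. All reserves, loan sizes and addresses are constructed sample values; step 3 (the 100 JIMBO transfer) and the looping in step 5 are omitted because one round is enough to show where the WETH goes.

```python
"""Toy replay of the shift() price-manipulation bug (added illustration).

Assumptions, not facts about the incident: fee-less constant-product pool,
single-sided WETH deposit in shift(), constructed sample balances.
"""
from fractions import Fraction as F


class Pool:
    """Constant-product WETH/JIMBO pool, x * y = k, no swap fee (simplified)."""

    def __init__(self, weth, jimbo):
        self.weth = F(weth)
        self.jimbo = F(jimbo)

    def spot_price(self):
        """WETH per JIMBO: the value the attacker inflates in step 2."""
        return self.weth / self.jimbo

    def swap_weth_for_jimbo(self, weth_in):
        k = self.weth * self.jimbo
        self.weth += F(weth_in)
        jimbo_out = self.jimbo - k / self.weth
        self.jimbo -= jimbo_out
        return jimbo_out

    def swap_jimbo_for_weth(self, jimbo_in):
        k = self.weth * self.jimbo
        self.jimbo += F(jimbo_in)
        weth_out = self.weth - k / self.jimbo
        self.weth -= weth_out
        return weth_out

    def deposit_weth(self, amount):
        """Single-sided liquidity add: the WETH joins the reserves at spot price."""
        self.weth += F(amount)


class VulnerableController:
    """Mirrors the bug: shift() has no caller restriction and commits the
    controller's whole WETH balance at whatever price the pool shows."""

    def __init__(self, pool, weth_balance):
        self.pool = pool
        self.weth = F(weth_balance)

    def shift(self, caller):
        self.pool.deposit_weth(self.weth)
        self.weth = F(0)


class GuardedController(VulnerableController):
    """Hypothetical hardening (not the project's code): only a designated
    operator may rebalance, and the spot price must stay within
    max_deviation of the price recorded at the previous rebalance."""

    def __init__(self, pool, weth_balance, operator, max_deviation=F(1, 20)):
        super().__init__(pool, weth_balance)
        self.operator = operator
        self.max_deviation = F(max_deviation)
        self.anchor_price = pool.spot_price()

    def shift(self, caller):
        if caller != self.operator:
            raise PermissionError("shift: caller is not the operator")
        price = self.pool.spot_price()
        if abs(price - self.anchor_price) / self.anchor_price > self.max_deviation:
            raise ValueError("shift: spot price deviates too far from anchor")
        super().shift(caller)
        self.anchor_price = price


def run_attack(controller_cls, flash_loan, caller="0xattacker",
               pool_weth=100, pool_jimbo=100_000, controller_weth=50, **kw):
    """Replay steps 1, 2, 4 and 6 against a fresh pool.

    Returns (attacker_profit_in_weth, blocked), where blocked is the name of
    the exception that stopped shift(), or None if shift() ran."""
    pool = Pool(pool_weth, pool_jimbo)
    controller = controller_cls(pool, controller_weth, **kw)
    loan = F(flash_loan)
    jimbo = pool.swap_weth_for_jimbo(loan)       # step 2: buy JIMBO, price spikes
    blocked = None
    try:
        controller.shift(caller)                  # step 4: controller deposits all WETH
    except (PermissionError, ValueError) as exc:
        blocked = type(exc).__name__
    weth_back = pool.swap_jimbo_for_weth(jimbo)   # step 6: sell JIMBO, repay loan
    return weth_back - loan, blocked


def closed_form_profit(flash_loan, pool_weth, controller_weth):
    """Algebra of the vulnerable case: profit = D * L / (W0 + L), with D the
    controller's WETH, L the loan and W0 the pool's WETH. As L grows the
    attacker captures nearly all of D, which is why the flash loan matters."""
    L, W0, D = F(flash_loan), F(pool_weth), F(controller_weth)
    return D * L / (W0 + L)


if __name__ == "__main__":
    for loan in (100, 10_000):
        profit, _ = run_attack(VulnerableController, loan)
        print(f"vulnerable, loan={loan:>6}: attacker profit {float(profit):.2f} WETH")
    profit, why = run_attack(GuardedController, 10_000, operator="0xoperator")
    print(f"guarded, attacker calls shift: profit {float(profit)} ({why})")
    profit, why = run_attack(GuardedController, 10_000, caller="0xoperator",
                             operator="0xoperator")
    print(f"guarded, operator calls at manipulated price: profit {float(profit)} ({why})")
```

With the sample pool of 100 WETH and a controller balance of 50 WETH, a 100 WETH loan extracts 25 WETH and a 10,000 WETH loan extracts about 49.5 WETH, matching closed_form_profit: the larger the loan relative to the pool, the closer the attacker gets to the controller's entire balance. In the guarded variant the attacker is stopped by the caller check, and even the legitimate operator is refused while the price is distorted. A deviation check against the previous rebalance is the minimum; a time-weighted or external reference price is stronger, and the caller restriction matters on its own because it removes the attacker's ability to choose when the deposit happens.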

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.

Official website: https://www.sharkteam.org/

Twitter: https://twitter.com/sharkteamorg

Discord: https://discord.gg/jGH9xXCjDZ

Telegram: https://t.me/sharkteamorg
