Zero Hour Technology | The Jimbos Protocol project on the Arbitrum chain was hacked, and the attacker made a profit of about 7.76 million US dollars


Event background

Zero Hour Technology's blockchain security intelligence platform detected that on May 28, 2023 (Beijing time), the Jimbos Protocol project on the Arbitrum chain was attacked, and the attacker made a profit of about 7.76 million US dollars.

The attacker address is:

0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

The stolen funds were bridged to the Ethereum chain and then transferred to the following address:

0x5F3591e2921D5c9291F5b224E909aB978A22Ba7E

The Zero Hour Technology security team promptly analyzed this security incident; the analysis follows.

Attack steps

1. The attacker borrows 10,000 WETH through a flash loan.

2. The attacker swaps the WETH for a large amount of JIMBO tokens in the trading pool.

3. The attacker transfers 100 JIMBO tokens to the JimboController contract.

4. The attacker calls the shift function to update the trading pool, which transfers the WETH and JIMBO tokens held by the contract into the pool. At this point the JIMBO token price has already been maliciously inflated.

5. The attacker swaps at the updated price.

6. The attacker repeats the above steps, nearly draining the pool, and exits with the profit.

In this attack, the attacker made a total profit of about 4,048 ETH, approximately $7,763,360.

Core vulnerability

The shift() function in the JimboController contract updates the liquidity of the trading pool, but it places no restriction on the identity of the caller: anyone can call it to perform the pool update. When liquidity is re-added, all token balances held by the contract are transferred into the trading pool, and the token price is not checked at that point. An attacker can therefore maliciously inflate the token price and then call the function, so that the JimboController contract effectively buys in at the inflated price, and profit from the resulting swap.


Source and flow of funds

  • Sources of funds

The attack address's initial funds for transaction fees were received through a cross-chain bridge.


  • Flow of funds

The attacker transferred the profits to the corresponding address on the Ethereum chain through a cross-chain contract, and then moved the funds to the address 0x5F3591e2921D5c9291F5b224E909aB978A22Ba7E. The funds remain at this address.


Summary and Recommendations

This attack stems from token price slippage: the contract's pool-update function has no caller authorization and does not check price slippage, so the attacker could manipulate the token price, cause the ETH held by the contract to be moved into the trading pool, and then profit through token swaps.

Security advice

  • Restrict the pool-update function in the contract to authorized callers.
  • Add a token price check when updating the trading pool, so that the update is rejected when the slippage is too large, to prevent malicious manipulation of the token price.
  • Have the project undergo multiple audits before launch to avoid gaps in audit coverage.
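The following Solidity sketch is an added illustration of the two controls recommended above and of the missing-check pattern described under "Core vulnerability"; it is not the Jimbos Protocol's code and is not derived from it. The interface names, the spotPrice()/addLiquidity() calls, the contract names and the 5% tolerance are all assumptions chosen for the example. The vulnerable contract moves its entire balance into the pool on any caller's request at whatever spot price the pool reports; the hardened contract restricts the caller and refuses to rebalance when the pool's spot price has drifted too far from a trusted reference price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces for this illustration; they are not the
// Jimbos Protocol's real ABI.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IPool {
    // Spot price of JIMBO denominated in WETH, scaled by 1e18 (assumed).
    function spotPrice() external view returns (uint256);
    // Pulls the approved amounts from msg.sender into the pool (assumed).
    function addLiquidity(uint256 wethAmount, uint256 jimboAmount) external;
}

// Vulnerable pattern (constructed to mirror the flaw described above):
// shift() is callable by anyone and pushes the contract's entire WETH and
// JIMBO balance into the pool at whatever spot price the pool currently
// reports, so the contract's liquidity is added at a manipulated price.
contract VulnerableController {
    IERC20 public immutable weth;
    IERC20 public immutable jimbo;
    IPool public immutable pool;

    constructor(IERC20 weth_, IERC20 jimbo_, IPool pool_) {
        weth = weth_;
        jimbo = jimbo_;
        pool = pool_;
    }

    function shift() external {
        uint256 w = weth.balanceOf(address(this));
        uint256 j = jimbo.balanceOf(address(this));
        weth.approve(address(pool), w);
        jimbo.approve(address(pool), j);
        pool.addLiquidity(w, j); // no caller check, no price check
    }
}

// Hardened pattern: only the owner may rebalance, and the rebalance reverts
// when the pool's spot price deviates from a trusted reference price by more
// than MAX_DEVIATION_BPS. The reference is assumed to come from an owner-fed
// TWAP or oracle, not from the same block's spot price.
contract HardenedController {
    IERC20 public immutable weth;
    IERC20 public immutable jimbo;
    IPool public immutable pool;
    address public immutable owner;

    uint256 public referencePrice;                   // JIMBO/WETH, scaled by 1e18
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5.00%

    error NotAuthorized(address caller);
    error ReferencePriceUnset();
    error PriceDeviationTooLarge(uint256 spot, uint256 reference);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized(msg.sender);
        _;
    }

    constructor(IERC20 weth_, IERC20 jimbo_, IPool pool_) {
        weth = weth_;
        jimbo = jimbo_;
        pool = pool_;
        owner = msg.sender;
    }

    function setReferencePrice(uint256 price) external onlyOwner {
        referencePrice = price;
    }

    // Pure helper so the tolerance rule can be unit-tested in isolation:
    // |spot - reference| / reference <= MAX_DEVIATION_BPS / 10_000.
    function priceWithinTolerance(uint256 spot, uint256 reference)
        public
        pure
        returns (bool)
    {
        uint256 diff = spot > reference ? spot - reference : reference - spot;
        return diff * 10_000 <= reference * MAX_DEVIATION_BPS;
    }

    function shift() external onlyOwner {
        if (referencePrice == 0) revert ReferencePriceUnset();
        uint256 spot = pool.spotPrice();
        if (!priceWithinTolerance(spot, referencePrice)) {
            revert PriceDeviationTooLarge(spot, referencePrice);
        }
        uint256 w = weth.balanceOf(address(this));
        uint256 j = jimbo.balanceOf(address(this));
        weth.approve(address(pool), w);
        jimbo.approve(address(pool), j);
        pool.addLiquidity(w, j);
    }
}
```

With a reference price of 1e18 and the 5% tolerance, priceWithinTolerance(1.04e18, 1e18) returns true and priceWithinTolerance(1.06e18, 1e18) returns false, so a shift() attempted after a large single-block price move reverts instead of moving the contract's balance. Both controls matter: the caller restriction removes the ability of an arbitrary account to choose when the rebalance happens, and the deviation check protects even an authorized call that lands in a block where the spot price has been pushed by a flash loan. The reference should be a time-weighted or oracle price rather than the pool's own instantaneous spot price, otherwise the check compares the manipulated value against itself.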


Source: blog.csdn.net/m0_37598434/article/details/130937707