The Arbitrum-based project Jimbos Protocol was attacked, with unknown actors withdrawing 4,090 ETH (more than $7.5 million at the time of writing), PeckShield analysts reported.
The project team confirmed the exploit. The developers said they are actively contacting law enforcement and security experts.
They also published a message on the Ethereum blockchain offering the hackers a 10% reward and an end to the pursuit in exchange for returning the stolen assets. As of writing, no funds had been sent to the address specified by the team.
PeckShield noted that the exploit was linked to a “slippage control deficiency” in relation to tokens under the protocol’s management. According to the analysts, the stolen funds were routed through the Stargate infrastructure and Celer Network.
Here comes the flow of stolen funds. @jimbosprotocol pic.twitter.com/HkUtTFZILv
— PeckShieldAlert (@PeckShieldAlert) May 28, 2023
Numen Cyber said the attackers took out a flash loan of 10,000 ETH to carry out the attack. These assets were used to manipulate the price of the JIMBO token, after which the liquidity pools were drained.
- The attacker initiated a flash loan of 10,000 $ETH as initial capital
- Then the $ETH was swapped for a significant amount of $Jimbo in the [ETH-Jimbo] causing a surge in the price of $Jimbo pic.twitter.com/7BauCRLqA0
— Numen Cyber (@numencyber) May 28, 2023
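To make the "slippage control deficiency" concrete, the following added example (not code from Jimbos Protocol, PeckShield or Numen Cyber) models a pool whose price is pushed up by a 10,000 ETH swap and shows a protocol-side trade executing with and without a minimum-output bound. The constant-product pricing, the reserve figures, the 1% tolerance and all function names are assumptions made for illustration; the article does not describe the protocol's contracts.

```python
from fractions import Fraction

class Pool:
    """Fee-free constant-product pool (x * y = k); an assumed pricing model."""
    def __init__(self, eth, token):
        self.eth, self.token = Fraction(eth), Fraction(token)

    def price(self):
        # Spot price of one token, in ETH.
        return self.eth / self.token

    def swap_eth_in(self, eth_in, min_out=0):
        # Tokens paid out for eth_in while keeping x * y constant.
        out = self.token - (self.eth * self.token) / (self.eth + eth_in)
        if out < min_out:
            raise ValueError("slippage: output below min_out")
        self.eth += eth_in
        self.token -= out
        return out

def guarded_min_out(reference_price, eth_in, max_slippage_bps):
    """Smallest acceptable output, derived from a price that is NOT the
    pool's current spot price (for example a time-weighted average)."""
    expected = Fraction(eth_in) / reference_price
    return expected * (10_000 - max_slippage_bps) / 10_000

def protocol_buy(pool, eth_in, reference_price=None, max_slippage_bps=100):
    """Hypothetical protocol operation that spends treasury ETH in the pool.
    Without a reference price it accepts whatever the pool pays out."""
    min_out = 0
    if reference_price is not None:
        min_out = guarded_min_out(reference_price, eth_in, max_slippage_bps)
    return pool.swap_eth_in(eth_in, min_out)

def scenario(manipulated, guarded):
    pool = Pool(1_000, 1_000_000)      # constructed reserves, not real data
    ref = pool.price()                 # stands in for an oracle/TWAP reading
    if manipulated:
        pool.swap_eth_in(10_000)       # swap the size of the reported flash loan
    try:
        return float(protocol_buy(pool, 10, ref if guarded else None))
    except ValueError:
        return None                    # trade reverted by the slippage bound

if __name__ == "__main__":
    for manipulated in (False, True):
        for guarded in (False, True):
            print(manipulated, guarded, scenario(manipulated, guarded))
```

In this model the large swap raises the spot price 121-fold, so the unguarded trade receives under 1% of the tokens it would get at the reference price, while the guarded trade reverts and still passes when the pool has not been moved.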
Jimbos Protocol originally launched on May 16. Shortly after launch, the team abandoned the first version of the protocol due to a critical bug in the smart contracts and unveiled a second iteration of the app.
According to DEX Screener, amid news of the hack, the JIMBO token price fell by 25%. As of writing, the asset trades near $0.18.
Earlier in May 2023, unknown actors withdrew assets worth $6 million from the Deus Finance DeFi protocol.
