SharkTeam: Analysis of Jimbos Protocol Lightning Loan Attack Principle

On May 28, 2023, Beijing time, Jimbos protocol fell victim to a lightning loan attack, with the attacker profiting approximately $7.5 million. SharkTeam promptly conducted a technical analysis of this incident and summarized security measures, hoping that future projects can learn from it and strengthen the security defenses of the blockchain industry.

1. Incident analysis

Attacker address: 0x102be4bccc2696c35fd5f5bfe54c1dfba416a741

Attack contract: 0xd4002233b59f7edd726fc6f14303980841306973

Attacked contract: 0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7

Attack transactions: 0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda

Attack process:

1. The attacker (0x102be4bc) borrows 10,000 ETH through flash loan.

2. Then exchange a large amount of Jimbo in the trading pool with ETH.

3. The attacker (0x102be4bc) transferred 100 JIMBO tokens to the attacked contract (0x271944d9)

4. Call the shift function of the attacked contract (0x271944d9).

5. Loop the above operation several times:

6. Finally, convert Jimbo to ETH and return the flash loan, and leave the market with a profit

Vulnerability analysis:

This attack takes advantage of the vulnerability in the JimboController (0x271944d9) contract. The shift function in it will allow the contract to perform the operations of removing liquidity and adding liquidity. When adding liquidity, the JimboController (0x271944d9) contract will send all the weth to add fluidity.

The attacker (0x102be4bc) used a large amount of weth to exchange a large amount of Jimbo coins in the liquidity pool in the second step, making the price of Jimbo in the pool very high, and then called the shift function in the JimboController (0x271944d9) contract to add liquidity Sexual operation will send all the weth in the contract to the liquidity pool (including the original weth in the contract). At this time, the number of weth in the pool increases but the price of Jimbo is still high, and the attacker (0x102be4bc) will second himself The Jimbo coins swapped out in the first step can be exchanged for weth, and the pool’s own weth and the weth sent by the JimboController (0x271944d9) contract can be swapped out together.

Summary of the incident:

The reason for this incident is that there is a loophole in the shift function of the JimboController (0x271944d9) contract. Anyone can call this function to make the contract add liquidity to the pool, and all the weth in the contract will be sent to add liquidity, regardless of No matter how the price is manipulated, the contract can be used to receive orders.

2. Security Recommendations

In light of this attack incident, we should adhere to the following considerations during the development process:

1. Exercise greater caution regarding the risk of price manipulation when developing functions related to liquidity addition and removal.

2. Prior to project deployment, it is essential to engage a third-party professional auditing team for smart contract audits.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.Official website:


All Comments

Recommended for you

  • Valkyrie Ethereum Futures ETF Receives U.S. SEC Approval

    The US SEC has approved Valkyrie to convert its existing Bitcoin futures ETF to a Bitcoin and Ethereum futures ETF. The new fund will be renamed "Valkyrie Bitcoin and Ethereum Strategy ETF" and will take effect on October 3, with the code still being BTF.

  • AlphaSense Raises $150M in Series E Funding Round Led by BOND and Alphabet's CapitalG

    AlphaSense, a B2B AI platform focused on business intelligence and search, has completed a successful Series E funding round, raising $150 million. The round was led by BOND and included investments from Alphabet's CapitalG, Goldman Sachs, and Viking Global. AlphaSense's valuation has grown from $1.7 billion to $2.5 billion since its Series D funding round in June 2023. The platform uses machine learning to provide deep insights into business and finance analytics, offering "insights-as-a-service." The latest investment will allow AlphaSense to continue leading the generative AI revolution in the B2B sector.

  • web3 startup IYK raises $16.8 million in seed funding, led by A16z Crypto

    Web3 startup IYK has raised $16.8 million in seed funding, with A16z Crypto leading the way and other investors including 1kx, Collabcurrency, Lattice Capital, and gmoney. According to its website, IYK is a participant in the a16z Crypto Startup School, which is an accelerator program from the venture capital giant that typically invests $500,000 in participating startups in exchange for 7% equity. IYK says that it has recruited over 100 creators from industries such as fashion, music, and art since its founding in 2021. To attract more brands and creators, it is launching a self-service platform to help create digital physical experiences.

  • Oracle project Supra completed over US$24 million in financing, with participation from Animoca Brands and Coinbase Ventures.

    On September 28th, Supra, a provider of oracle and VRF services, announced that it had completed a funding round of over $24 million. Investors in this round include Animoca Brands, BCW, Coinbase Ventures, FiveT Fintech (formerly Avaloq Ventures), Galaxy Interactive, Hashed, HashKey, Huobi Ventures, No Limit Holdings, Prosus Ventures,, Republic Crypto, Shima Capital, Signum Capital, SMO Capital, Sound Ventures, Sublime Ventures, UOB Venture Management (Dahua Bank), and Valor Equity Partners.

  • Hong Kong police arrested three people again in connection with the JPEX case, bringing the total number of arrests to 15

    Hong Kong police arrested three more people related to the JPEX case, including one director and one employee of the overseas exchange Lupin, and one popular analyst from a foreign currency exchange shop. The total number of arrests is now 15. The police have received a total of 2,392 reports, involving a total amount of nearly 1.5 billion yuan, and have frozen 77 million yuan in assets. 

  • The EU will collect data proving that cryptocurrency PoW mechanisms "seriously" harm the environment and plans to develop sustainability standards

    On September 28th, the European Commission released a tender contract worth 800,000 euros (approximately $842,000) aimed at mitigating the "significant harm" that cryptocurrency poses to the environment. The research, which will end on November 10th, will establish standards that will be incorporated into potential future EU policies to curb the impact of cryptocurrency on climate change and develop new energy efficiency labels for blockchain. The European Commission stated in the tender document that "there is evidence that crypto-assets can cause significant damage to the climate and the environment," which could undermine the EU's greenhouse gas reduction targets, indicating that new sustainable development standards may be adopted in the future. EU legislators are concerned about the energy-intensive PoW consensus mechanism that supports blockchain such as Bitcoin. The EU's research will be completed within a year and will study green issues related to the use of water, waste, natural resources, and energy by cryptocurrencies. (CoinDesk)

  • Brazil’s cryptocurrency trading volume in July was US$3.7 billion, with USDT trading accounting for 81.6%

    According to data from the Federal Tax Authority, cryptocurrency transactions in Brazil reached 18.8 billion Brazilian real (approximately 3.7 billion US dollars) in July, a decrease of 11.4% compared to the previous month. The three highest transaction volumes were stablecoins, with USDT accounting for 15.3 billion Brazilian real, or 81.6% of the total transaction volume, followed by USDC (838 million Brazilian real) and Brazilian real stablecoin BRZ (641 million Brazilian real). 

  • Bitcoin price to $30K in October, says analyst as BTC price climbs 2%

    BTC price strength returns ahead of Wall Street trading, with $27,000 in Bitcoin bulls’ crosshairs.

  • The National Blockchain Industry Industry-Education Integration Community was established in Xiongan New Area

    National Blockchain Industry Production-Education Integration Community Establishment Conference was held in Xiong'an New Area on September 27. The National Blockchain Industry Production-Education Integration Community is jointly formed by Xiong'an Guochuang Center Technology Co., Ltd., Southwest University of Finance and Economics, Hebei Software Vocational and Technical College, and other units under the guidance of the Vocational and Adult Education Department of the Ministry of Education, the Education and Examination Center of the Ministry of Industry and Information Technology, and the China Association of Small and Medium Enterprises, together with relevant industry associations, enterprises, undergraduate colleges, vocational colleges, scientific research institutes and other units. The establishment of the National Blockchain Industry Production-Education Integration Community aims to gather high-quality production-education resources and establish a new type of production-education integration organization to support the development of the blockchain industry, promote industrial development and talent cultivation, effectively promote the deep integration of industry and education, improve the quality of talent cultivation, better meet the development needs of the blockchain industry, and effectively promote economic and social development.

  • Slope, a Fintech Startup Backed by the Founder of Worldcoin, Completed $30 Million in Financing

    Slope, a financial technology startup supported by Worldcoin founder Sam Altman, announced the completion of a $30 million financing round, with participation from Y Combinator, monashees, and a group of angel investors in the financial technology field. It is reported that Sam Altman and Union Square Ventures jointly led Slope's previous $24 million Series A financing round. So far, the company's total financing amount has reached $187 million.