Jimbo's Protocol - Monday, May 28, 2023


    Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol maintains a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). Despite its pioneering approach to keeping liquidity and the price floor on-chain, Jimbo's Protocol recently suffered a flash loan attack. On May 28, 2023, an attacker exploited a loophole in the protocol's slippage control mechanism and walked away with approximately $7.5 million in ETH.

    Hack Impact

    The attack had immediate and severe consequences for Jimbo's Protocol and its community. The attacker successfully drained a large portion of the treasury's ETH, affecting the protocol's stability and trustworthiness. The incident led to a sharp 40% decline in the value of $JIMBO, eroding the token's market position and investor confidence.

    What is Liquidity Rebalancing?

    In decentralized finance (DeFi), liquidity rebalancing is the process of reallocating assets within a liquidity pool to ensure efficient capital utilization and smooth price discovery. In simple terms, it means making sure there's enough "money" in the right places in a trading pool to make trades easy and fair.

    What is Slippage?

    Slippage occurs when the price of an asset changes between the time you place an order and the time the order is fulfilled. In DeFi, it's particularly important to control slippage to prevent significant price fluctuations that could result from large trades.

    How Does Rebalancing Work in $JIMBO?

    In $JIMBO's case, rebalancing happens via three primary functions: Shift(), Reset(), and Recycle(). These are triggered based on the state of three kinds of bins: the Floor Bin, the Active Bin, and the Trigger Bin.

    • Floor Bin: The bin with the lowest price per token (in ETH). It guarantees a minimum price for the token.
    • Active Bin: The bin where $JIMBO is currently being traded.
    • Trigger Bin: The bin that triggers a rebalance when emptied.

    Understanding the Shift() Function in $JIMBO Protocol

    The Shift() function plays a crucial role in the $JIMBO protocol, automatically activating when the Active Bin (the pool bin where the current trading price resides) moves past the Trigger Bin. The function performs two primary actions:

    • Redistributes ETH Liquidity: 10% of the total Ethereum (ETH) liquidity in the pool is allocated to Anchor Bins, which are designed to stabilize the current market price.
    • Allocates to Floor Bin: The remaining 90% of the total ETH liquidity is moved to the Floor Bin, which is the bin with the lowest price guaranteed by the protocol.

    Simultaneously, the Shift() function also invokes a Reset() function call to redistribute the remaining $JIMBO tokens within the pool.

    For more comprehensive insights into how these bins operate within the protocol, please refer to this Link

    A Detailed Look at the Attack Mechanics

    Step 1: Obtain Initial Funds

    • The attacker starts by taking a flash loan of 10,000 ETH from AAVE.

    Step 2: Inflate $JIMBO Price

    • The attacker uses this 10,000 ETH to purchase $JIMBO tokens, causing the Active Bin to shift significantly. This moves the Active Bin well past the Trigger Bin, which initiates a rebalance via the Shift() function.

    Step 3: Transfer Tokens to Contract

    • The attacker then transfers 100 $JIMBO tokens to the JimboController contract. Due to the artificially inflated price, these tokens are now worth a large amount of ETH.

    Step 4: Invoke Shift()

    • Now the attacker calls the Shift() function. Because the Active Bin is at an inflated price, the rebalance redeploys liquidity based on this skewed data. As a result, a significant amount of ETH (90% of the total pool) is moved to the new Floor Bin at the inflated price level.

    Step 5: Crash the Market Price

    • Next, the attacker sells a large amount of $JIMBO tokens, causing the price to plummet.

    Step 6: Trigger Another Rebalance

    • After crashing the market price, the attacker triggers another Shift() call. This again moves a significant amount of ETH into a Floor Bin, but at a much lower price level than before.

    Step 7: Exploit and Profit

    • Lastly, the attacker buys $JIMBO tokens at this depressed price; against the ETH the protocol has just placed in the bins, these tokens are worth significantly more. They convert the tokens back into ETH at a considerable profit.

    The attacker then repays the ETH borrowed through the flash loan, retaining a net gain of roughly $7.5 million.

    Vulnerability Analysis

    The critical flaw was the absence of slippage controls in the Shift() function: nothing checked whether the Active Bin's price reflected genuine market activity or a single-transaction pump, so the attacker could trigger rebalancing at artificial price levels. Once liquidity had been redeployed at those inflated prices, the attacker could swing the market the other way and buy tokens at a much lower cost, pocketing the difference.

    Transaction involved

    Attacker's Addresses:

    Attacker’s Address(ETH)

    Notable Transactions:

    Attacker Contract:

    JimboController Contract
    Attack Transaction

    JIMBO's response to the hack

    The protocol also sent an on-chain message to the hacker.

    How to Prevent Such Exploits

    A more robust rebalancing mechanism that includes proper slippage control (for example, refusing to rebalance when the Active Bin's price deviates sharply from a time-weighted reference) could likely have prevented this exploit. By undergoing a comprehensive security audit, potentially from firms like BlockApex, protocols can identify and address such vulnerabilities before they are exploited.
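The Python model below is an added illustration and is not code from Jimbo's Protocol or BlockApex. It covers both the Shift() behaviour described earlier (rebalance fires once the Active Bin is past the Trigger Bin; 10% of pool ETH goes to anchor bins and 90% to the Floor Bin) and the slippage control this section argues for. Everything other than that 10%/90% split and the trigger condition is an assumption: the `Pool` fields, the `FLOOR_DISCOUNT` used to place the new floor bin, the `MAX_DEVIATION` limit, the `reference_price` (a stand-in for a TWAP or last-block price), the function names, and all pool numbers are constructed for the example.

```python
"""Toy model of a Shift()-style rebalance with a price-deviation guard.

Added illustration; this is not Jimbo's Protocol code. The 10% / 90% split and
the "active bin past trigger bin" condition come from the write-up; the pool
numbers, the floor discount, the deviation limit and every name below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Tuple

ANCHOR_SHARE = 0.10      # share of pool ETH moved to anchor bins (per the write-up)
FLOOR_SHARE = 0.90       # share of pool ETH moved to the floor bin (per the write-up)
FLOOR_DISCOUNT = 0.50    # assumption: the new floor bin sits at half the active price
MAX_DEVIATION = 0.20     # assumption: refuse a shift if spot moved >20% vs reference


class ShiftRejected(Exception):
    """Raised when the guarded rebalance refuses to run at a suspicious price."""


@dataclass
class Pool:
    eth_liquidity: float     # total ETH held across the pool's bins
    active_price: float      # ETH per token in the bin currently being traded
    trigger_price: float     # price of the trigger bin; crossing it arms a rebalance
    floor_price: float       # price of the current floor bin
    reference_price: float   # stand-in for a TWAP / last-block price the guard trusts
    anchor_eth: float = 0.0  # ETH parked in anchor bins after the last shift
    floor_eth: float = 0.0   # ETH parked in the floor bin after the last shift


def make_pool(eth: float = 1000.0, price: float = 1.0) -> Pool:
    """Constructed starting state: trigger 5% above spot, floor at half of spot."""
    return Pool(eth_liquidity=eth, active_price=price, trigger_price=price * 1.05,
                floor_price=price * FLOOR_DISCOUNT, reference_price=price)


def shift_unguarded(pool: Pool) -> bool:
    """Shift() as the write-up describes it: no check on *why* the price moved.

    Returns False when the active bin has not crossed the trigger bin, True after
    the ETH has been redeployed around whatever the active price is right now.
    """
    if pool.active_price <= pool.trigger_price:
        return False
    pool.anchor_eth = pool.eth_liquidity * ANCHOR_SHARE
    pool.floor_eth = pool.eth_liquidity * FLOOR_SHARE
    # The floor is re-anchored to the current (possibly manipulated) price.
    pool.floor_price = pool.active_price * FLOOR_DISCOUNT
    pool.trigger_price = pool.active_price * 1.05
    return True


def shift_guarded(pool: Pool, max_deviation: float = MAX_DEVIATION) -> bool:
    """Same rebalance, but refuse to run when spot is far from the reference price.

    A single-transaction pump moves active_price but not a TWAP or last-block
    reference, so the deviation check stops the rebalance from locking 90% of
    the ETH into a floor bin priced off the manipulated spot.
    """
    deviation = abs(pool.active_price / pool.reference_price - 1.0)
    if deviation > max_deviation:
        raise ShiftRejected(
            f"active price deviates {deviation:.0%} from reference; rebalance refused")
    moved = shift_unguarded(pool)
    if moved:
        pool.reference_price = pool.active_price  # only trusted moves update the reference
    return moved


def organic_move() -> Tuple[bool, float, float]:
    """Spot drifts 10% above the reference and past the trigger: shift is allowed."""
    pool = make_pool()
    pool.active_price = 1.10
    shifted = shift_guarded(pool)
    return shifted, pool.floor_eth, pool.floor_price


def manipulated_move() -> Tuple[bool, float, str]:
    """Spot is pushed 5x within one transaction: unguarded shifts, guarded refuses."""
    unguarded = make_pool()
    unguarded.active_price = 5.0
    unguarded_shifted = shift_unguarded(unguarded)   # floor re-priced off the pumped spot
    guarded = make_pool()
    guarded.active_price = 5.0
    try:
        shift_guarded(guarded)
        outcome = "shifted"
    except ShiftRejected:
        outcome = "rejected"
    return unguarded_shifted, unguarded.floor_price, outcome


if __name__ == "__main__":
    print("organic:", organic_move())          # (True, 900.0, 0.55)
    print("manipulated:", manipulated_move())  # (True, 2.5, 'rejected')
```

The deviation check is only one form of slippage control; a production design would pair it with a reference that cannot be moved within the same transaction (a TWAP over several blocks) and a cooldown so that Shift() cannot fire twice in quick succession, which is the pattern the attack steps above rely on.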


    The Jimbo's Protocol incident serves as a cautionary tale that even innovative DeFi protocols are vulnerable to sophisticated attacks. It highlights the importance of comprehensive security audits, a service that BlockApex specializes in, to identify and mitigate vulnerabilities in DeFi protocols. As the DeFi sector continues to evolve, so should its security measures, to protect investor interests and maintain system integrity.
