Jimbo's Protocol - Monday, May 28, 2023

Table Of Content



Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack. On May 28, 2023, a sophisticated attacker managed to exploit a loophole in the protocol's slippage control mechanism, walking away with approximately $7.5 million in ETH.

Hack Impact

The attack had immediate and severe consequences for Jimbo's Protocol and its community. The attacker successfully drained a large portion of the treasury's ETH, affecting the protocol's stability and trustworthiness. The incident led to a sharp 40% decline in the value of $JIMBO, eroding the token's market position and investor confidence.

What is Liquidity Rebalancing?

In decentralized finance (DeFi), liquidity rebalancing is the process of reallocating assets within a liquidity pool to ensure efficient capital utilization and smooth price discovery. In simple terms, it means making sure there's enough "money" in the right places in a trading pool to make trades easy and fair.

What is Slippage?

Slippage occurs when the price of an asset changes between the time you place an order and the time the order is fulfilled. In DeFi, it's particularly important to control slippage to prevent significant price fluctuations that could result from large trades.

How Does Rebalancing Work in $JIMBO?

In $JIMBO's case, rebalancing happens via three primary functions: Shift(), Reset(), and Recycle(). These are triggered based on the state of different bins—Floor Bin, Active Bin, and Trigger Bin.

  • Floor Bin: The bin with the lowest price per token (in ETH). It guarantees a minimum price for the token.
  • Active Bin: The bin where $JIMBO is currently being traded.
  • Trigger Bin: The bin that triggers a rebalance when emptied.

Understanding the Shift() Function in $JIMBO Protocol

The Shift() function plays a crucial role in the $JIMBO protocol, automatically activating when the Active Bin (the pool bin where the current trading price resides) moves past the Trigger Bin. The function performs two primary actions:

  • Redistributes ETH Liquidity: 10% of the total Ethereum (ETH) liquidity in the pool is allocated to Anchor Bins, which are designed to stabilize the current market price.
  • Allocates to Floor Bin: The remaining 90% of the total ETH liquidity is moved to the Floor Bin, which is the bin with the lowest price guaranteed by the protocol.

Simultaneously, the Shift() function also invokes a Reset() function call to redistribute the remaining $JIMBO tokens within the pool.

For more comprehensive insights into how these bins operate within the protocol, please refer to this Link

A Detailed Look at the Attack Mechanics

Step 1: Obtain Initial Funds

  • The attacker starts by initiating a flash loan to borrow, 10,000 ETH from AAVE.

Step 2: Inflate $JIMBO Price

  • The attacker uses this 10,000 ETH to purchase $JIMBO tokens, causing the Active Bin to shift significantly This shifts the Active Bin well past the Trigger Bin, which initiates a rebalance via the Shift() function.

Step 3: Transfer Tokens to Contract

  • The attacker then transfers 100 $JIMBO tokens to the JimboController contract.  Due to the artificially inflated price, these tokens are highly valuable in terms of ETH.

Step 4: Invoke Shift()

  • Now, the attacker calls the Shift() function. Because the Active Bin is now at an inflated price, this rebalancing action redeploys liquidity based on this skewed data. As a result, a significant amount of ETH (which is 90% of the total pool) is moved to the new Floor Bin at this inflated price level.

Step 5: Crash the Market Price

  • Next, the attacker sells a significant amount of $JIMBO tokens, causing the price to plummet drastically

Step 6: Trigger Another Rebalance

  • After crashing the market price, the attacker triggers another Shift() function. This redistributes a significant amount of ETH to a Floor Bin but at a much lower price level than before.

Step 7: Exploit and Profit

  • Lastly, the attacker buys $JIMBO tokens at this depressed price, which are worth significantly more in terms of ETH. They convert these tokens back into ETH, making a considerable profit.

The attacker then returns the initial ETH borrowed through the flash loan, retaining a substantial net gain of 7.5 million.

Vulnerability Analysis

The critical flaw was the absence of slippage controls in the Shift() function, enabling the attacker to trigger rebalancing actions at artificial price levels. Once liquidity was redeployed at these inflated prices, the attacker could then manipulate the market to purchase tokens at a much lower cost, making a substantial profit in the process.

Transaction involved

Attacker's Addresses:

Attacker’s Address(ETH)

Notable Transactions:

Attacker Contract:

JimboController Contract
Attack Transaction

JIMBO's response to the hack


The protocol also sent an On chain message to the hacker

How to Prevent Such Exploits

A system with a more sophisticated rebalancing mechanism that includes proper slippage control, could have likely prevented this exploit. By undergoing a comprehensive security audit, potentially from firms like BlockApex, protocols can identify and address these vulnerabilities before they're exploited.


The Jimbo Protocol incident serves as a cautionary tale that even innovative DeFi protocols are vulnerable to sophisticated attacks. This event highlights the importance of comprehensive security audits, a service that BlockApex specializes in, to identify and mitigate vulnerabilities in DeFi protocols. As the DeFi sector continues to evolve, so should its security measures to protect investor interests and maintain system integrity.

More Audits

The Big Fuzz Theory: Fuzzing Primer

Fuzz testing, or fuzzing, is a technique used to improve the security of software, including smart contracts in Solidity. It involves supplying random or unexpected data as inputs to a system in an attempt to break it and uncover vulnerabilities that manual testing might miss. Fuzzers generate a set of inputs for testing scenarios that may have been missed during unit testing, helping to identify bugs and potential security issues.

Dforce Network - February 13, 2023

The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

Platypus Finance - February 16, 2023

On February 17, 2023, Platypus Finance was hacked, resulting in a loss of approximately $8.5 million worth of assets. In this hack analysis, we will delve into the details of the attack, the vulnerability that was exploited, and the impact it had on the platform and its users.

Tornado Cash: A Force For Good Or Evil?

The dual nature of Tornado Cash brings forth layers of doubt surrounding its morality. Who benefits more from using Tornado Cash? The average man concerned about his privacy, or a criminal with millions of dollars worth of stolen funds?

Off-Chain Security: A Rising Reason For Recent Hacks?

An off-chain transaction deals with values outside the blockchain and can be completed using a lot of methods. To carry out any kind of transaction, both functioning entities should first be in agreement, after that a third-party comes into the picture to validate it.

Smart Contract Audit Report: Chrysus

Project Chrysus aims to be a fully decentralized ecosystem revolving around Chrysus Coin. Chrysus Coin (Chrysus) is an ERC20 token deployed on the Ethereum network, which is pegged to the price of gold (XAU/USD) using Decentralized Finance (DeFi) best practices. The ecosystem around Chrysus will involve a SWAP solution, a lending solution, and an eCommerce integration solution allowing for the use of Chrysus outside of the DeFi ecosystem.

Stablecoins: Riskless Investment or Financial Fraud?

On the surface, stablecoins sound like a dream come true for crypto investors. However, digging a little deeper raises several questions about their backing. At the end of the day, can the companies selling them even be trusted?

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing comprises of information about compilation breakdown of solidity code, the vulnerable components of blockchain ecosystem and how Smart contract auditing is crucial.

The DAO Dichotomy: Public Interest Or Personal Gain?

DAOs can be seen as the next step in achieving this vision, eliminating the use of intermediaries in corporate governance. Functioning via an interconnected network of smart contracts, these Decentralized Autonomous Organizations are essentially communities that are fully managed and owned by their members.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023