Jimbos Protocol hacked for over $7.5 million using flash loan exploit

Shortly after it fell victim to a hack, Arbitrum-based Jimbos Protocol has decided to seek the help of security researchers and on-chain analysts who collaborated on investigating similar attacks which targeted protocols such as Euler Finance and Sentiment.

“We are already working with multiple security researchers and on-chain analysts who helped with both the Euler Finance and Sentiment exploits,” Jimbos Protocol said in a tweet on May 28. “We will start working with law enforcement agencies tomorrow by 4PM UTC if this isn’t sorted out by then.”

Earlier that day, blockchain security company PeckShield rang the alarm bells after it discovered that an exploiter had bridged the stolen funds, valued at some ETH 4,048, or about $7.5 million at that time, to Ethereum.  

The available data indicates that the hacker used a loophole in the protocol’s code to carry out a flash loan.

In a subsequent tweet, the protocol said that its cooperation with security experts, bridges, and exchanges has enabled the team to identify “promising leads, and one in particular.”

“We hope the attacker will *voluntarily* cooperate – before they have no choice but to once we pass their info,” according to the protocol. 

On May 29, the hacked protocol tweeted its offer to the suspected hacker, declaring that it was open to reaching a mutually satisfactory understanding with them, as Jimbos Protocol’s team “don’t want anyone’s lives ruined, but given no choice, we will do what we say.” The offer comprises both a carrot and a stick. 

“To the attacker: keep a fast $800k payday, and live to tell the tale. We won’t pursue you if you send back the 90%. But if you don’t, we won’t stop until you’re behind bars,” Jimbos Protocol said in a tweet in which it also invited the hacker to communicate with the protocol via a secure e-mail address. 

The Euler Finance hack saw the protocol fall victim to a flash loan attack in March 2023, causing the loss of around $200 million worth of digital assets. However, in a surprising development, the exploiter has returned a major portion of the stolen funds to the hacked protocol.

Jimbo Protocol’s official site states “$JIMBO is designed to work as an ERC-20 token with a semi-stable floor price. $JIMBO runs autonomously from day 1, with everything fully functional. There will be no future updates or changes to $JIMBO after it launches.”