Jimbos Protocol, a liquidity protocol within the Arbitrum ecosystem, was hit with a flash loan attack over the weekend that led to the loss of 4,000 Ethereum (ETH) tokens worth approximately $7.5 million.
According to blockchain security firm PeckShield, the attacker appears to have exploited a flaw in the protocol's code to carry out a flash loan. The hacker took advantage of the lack of slippage control on liquidity conversions in the Jimbos Protocol system, which allowed them to execute reverse swaps for a profit.
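What a slippage control on a conversion looks like in practice, as an added example that is not Jimbos Protocol's code or PeckShield's analysis: a constructed constant-product pool with no fees, where the conversion is executed once without a minimum-output check and once with one. The class and function names, the reserves and the 1% tolerance are all assumptions made for illustration.

```python
"""Constructed model, not Jimbos Protocol code: constant-product pool, no fees."""

class SlippageExceeded(Exception):
    pass

class Pool:
    def __init__(self, token_reserve, eth_reserve):
        self.token, self.eth = token_reserve, eth_reserve

    def quote(self, tokens_in):
        """ETH paid out for tokens_in at the current reserves (x * y = k)."""
        return self.eth * tokens_in / (self.token + tokens_in)

    def swap(self, tokens_in):
        eth_out = self.quote(tokens_in)
        self.token += tokens_in
        self.eth -= eth_out
        return eth_out

def convert_unchecked(pool, tokens_in):
    """Weak form: accepts whatever the pool pays at the moment of the call."""
    return pool.swap(tokens_in)

def convert_checked(pool, tokens_in, reference_price, max_slippage_bps=100):
    """Hardened form: refuse if the quote is below reference value minus tolerance.
    reference_price (ETH per token) is assumed to come from a source that cannot
    be moved inside one transaction, such as a time-weighted average."""
    min_out = tokens_in * reference_price * (10_000 - max_slippage_bps) / 10_000
    quoted = pool.quote(tokens_in)
    if quoted < min_out:
        raise SlippageExceeded(f"quote {quoted:.4f} ETH < minimum {min_out:.4f} ETH")
    return pool.swap(tokens_in)

if __name__ == "__main__":
    REFERENCE = 0.01  # constructed: 1,000 ETH / 100,000 tokens in a balanced pool
    print(convert_checked(Pool(100_000, 1_000), 100, REFERENCE))  # balanced pool
    print(convert_unchecked(Pool(400_000, 250), 100))  # reserves skewed, same k
    try:
        convert_checked(Pool(400_000, 250), 100, REFERENCE)
    except SlippageExceeded as exc:
        print("rejected:", exc)
```

With the reserves skewed, the unchecked conversion settles for roughly a sixteenth of the reference value, while the checked one reverts and leaves the pool untouched.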
The attackers withdrew 4,090 ETH from the Arbitrum network and subsequently used bridges such as Stargate and Celer Network to transfer approximately 4,048 ETH to the Ethereum network, PeckShield said.
Jimbos Protocol has confirmed the incident on its official Twitter page and said it has launched an investigation into the issue. On May 28, Jimbos’ team offered to let the exploiter behind the attack keep 10% of the stolen funds and return the other 90%, warning that otherwise the team “won’t stop” until the attacker is “behind bars.” A day later, the team announced it had “identified promising leads, and one in particular” that may allow Jimbos to identify the attacker.
“Over the past 24 hours, we’ve been working with security experts, bridges, and exchanges. Thanks to their help, we’ve identified promising leads, and one in particular. We hope the attacker will *voluntarily* cooperate - before they have no choice but to once we pass their info,” the team said.