Jimbos Protocol Loses $7.5M in Ether Due to Security Breach, JIMBO Token Value Plummets

Security breach in Jimbos Protocol, a liquidity protocol operating under the Arbitrum system, resulted in a significant loss of 4,000 Ether (ETH), approximately worth $7.5 million, on May 28. Blockchain security firm, PeckShield, discovered the breach, highlighting the critical need for enhanced security measures in cryptocurrency platforms.

The hacker reportedly exploited a loophole in the lack of slippage control on liquidity conversions in the Jimbos Protocol system. This security gap allows for an inequality in the protocol’s liquidity investment within the price range, providing an opportunity for attackers to manipulate swap orders for personal profit.

Launched less than three weeks ago, Jimbos Protocol was created to mitigate issues surrounding liquidity and token price volatility through a new testing approach. Despite its promising intent, the protocol’s mechanism was not sufficiently developed, presenting a logical vulnerability that ultimately exposed it to cyber threats.

In the wake of this security breach, the value of the protocol’s underlying token, Jimbo (JIMBO), has seen a sharp decrease, dropping by 40%, as revealed in a tweet by PeckShield.

” #PeckShieldAlert $JIMBO has dropped -40%”

The attacker transferred the stolen token, worth around $7.5 million, to Ethereum. The funds are currently located at the Ethereum address listed on Etherscan.io. “#PeckShieldAlert The @jimbosprotocol exploiter has bridged the stolen funds (4,048 $ETH valued at ~$7.5M) to Ethereum and they are located at https://etherscan.io/address/0x5f3591e2921d5c9291f5b224e909ab978a22ba7e”

The impact of this security breach echoes the imperative for robust security systems within cryptocurrency platforms, particularly those newly launched. As the aftermath unfolds, the Jimbos Protocol team will undoubtedly be prompted to review and strengthen their security infrastructure to prevent similar incidents in the future.


Tagged : / / / /

DeFi Hackers Mint $11.6M in Stablecoins

A recent hack in the decentralized finance (DeFi) space allowed an attacker to mint over 1 quadrillion Yearn Tether (yUSDT) from a mere $10,000, according to blockchain security firm PeckShield. The attacker then exchanged the yUSDT for other stablecoins, taking hold of $11.6 million in the process. The stablecoins included 61,000 Pax Dollar (USDP), 1.5 million TrueUSD (TUSD), 1.79 million Binance USD (BUSD), 1.2 million Tether (USDT), 2.58 million USD Coin (USDC), and 3 million Dai (DAI).

PeckShield reported that the hacker has already transferred 1,000 Ether (ETH) to Tornado Cash, a sanctioned cryptocurrency mixer. The blockchain security firm also informed DeFi protocols Aave and Yearn.finance of the situation.

Yearn.finance released a statement after conducting an initial investigation, stating that the issue was limited to iearn, an outdated contract before vaults v1 and v2. The DeFi protocol assured its users that its current contracts and protocols are not affected by the exploit.

Similarly, Aave also confirmed that it is aware of the transaction. The liquidity protocol clarified that the hack did not impact Aave v1, v2 or v3.

While hacks still plague the DeFi space in 2023, the amount of money lost to these incidents has decreased compared with previous years. According to a quarterly report by blockchain security firm CertiK, over $320 million were lost to hacks in the first quarter of 2023. Although this amount is still substantial, it is much lower compared to the first quarter of 2022 when $1.3 billion was lost, and the fourth quarter of 2022 when $950 million was lost to hacks.

Despite the decrease in the amount lost to DeFi hacks, these incidents still serve as a reminder of the importance of security measures in the space. PeckShield’s quick detection of the recent hack and Aave and Yearn.finance’s prompt action in addressing the issue demonstrate that the DeFi space is continuously improving its security measures.

As the DeFi space grows, it is likely that there will be more attempts to exploit vulnerabilities in the system. However, with increased awareness and investment in security measures, the space can continue to thrive and offer innovative solutions to traditional finance.


Tagged : / / / / /

Tornado Cash Used to Siphon $500k from Hacked DAO Maker – PeckShield

Blockchain Security Company PeckShield and Crypto Security Specialist, CertiK have announced that a hacker laundered $500,000 DAI stablecoins via Tornado Cash.


The leading crypto security firms disclosed via a Twitter post that the laundering is connected to an Ethereum wallet address suspected of a similar exploit in 2021. 


Meanwhile, DAO Maker, a crypto funding website, experienced a hack on its website in August 2012. The hack happened as a result of a bug on the platform smart contract. More than $7 million worth of stablecoins was carted away by the hacker. The siphoned funds were disbursed to addresses authorized by the hacker. 


A few months after the event happened, one of the addresses that were flagged by Etherscan as one of the exploiters of DAO Maker transferred $500,000 worth of DAI stablecoins through Tornado Cash. Hackers often funnel stolen assets through Tornado Cash because it allows them to obscure the transactional activity. 


OFAC Sanctions Tornado Cash  


Interestingly, as a result of the United States Treasury Department of Foreign Assets Control, (OFAC), the sanction of Tornado Cash made headlines recently. As a result of the sanctions, the application is not accessible to any US-based persons or organizations due to its potential for money laundering.


No real change has occurred, even though the government has pronounced sanctions on individuals that violate the sanction. The application has not ceased to experience usage by hackers of decentralized finance protocols, as seen on Thursday and in other recent happenings. 

On August 19, blockchain security firm PeckShield revealed that an address connected to a December 2021 Grim Finance scam had transferred about $3.3 million into Tornado Cash. Subsequently, on September 6, the MonoX Finance scammer utilized Tornado Cash to launder $2.1 million


Initially, Tornado was developed with the intention of protecting the privacy of Ethereum users, but it has now been compromised by hackers who laundered money through the platform illegally.

As per a study by the United States Treasury Department, since Tornado’s establishment in 2019, nefarious criminals, including North Korea’s Lazarus crime syndicate, have exploited it to transact more than $7 billion worth of cryptocurrency.

Image source: Shutterstock


Tagged : / / / /

Almost $5m Withdrawn from ZB.com in Possible Hack

Crypto exchange ZB.com has fallen victim to a possible hack as $4.8 million was withdrawn from its hot wallet, according to security firm PeckSheild.


The money was removed after the suspension of withdrawals from ZB.com, PeckShield reported.

The crypto exchange had halted client withdrawals on Tuesday, citing “temporary maintenance” of the platform, following which the suspected hacking incident was executed.

“Due to the sudden failure of some core applications, it still takes time to troubleshoot the problem. Deposit and withdrawal services are now suspended. Please do not deposit any digital currency before recovery,” ZB.com said in a statement.

PeckShield announced on Twitter that over 20 crypto tokens, including SHIB, USDT, and MATIC, were moved from ZB.com’s hot wallet to another address on Tuesday, which later liquidated all but five tokens.

The tokens were then sold on various decentralised exchanges for 2,224 ETH ($3.6 million), and the potential hacker then moved the funds to another address.

ZB.com deals with over $1 billion in trades every day and calls itself “the world’s most secure digital asset exchange.”

Meanwhile, another suspected wallet controlled by the potential hacker still holds around $1 million worth of the remaining five tokens. This wallet contained ZB.com’s funds from where it was first moved.

ZB.com is one of the oldest crypto exchanges. Formerly known as CHBTC.com, the company had to relocate from China after the country banned crypto trading in 2017. ZB.com is now relocated to Zurich, Switzerland, and has offices in Dubai, Malaysia, Singapore, Australia, Russia, South Korea, Hong Kong and the United States.

Hacks in the crypto industry have become rampant. According to a report from Blockchain.News, hackers targeting the Solana ecosystem drained thousands of crypto wallets of funds on Wednesday.

The hack was executed after a flaw was exploited to suck out cryptocurrencies from 8,000 crypto wallets where owners stored their funds, the Solana Foundation announced. The report added that wallet providers, including Slope and Phantom, were also affected.

According to PeckShield, an estimated amount of about $8 million was stolen from four Solana wallets.

While earlier this week, bridge protocol firm Nomad lost around $200 million in security exploit hack. Nomad is a bridge protocol for transferring crypto tokens across different blockchains.

According to a June report from Elliptic, more than $1 billion has been stolen from bridges in 2022.

While in 2020, criminals stole $285 million in crypto from popular exchange KuCoin.

Image source: Shutterstock


Tagged : / / / /

BSC, Ethereum DeFi Projects Hit in $14.4M Hack

Key Takeaways

  • An unknown hacker drained $14.4 million from Dego Finance and Cocos-BCX last night.
  • Dego confirmed the attack in an update and denied that it was an inside job.
  • The nature of the attack suggests that Dego and Cocos-BCX may be run by the same team.

Share this article

An unknown attacker targeted two crypto projects, the Binance Smart Chain-based protocol Dego Finance and Ethereum-based GameFi project Cocos-BCX last night, making off with about $14.4 million worth of digital assets.  

Hackers Bag $14.4M in Latest DeFi Attack 

Dego Finance and Cocos-BCX both suffered an exploit last night.

According to security firm PeckShield, an unknown hacker successfully drained around $14.4 million from the liquidity pools for the projects on Uniswap and PancakeSwap. The incident occurred Wednesday at around 23:30 UTC. The hacker’s Binance Smart Chain currently contains around $9.6 million worth of BNB, Binance-pegged ETH, and other assets, while their Ethereum wallet holds roughly $4.8 million. The majority of the funds were drained from Dego Finance, the better known of the two projects. 

Dego aims to be a “lego” of the decentralized ecosystem, giving users a way to gain exposure to the burgeoning DeFi and NFT niches. It has its own NFT ecosystem and a token called DEGO. Coc0s-BCX is a “GameFi enabler” built on Ethereum. It focuses on supporting emerging GameFi projects through incubating, investing, and community building.

The hacker was able to steal the funds from the projects after a private key was compromised, the Dego team told PeckShield. The team added that the hack was not a “rug pull”—a common practice in the DeFi world in which project teams, usually those who stay anonymous, disappear with investors’ funds or remove liquidity so that the native token price tanks to zero. 

Announcing the exploit on Twitter early Thursday, the Dego team confirmed that it had asked cryptocurrency exchanges to close deposits for its DEGO token in order to prevent the hacker’s ability to profit off their liquidity. In a separate post, the team informed the community that it was working with security teams “to identify the hacker and retrieve loss.” Cocos-BCX, meanwhile, is yet to share an update on the hack through its official channels. 

Following the hack, DEGO crashed. According to data from CoinGecko, it plummeted from $4.50 to $3.81 and is now trading at $4.06 at press time, down about 11.4% on the day. COCOS, the native token for Cocos-BCX, had a milder drop of 3.4%, putting its current trading price at $1.54. 

Commenting on the attacks, PeckShield founder and CEO Xuxian Jiang told Crypto Briefing that it was possible the admin keys for both projects were secured on a single system that got compromised, such as a laptop. If true, this means the two projects may have been run by the same team. However, Crypto Briefing had not received a response at the time of publishing this article to verify the claim.  

The latest DeFi attack comes only a few days after a widely-publicized hack on Wormhole, in which $322 million in ETH was stolen from the Solana to Ethereum bridge. The $322 million loot made it the second biggest DeFi attack ever.

Disclosure: At the time of writing, the author of this piece owned ETH and other cryptocurrencies.

Share this article


Tagged : / / / / / /

PeckShield Says It’s Found 55 Rogue Projects on Binance Smart Chain

Key Takeaways

  • PeckShield has identified 55 “rug-potentials” on Binance Smart Chain.
  • The security firm warned that the teams behind the listed tokens could mint unlimited tokens, blacklist accounts, and restrict users from selling.
  • Rug pulls been a frequent occurrence on Binance Smart Chain in recent months.

Share this article

Security firm PeckShield has put out a list of 50 potential scam projects on Binance Smart Chain.

PeckShield Identifies Suspicious BSC Projects

PeckShield has published a list of 55 “rug-potentials” on Binance Smart Chain. 

After analyzing smart contracts of 55 early-stage tokens run by anonymous teams, PeckShield detected malicious functions that let administrators mint unlimited tokens, blacklist accounts, and block holders from selling their tokens. As such, it concluded that the projects may execute a so-called “rug pull” on their investors. “Rug pull” is a popular term used to describe crypto exit scams in which teams abandon projects or sell tokens on exchanges and disappear with investors’ funds.

PeckShield listed the projects it had identified in a Thursday tweet. The firm highlighted that the smart contracts for the tokens are designed in such a way that users can buy but not sell their holdings, creating a “honeypot” scenario. Tokens that employ a honeypot mechanism typically rise in value as more investors buy in before they find out that they cannot liquidate their positions. The token creator can then pull the rug and run off with the funds. Several scam projects have adopted a honeypot strategy to steal investors’ funds in recent weeks. In one high-profile case, a project styling itself on the hit Netflix show Squid Game launched a token called SQUID on Binance Smart Chain. It rallied thousands of percent in a few days before plummeting to zero when the team pulled the rug, making off with about $12 million. 

PeckShield told Crypto Briefing that it “decided to warn the community earlier rather than later” following a discussion with the team at Binance Smart Chain. Discussing how the listed tokens share common issues, PeckShield explained:

“Each token owner’s authority is too large and most of these tokens have too few sellers. Moreover, when interacting with PancakeSwap, the selling may be restricted.”

The good news is that 54 of the 55 flagged projects do not have active users or value locked on them. One token using the ticker symbol TRUMP has some on-chain activity and about $29,500 in liquidity on PancakeSwap. The TRUMP token has about 271 holders and has recorded a trading volume of $144,860 over the course of last week. 

In a separate tweet, PeckShield warned Binance Smart Chain users against trading TRUMP. The post described it as a “high-risk token” because it lets the owner mint unlimited tokens. Crypto Briefing investigated the project and could not source the team’s team, website, or social media channels.

Rug pulls have been a recurring problem for Binance Smart Chain users in recent months. In addition to Squid Game, several other scam projects launched on the network in 2021, resulting in users losing millions of dollars worth of funds. Among the biggest attacks involved TurtleDex and MetaDAO, which respectively stole $2.4 million and $3.2 million from their users.

The trend has continued into 2022, too. The security firm RugDoc reported Wednesday that multiple Binance Smart Chain tokens had “rugged” users after launching Initial DEX Offerings on the network. While Binance Smart Chain has hosted many malicious crypto teams, it’s not the only network that’s seen a wave of rug pulls. As the crypto space has grown, Ethereum has become a hub for similar incidents. Most recently, an anonymous team called EtherWrapped lured Ethereum users in with a fake New Year’s Eve airdrop then pulled the rug. They made off with 30 ETH. 

Disclosure: At the time of writing, the author of this piece owned ETH, and other cryptocurrencies.

Share this article


Tagged : / / / / / / /

Cream Finance Loses $25 Million To A Flash Loan Attack

PeckShield reported through a tweet of the new hack on Cream Finance. The blockchain security company said a flash loan attack on the decentralized finance lending and borrowing protocol.

PeckShield explained that the hacking came through a 500 Ethereum flash loan from the attacker. This was used to infiltrate a reentrancy bug in the smart contract of the Flex Network. Usually, flash loans being undercollateralized can be borrowed and repaid within a single transaction.

5 BTC + 300 Free Spins for new players & 15 BTC + 35.000 Free Spins every month, only at mBitcasino. Play Now!

Related Reading | Cryptocurrency Firms In Switzerland To Offer Tokenized Products On Tezos

As a DeFi protocol for lending, Cream Finance allows users to earn interest from their deposited assets. Though Cream Finance is a fork of the Compound protocol, its operation is quite different from Compound or Aave. The platform has several more markets for some esoteric digital assets.

Get 110 USDT Futures Bonus for FREE!

This attack on Cream Finance was exploitation involving 1,308 Ethereum and over 418 million AMP, the native token of Flexa Network. According to PechShield, the Ethereum records reveal that over $6 million were hacked at 5:44 UTC.

Cream Finance Becomes Another DeFi Protocol Hacked In 2021

Furthermore, the Cream Finance team members confirmed the authenticity of the hacking reporting. Then, reporting on Discord Channel, the project’s official channel, the members started working with PeckShield.

The team revealed that the hacking was on the CREAM v1 market on the Ethereum Blockchain. Furthermore, they mentioned that it’s through the reentrancy of the contract on the AMP token.

At the time of writing, AMP’s value has dipped by 15% within few hours to $0.05. Also, the value of Cream Finance’s native token, CREAM, plummeted by about 6%.

However, ETH is at $3, 190.46 showing a slight dipping within the last 24 hours. The total amount of the Crean Finance hacking is more than $25 million. The address of the hackers shows that they presently have about $18.8 million.

 Cream Finance Loses $25 Million To A Flash Loan Attack

 Cream Finance Loses $25 Million To A Flash Loan Attack

Amidst the hack, Cream Finance is down by 6% | Source: CREAMUSD on TradingView.com

The Cream Finance team has put a stop to any further loss. The team said that it now has a pause on AMP’s supply and borrow. It further acknowledged that the hack doesn’t affect any other market. Eason Wu, the protocol’s production Manger, disclosed this information on Discord.

Recall that earlier in the year; Cream Finance had a huge hack. The attack led to the loss of $37.5 million worth of digital assets. According to the report, the earlier hacking had a root cause from the exploitation of Alpha Finance.

Related Reading | Reports Show 45% Surge In Stock And Cryptocurrency Sign-Ups Across Rural Areas In India

Flash loans have remained one of the controversial features of decentralized finance. This’s because there’s no collateral needed for the loans, and hence, they are susceptible to hacks. This accounts for the recent attacks and hacks of flash loans.

A similar incident is a hack on the Bilaxy crypto exchange on August 28. The exchange had a huge hot wallet hack that compromised about 295 ERC-20 tokens. Also, a hack on Liquid on August 19 resulted in a loss of about $100 million.

Featured image from Pixabay, chart from TradingView.com


Tagged : / / / / / / /
Bitcoin (BTC) $ 26,562.12 0.41%
Ethereum (ETH) $ 1,632.85 0.86%
Litecoin (LTC) $ 64.21 0.84%
Bitcoin Cash (BCH) $ 235.53 2.99%