back to article 1. This crypto-coin is called Jimbo. 2. $8m was stolen from its devs in flash loan attack

Just days after releasing the second – and supposedly more stable and secure – version of its decentralized finance (DeFi) app, Jimbos Protocol over the weekend was hit by attackers who stole stole 4,090 ETH tokens from the project worth about $7.5 million. The developers behind the Arbitrum-based app were the apparent victims …

  1. Sorry that handle is already taken. Silver badge

    It's not a "hack"

    Crypto goons keep telling us "code is law". Well, the code allowed this. Nothing that happened here was against the system's rules.

    And now they want to go crying to the jackbooted statist thugs. I thought all of this nonsense is supposed to evade the authorities (it never does, they're just dumb enough to think it does).

    Thanks for the entertainment, Jimbo!

    1. Dr Dan Holdsworth

      Re: It's not a "hack"

      If they're going with the "Code is law" stance and their code permitted these actions, then the attacker may well be working on the same basis. If they claim that code is law and whatever the code permits is legal then the attacker might very well argue that whilst it might be seen as an abuse of their system, it was a completely legal action and thanks for the extremely easy profit.

    2. tmTM

      Re: It's not a "hack"

      All the attacker needs to do is sit on the coins and wait for these idiots to go bust, then launder the proceeds.

      Unless they were silly enough to be doing this under their own name/IP address. Then the offer of $800K is extremely enticing.

    3. Sorry that handle is already taken. Silver badge

      Re: It's not a "hack"

      Also apologies to the cryptographers. We should reject "crypto" as an abbreviation of "cryptocurrency" and just use the whole word.

      Arguably "cryptocurrency" is an awful malapropism all of its own.

    4. simonlb

      Re: It's not a "hack"

      The miscreants then exploited a vulnerability in the JimboController contract

      Semantically, how is this any different to someone using a tax loophole to avoid paying tax?

      1. Doctor Syntax Silver badge

        Re: It's not a "hack"

        Tax avoidance is legal, tax evasion isn't. So, yes, if the alleged hack is legal then it is semantically equivalent.

        1. This post has been deleted by its author

  2. Kevin McMurtrie Silver badge


    This seems to be basic science and physics that was missed: Any negative feedback loop with a time delay may be unstable without feedforward compensation and/or input filtering. In most cases it's too much change over time that causes instability. Buggy software can take it a step further by allowing concurrency to push the delta/time ratio to nearly infinity.

    1. Sceptic Tank Silver badge

      Re: Con-currency

      That is precisely what I though.

      Where's Paris Hilton when you need an icon?

      (Icon picture, I mean)

    2. Doctor Syntax Silver badge

      Re: Con-currency

      Please don't go into crypto-currency land waving reality about like that. You won't be welcome, or, more likely, you won't even be understood.

  3. Anonymous Coward
    Anonymous Coward

    Police pretending

    To investigate a pretend currency.

    We will all pretend to be concerned.

    1. David 132 Silver badge
  4. Dinanziame Silver badge

    I'm confused

    I'm not sure what happened that was illegal here? It appears that these people have set their own algorithms to buy and sell their own token, unsupervised, at variable prices. Somebody came up with a better algorithm to do the same thing and made a mint. What's the crime? It's like having a good day on the stock market.

    1. Doctor Syntax Silver badge

      Re: I'm confused

      But, but, but .... It's so UNFAIR.

  5. Anonymous Coward
    Anonymous Coward

    Kleptocurrency working as designed?

    Oh, no, the magic beans are gone!

  6. LybsterRoy Silver badge

    I know I'm old and past it (72) but is it only to me that the article reads like gibberish. I made more sense out of the one on the Higgs-Boson and my physics days are further behind me (think school) than my computing ones.

    1. emfiliane

      It's not just you; most cryptobro and especially DeFi jargon is extra dense to cover for the fact that most of it is smoke and mirrors, and the part that's not is mostly just a harder way to do something we already did just fine. The more they can baffle you with bullshit, the easier they can pick your pocket.

      1. r-d

        Ah, the age-old refrain about anything related to cryptocurrencies: “It can’t be that stupid, you must be explaining it wrong.”

      2. Doctor Syntax Silver badge

        "The more they can baffle you with bullshit, the easier they can pick your pocket."

        Or in this case, baffle themselves.

      3. Benegesserict Cumbersomberbatch Silver badge

        DeFi: finance so decentralised that no one knows where it went.

    2. Sorry that handle is already taken. Silver badge

      You're not going mad. High energy physics makes far more sense than... whatever this nonsense is.

      As a scam, it is inscrutable by design.

    3. Michael Wojcik Silver badge

      It's not really terribly complicated; it's just that because there are so many flavors of exploits against DeFi, each story tends to be packed with technical details that aren't actually important if you don't care about them. Basically:

      1. Someone borrowed a bunch of (notional) money

      2. They bought a bunch of X

      3. That drove the price of X up

      4. They sold the X back at the inflated price. Here there was some fiddling with a vulnerability in the system to permit this action.

      5. They paid back the loan from step 1 and kept the rest as profit

      The only subtleties are in the fiddly bits of step 4, and the fact that all five steps are completed in a very short period of time.

  7. Potemkine! Silver badge



  8. Critical

    Police are looking into several insiders as potential suspects, including Tommy Tow-Truck and Sammy Steps.

    When will people grow up and accept that the consequence of bad engineering is that bad things will happen?

  9. ComicalEngineer

    I have some shares for sale in an unbeatable South Sea Island investment.

    And Tulips, lots of tulips.

    1. James Anderson

      No buy shares in my Beefsteak Mine -- much kinder to the environment.

    2. Hans Neeson-Bumpsadese Silver badge

      I might take you up on that offer because, you know, the more I hear about this crypto currency thing the dodgier it sounds

  10. tiggity Silver badge

    Interested in whether its illegal

    Flash loans a known potential issue in DeFi (there's even academic papers on it FFS!) - and these methods have been around for ages (the article even refers to similar attacks)

    So no excuses for not implementing methods to deal with this.

    I know in normal stocks "pumping" to inflate stock price is illegal in various ways e.g. "talking up" a stock etc. As (obviously - theres easy cash to be made) its been a scam since the early days of stock markets.

    But no idea what regulations apply to "crypto cash" and whether this is illegal, especially as Flash Loan functionality was deliberately built in as a "feature" . Indeed in "normal" financial trading utilising changes in the relative value of assets is a common feature of financial markets & plenty of high speed connections and computing "grunt" utilised to get an edge in financial trades perfectly legally by the big financial companies.

    1. DJO Silver badge

      Re: Interested in whether its illegal

      But no idea what regulations apply to "crypto cash"

      None, by design - the whole point of crypto-currencies is to circumvent regulatory oversight. It's basically an easy way to launder money and to rip off rubes.

      It's only when the inevitable happens and the people who created the scheme get ripped off themselves do they want some form of regulation. Not even sure if any laws were broken here, they bought cheap and sold dear, it's very similar in principle to "shorting" which is an accepted and legal fiscal technique.

      1. TimMaher Silver badge

        Re: Shorting

        Beat me to it. Damn!

        Have a beer.

      2. iron Silver badge

        Re: Interested in whether its illegal

        I see you bought the crypto bros' lies, plenty of regulations apply to them. See the SEC suing crypto companies for illegal trading practices as an example.

      3. Jon 37

        Re: Interested in whether its illegal

        The design is intended to be "no regulations".

        But actually, in the US, some cryptos are legally considered securities, and some DeFI stuff is securities or futures. (I think all of them are, but the regulators haven't taken that position... Yet).

        Securities are subject to a bunch of rules. They are supposed to be enforced by the SEC. Even though it has done a poor job so far, it has taken some action, and can go after people for things they have done in the past.

        Similarly CFTC and the crypto futures.

  11. Howard Sway Silver badge

    1. This crypto-coin is called Jimbo. 2. $8m was actually wasted on it

    So there are now 25,000 different types of coin listed by these crypto pushers. Presumably when someone this week thinks "you know what, I'm very late to all this, and I've heard about quite a few scams and people losing everything, but I think I'll invest every last cent I have in one" they then go and "do their own research" in time honoured internet fashion, i.e. go down a rabbit hole of crypto-pushing sites and get pushed one way or another into picking one to waste their money on. It'll be either "pick a popular one, it's safe" or "take a risk on a smaller one : you could get rich beyond your dreams". Both options are of course bullshit.

    If the $8m that got wasted on "Jimbo" is taken as a sort of baseline of how much gets blown on even the most obviously shit coin scam, that means at least $200 billion must be tied up all in the small fry, waiting to be stolen or just evaporate away into nothing. What a fucking stupid waste.

    1. David Hicklin Bronze badge

      Re: 1. This crypto-coin is called Jimbo. 2. $8m was actually wasted on it

      But until someone actually converts it into hard $ or £ (or whatever) then it is all virtual vapourcash anyway - none of it is real.

  12. CommonBloke

    Step by step

    Correct me if I'm wrong on the step by step process:

    1- get 10k eth

    2- current ration of eth/shot is 1/100. spend all of it buying random shotcoin.

    3- you now have "the whole supply" of shotcoin

    4- Ratio goes from 1/100 to 1/1

    5- convert shotcoin back into eth. Since this is a direct conversion based on current market price, instead of a buy/sell, it doesn't affect the price.

    6- ???

    7- PROFIT!!

    And that, somehow, is a crime, despite being sold as a feature?

  13. IGotOut Silver badge

    Hold on.

    Isn't this just standard stock market trading?

    Buy low, sell high.

    If you take a loan out to buy low, "forcing" prices up, then selling back at higher cost. Repay loan and profit.

    This Jimbo lot were just idiots for letting it happen so easily.

  14. Anonymous Coward
    Anonymous Coward

    Methinks we need a crypto currency name generator

    Much like the one for faux real ales.

    Hogwarts bukkake

    Gandalfs Memory Stick

    1. Rol

      Re: Methinks we need a crypto currency name generator

      Stewart's Crumbs

      Lee's Funky Bits

      haha. I know what you did there. lol

  15. Boolian

    Stolen Stollen

    Yeah, struggling to seen what was stolen, a share of unbaked cake, a share of the idea of cake. Jimbo.2 wasn't stolen, Ethereum wasn't stolen.


    No wait - they bought Jimbo2-Coin from Jimbo2, with a loan of Ethereum-Coin borrowed from Etherium and sold the Jimbo2-coin back to Jimbo2 in exchange for it's value in Etherium-Coin, and paid Etherium back in Etherium-Coin?

    In between buying the Jimbo2-coin, and selling it back, the 'value' of Jimbo2-coin went up (and presumably went down afterwards) and they shoved the difference (in Etherium-Coin) in their wallet.

    *cough "the value shares can go down, as well as up" - or is it the other way around - meh.

    Well, isn't it Jimbo2 who has the Jimbo2-coin - why are they looking elsewhere?

    Nothing was stolen - maybe there is some kind of regulation against 'pump & dump' manipulating prices -so the perpetrators engaged in a crime, but the crime wasn't theft, was it? Shurely not.

    Same-same with Fiat currency.

    Who set the rate of Jimbo2-coin? The 'Market' or Jimbo2? I think it was Jimbo2... or Jimbo2's automated system - well get the system to put the value up again when no-one is looking...

    If it was 'The market' well, 'the market' can shift the share price up momentarily to cover the difference. ad-infinitum - unless the market doesn't give shit about Jimbo2's woes because 'unregulated man, code is law - no luck'.

    Isn't crypto better suited to clawing back, or freezing 'manipulated money' anyway - isn't it on the Chainz™ Doesn't it have a serial number?

    "These serial numbers are considered 'counterfeit - do not process any transaction with these numbers, any transaction made with them is now void (press enter)

    What about wallets, at least tell me the Chainz™ know what wallet the 'value' went into - can you create, and bin anonymous wallets on the fly all over the place, or can wallets get fingered as ' hot'?

    At least that way, it's not just Jimbo2 trying to get 'value' back - a lot of other traders will be hunting the 'value' of their now void transactions too, and also keeping an eye out for anyone brandishing a wallet that says 'Mean Muthafukka'

    Soooo many rhetorical questions.

    High Finance, and Crypto - buggered if I know how it works - that's why I'm poor.

  16. A. Coatsworth Silver badge

    Why would the attackers return the money?

    And more to the point, why did the guys who pulled these "flash loans" in the past return it?

    Even if the attack falls in a moral grey area, it doesn't sound outright illegal... and if it was illegal, so what? Expecting a scammer to respect the law is a slight contradiction in itself.

    The whole cryptocurrency stuff is baffling to me, and successful "thieves"[1] returning their swag out of the kindness of their hearts is just the cherry on top

    [1] in quotes because I am still not convinced an actual crime took place

  17. Claptrap314 Silver badge


    A bug bounty program with decent returns...

    Yeah, I'm having a hard time finding a broken law here...

  18. Filippo Silver badge

    Like most other posters here, I don't quite understand how this is illegal. If it was stock market, it would be a pump'n'dump scheme, but I really don't think that's illegal for cryptocurrency.

    The only bit that sounds concerning would be that "exploited a vulnerability in the JimboController contract to manipulate the liquidity pool".

    Unfortunately, I don't know what a "liquidity pool" is, I don't know what it was "manipulated" into, I don't know what the "JimboController contract" is (okay, it's a smart contract I guess, but doing what?), I don't know what the vulnerability was, and I don't know how it was exploited.

    So... yeah. Picture me scratching my head.

    1. vogon00

      Head-scratching? This is to do with cryptocurrency and the hubris that goes with it, so it's more appropriate to scratch the other end...

  19. newspuppy

    Jimbo's team bad design does not a make the (ab)user a criminal

    If there actually was design... this could have been minimized. I do not understand how this can make a user of the features into a criminal.

    As many have stated, this was simply shorting the Jimbo utilising the Jimbo's documented features.

    This "CryptoCurrency" idea is attempting to make rules and code for a fully independent and automated system. What could go wrong? If people are worried about AI, then why would they trust cripto which inevitably shall be full of more bugs then an ants nest, with no human oversight.

    Making the user the criminal for a lack of design, bad programming, non existent QA, and taking advantage of an illiquid market is too much.

    Blame everyone but the clowns at fault. Where has responsibility gone to?

  20. Michael Wojcik Silver badge

    "Basic security" consistently fails in this realm

    Steinkamp said "this basic function should never have been able to be executed if the owners of the asset had run basic security and hardening efforts prior to releasing it into the production environment."

    I'm calling bullshit on that. A quick review of Molly White's site shows any number of cases where bugs in "smart contracts" were exploited despite those contracts having been audited by one, or often multiple, security firms that claim expertise in the area.

    No doubt the Jimbo team were lax in basic security; I don't find that hard to be believe at all. But apparently finding all vulnerabilities in smart contracts is a very difficult problem in general, and even (self-appointed) experts are pretty bad at it. This vulnerability might have been caught, but very likely others would not have been.

    I don't think the whole DeFi / smart contract approach is salvageable. Which is no loss, in my opinion.

  21. that one in the corner Silver badge

    Why would the "stolen" coin be returned?

    One theory, but it depends upon whether anyone else is actually buying Etherium "for real", not in some weird game like the "flash loan" - that is, how fast can one actually sell 4k ETH for real cash and be rid of them?

    If that is likely to take some time (because you are waiting on new suckers to enter the game with their real USD for weird ETH) then the incentive for "giving back" 90% of the 4k ETH is simple blackmail on the part of Jimbo:

    "If you don't give us the ETH then we'll just explain to the world that *exactly* how this whole charade has been fleecing everyone and the whole thing will collapse! You'll be left with ETH that can't even be used to wipe your bum (even Weimar Papiermark could do that) and you'll still have paid out the fees for the flash loan! You lose! Yes, we'll burn the whole thing down just to screw you over for those fees! We don't care, all the important people in cryptocurrency have skimmed their nestegg: we knew it wasn't going to last forever."

  22. Anonymous Coward
    Anonymous Coward

    The protocol owners don't get to decide...

    As the Avraham Eisenberg/Mango Markets thing proved, it's not in the power of the protocol owners to offer this deal of "you keep 10% and it isn't a crime". If it was a crime (eg market manipulation or one of the many possible vaguely defined computer crime/wire fraud things that are out there) then even if they say the "attacker" can keep 10%, the officials can and will go after the perps. That's what happend to Eisenberg.

    If it's not a crime and a legitimate financial arbitrage then there's no reason for the "counterparty" to give them a dime. Either way the folks who did this are all in at this point. Their only real option is to hang on.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like