QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
JULY 2022
GLOBAL
IMPERMAX FINANCE
DESCRIPTION OF EVENTS
Impermax is a decentralized finance (DeFi) platform designed specifically for market makers, offering innovative solutions through a lending protocol that allows users to borrow against their liquidity provider (LP) positions. The platform aims to provide users with a balanced risk/reward experience and the ability to optimize their investment profiles. Key functionalities include earning protocol-based rewards through holding its native token, IBEX, and enabling users to lend tokens for low-risk yield opportunities.
Security is a top priority for Impermax, with its code audited by BailSec and Guardian Audit. It also features a $100,000 bug bounty program hosted by Hacken Proof to incentivize ongoing security improvements. The platform has already seen significant adoption, reaching a total value locked (TVL) of $250 million across various entities utilizing its codebase. Its code is protected under a Business Source License, particularly for its third version, Impermax V3.
Impermax positions itself as a driver of innovation in the DeFi space by introducing the first permissionless protocol that allows users to leverage LPs. The platform encourages community involvement through its Discord channel and provides extensive educational resources via documentation, FAQs, and a blog. Users can stake IBEX, explore its features, and engage with the ecosystem through the official app and social media channels.
It would appear that there was a critical vulnerability in key management in the Impermax Finance protocol.
A hacker stole approximately 9 million IMX tokens by compromising private keys of team-controlled wallets.
One exploit transaction on Polygon: 0xba85de347aee0c628d63926c28e535612157f8fb775f4233f56118b184c668e9
A hacker stole approximately 9 million IMX tokens by compromising private keys of team-controlled wallets.
In response to the security breach, Impermax Finance acted swiftly to mitigate damage and protect its users. Upon discovering that a hacker had stolen the private keys to several team-controlled wallets and made off with around 9 million IMX tokens, the team immediately attempted to transfer assets out of the affected wallets. Although the hacker succeeded in stealing a substantial amount of IMX and protocol-owned liquidity, Impermax’s quick detection and reaction prevented further losses.
One of the most critical steps Impermax took was a strategic move to frontrun the hacker. Realizing that a mass sale of the stolen tokens could crash IMX’s price and severely harm liquidity providers (LPs), the team proactively sold a large portion of their own tokens first. This maneuver not only preserved some market value but also allowed them to recover part of the funds from the hacker’s liquidity. These recovered funds are earmarked for refunding LPs in the coming weeks.
Importantly, Impermax reassured its community that the core lending protocol remains safe and fully operational, emphasizing that the attack resulted from compromised keys, not a smart contract flaw. To address the compromised IMX token, the team proposed a recovery plan involving a token swap. A snapshot taken before the attack will be used to fairly distribute a new token to previous IMX holders, including those who were staking, lending, or providing liquidity at the time. Impermax is using this opportunity not just to recover but to improve its ecosystem, with open community discussions about enhancing tokenomics and future governance mechanisms.
Impermax Finance successfully executed a recovery plan that included a token swap from IMX to a new token, IBEX, and refunded affected users. Users who held, lent, or staked IMX before the incident received IBEX on a 1:1 basis, while liquidity providers were additionally compensated with ETH refunds for their lost liquidity. A total of 87.25 million IBEX became the new effective supply after unclaimed tokens were burned.
Following the July IMX incident, Impermax Finance initiated a comprehensive recovery plan aimed at fully compensating affected users. The core of this plan was a token swap, replacing the compromised IMX token with a new token, IBEX, distributed based on a snapshot taken just before the attack. Users who were holding, staking, lending, or had pending rewards in IMX at that time received IBEX at a 1:1 ratio. Additionally, the team accounted for purchases made shortly after the snapshot but before the public announcement of the hack.
Liquidity providers (LPs), who were among the most impacted, received both IBEX and ETH refunds. The IBEX distribution matched the IMX amounts they had provided, while ETH refunds compensated for the ETH (or ETH-equivalent) liquidity they had exposed. The refund calculations were based on net balances and capped to each LP’s actual equity, ensuring fair and accurate compensation.
In total, Impermax allocated 100 million IBEX tokens, split across liquid, vested, manual transfer, and burnt categories. Of this, 51.75M IBEX were immediately claimable, 34.78M were converted into vested tokens, 0.72M were manually distributed, and 12.75M were burned, reducing the effective supply to 87.25M. The project also refunded 23.81 ETH to LPs and used 33.07 ETH to seed IBEX’s initial liquidity. Ultimately, Impermax’s actions reflect a structured effort to restore user trust and ensure that no one affected by the hack was left behind.
Although some manual claims and community discussions are still ongoing, the majority of affected users were made whole, and the protocol itself remained secure and fully functional.
Yes, affected users were largely made whole through a well-structured compensation plan implemented by Impermax Finance. Following the IMX security breach, the team introduced a new token, IBEX, to replace the compromised IMX. A snapshot was taken just before the incident, and users who held, staked, lent, or had pending rewards in IMX at that time received IBEX at a 1:1 ratio. This ensured that the majority of users retained the value of their holdings. The airdrop was executed via a MerkleDistributor contract, allowing eligible users to claim their new tokens transparently.
Liquidity providers (LPs), who experienced the most significant losses—both in IMX and in the ETH or other assets they had supplied—were also compensated. IBEX was distributed to match the IMX they had provided as liquidity, while ETH refunds were calculated based on their net exposure at the time of the snapshot. This included a detailed assessment of provided assets and any associated debt. Impermax used a portion of the recovered ETH from the hacker to fund these refunds, and also allocated additional ETH to provide initial liquidity for IBEX trading.
While no recovery plan is perfect, the measures taken by Impermax covered most impacted users comprehensively. Even unclaimed IMX tokens were accounted for—burned to reduce the total supply of IBEX and maintain its value. Although some users reported confusion or issues around the claim process, and manual intervention was needed in a few cases, the majority of users were effectively restored to their pre-incident positions. Overall, Impermax’s response successfully upheld its goal of making users whole and rebuilding trust within its community.
There is an ongoing manual distribution of IBEX tokens and ETH refunds for certain users, particularly those with more complex wallet setups or unresolved claims. Additionally, community governance discussions and updates to tokenomics—such as improvements in farming rewards, cross-chain compatibility, and broader ecosystem development—are still in progress. Ongoing user support and communication are also necessary, as some users continue to seek clarity or assistance with their allocations.
Several parts of the Impermax Finance IMX incident remain ongoing despite the completion of the primary recovery efforts. One key area is the token claim process for certain users. While the IBEX airdrop was distributed through a MerkleDistributor contract for most users, those with tokens held in smart contracts or less common wallet types may still require manual transfers. Some affected users also reported that they had not received their IBEX tokens, either due to missing the snapshot or being unaware of the claim process. These cases indicate that some users’ situations remain unresolved and may require continued support or additional claim opportunities.
Another ongoing aspect involves the full distribution of ETH refunds to liquidity providers. Although a portion of the recovered ETH was already used to repay bad debt and begin the refund process, additional ETH was allocated to compensate LPs and leveraged LPs for their exposure. The distribution of these funds depends on precise on-chain calculations, and ensuring all eligible users receive the correct amount may still be in progress or dependent on further actions from recipients.
Beyond the immediate recovery, Impermax is also continuing its governance and tokenomics overhaul. The shift to IBEX was not just a remedy for the hack, but also a chance to address previous issues in the ecosystem, such as farming reward structures, cross-chain support, and ticker-related updates. These initiatives are being discussed with the community, particularly in the project's Discord, and are part of an ongoing process to improve the platform’s foundation and resilience moving forward.
Lastly, user communication and support remain essential ongoing needs. Some users expressed confusion or frustration after the incident, particularly regarding eligibility for the IBEX airdrop or the state of their IMX holdings. Impermax must continue to provide clear information and responsive support to ensure that all affected users are either made whole or understand why they may not be eligible. This continued engagement is critical to restoring trust and ensuring long-term community stability.
Impermax Finance is a decentralized lending protocol designed for market makers to borrow against their liquidity provider (LP) positions, offering balanced risk/reward opportunities and protocol rewards via its native token, IBEX. Despite rigorous security measures—including audits and a bug bounty program — a hacker was still able to compromise private keys of team wallets, stealing around 9 million IMX tokens and significant protocol liquidity. Impermax responded swiftly by frontrunning the hacker’s potential sell-off to protect liquidity providers and initiated a comprehensive recovery plan involving a token swap from IMX to IBEX, distributing new tokens based on a pre-incident snapshot. Liquidity providers received both IBEX and ETH refunds, with unclaimed tokens burned to reduce supply. While most users were compensated and the protocol remained secure, some manual claims and community governance improvements remained ongoing to fully restore and strengthen the ecosystem.
Impermax Finance - "Following an incident a hacker was able to steal a large amount of $IMX. DON'T BUY OR SELL $IMX (Impermax)! PROTOCOL USERS' FUNDS ARE SAFE. Impermax protocol wasn't affected in any way by this incident and keeps working as usual. If you're a $IMX liquidity provider we strongly advise you to withdraw your $IMX liquidity from the market to avoid losses. We will follow up in a couple hours with an announcement explaining what's happening in detail and a recovery plan." - Twitter/X (May 26)
Impermax Finance - "An update on what exactly happened and our plan moving forward." - Twitter/X (May 26)
Impermax Finance - "The date is set $IBEX launch will be on September 30th at 12pm UTC For more info read the full announcement" - Twitter/X (May 26)
Impermax Finance - "After a month of on-chain analysis we are finally ready to share the allocations for our upcoming $IBEX launch!" - Twitter/X (May 26)
Impermax Finance Homepage (May 26)
IMX incident: post mortem and recovery plan - Impermax Finance Medium (May 26)
The Power of Indirect Liquidity Providing - Impermax Finance Medium (May 26)
IMX Incident: Refund Allocations - Impermax Finance Medium (May 26)
Detailed Impermax Finance Crypto app Review by DeFi Teller (May 27)
Original Transaction At Exploit Time - PolygonScan (May 27)
Transaction Moving The IMX Tokens - PolygonScan (May 27)
Term Finance Recovers $1 Million After Oracle Error Causes $1.6 Million ETH Loss - Bitcoin Ethereum News (May 27)
