$300 000 USD

APRIL 2025

GLOBAL

IMPERMAX FINANCE

DESCRIPTION OF EVENTS

Impermax is a decentralized finance (DeFi) platform designed specifically for market makers, offering innovative solutions through a lending protocol that allows users to borrow against their liquidity provider (LP) positions. The platform aims to provide users with a balanced risk/reward experience and the ability to optimize their investment profiles. Key functionalities include earning protocol-based rewards through holding its native token, IBEX, and enabling users to lend tokens for low-risk yield opportunities.

 

Security is a top priority for Impermax, with its code audited by BailSec and Guardian Audit. It also features a $100,000 bug bounty program hosted by HackenProof to incentivize ongoing security improvements. The platform has already seen significant adoption, reaching a total value locked (TVL) of $250 million across various entities utilizing its codebase. Its code is protected under a Business Source License, particularly for its third version, Impermax V3.

 

Impermax positions itself as a driver of innovation in the DeFi space by introducing the first permissionless protocol that allows users to leverage LPs. The platform encourages community involvement through its Discord channel and provides extensive educational resources via documentation, FAQs, and a blog. Users can stake IBEX, explore its features, and engage with the ecosystem through the official app and social media channels.

 

The Impermax Finance V3 protocol was vulnerable to a complex price manipulation exploit.

 

The exploit took advantage of how Impermax V3 calculated collateral using uncollected fees, which were valued too generously relative to compounded fees. The attacker executed the following steps:

 

1) Took a large flash loan via Balancer.
2) Created a position on a Uniswap V3 pool with low liquidity to maximize control.
3) Manipulated the price (tick) to skew the position's balance.
4) Performed dozens of swaps to generate excessive uncollected fees, mostly on one side of the pool.
5) Used these inflated uncollected fees as collateral to borrow funds.
6) Auto-compounded the fees back into the position at an incorrect tick, reducing its true value.
7) Reset the tick to extract the misvalued collateral.
8) Closed the position using restructureBadDebt, effectively diluting lender assets.

 

The attacker was able to repeat this process to siphon off all available liquidity and ensure they could extract funds before legitimate lenders, creating ongoing risk in the protocol until full remediation occurs. The root cause was a misaligned valuation logic between types of collateral, which enabled this abuse of the system’s internal safety margins.
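
The valuation gap described above can be written as an invariant test for a collateral module. The Python model below is an added example, not Impermax's code: it uses simplified Uniswap V3 liquidity math, and the function names, the sample range and prices, and the 1% tolerance are assumptions. It compares the face value of uncollected fees with the oracle-priced value of the same fees once they are compounded at the pool's current tick.

```python
# Simplified Uniswap V3 position math; prices are token1 per token0, s = sqrt(price).
# Hypothetical model for illustration, not Impermax's contract code.

def amounts(liq, s, sa, sb):
    """Token amounts (x0, x1) backing `liq` liquidity in range [sa, sb] at sqrt price s."""
    s = min(max(s, sa), sb)  # outside the range the position is single-sided
    return liq * (1 / s - 1 / sb), liq * (s - sa)

def value(x0, x1, s_oracle):
    """Value in token1 units at the oracle price."""
    return x0 * s_oracle ** 2 + x1

def liquidity_from_fees(f0, f1, s_pool, sa, sb):
    """Liquidity minted when fees are compounded at the pool's current sqrt price."""
    s = min(max(s_pool, sa), sb)
    if s <= sa:
        return f0 / (1 / sa - 1 / sb)
    if s >= sb:
        return f1 / (sb - sa)
    return min(f0 / (1 / s - 1 / sb), f1 / (s - sa))

def compounding_loss(f0, f1, s_pool, s_oracle, sa, sb):
    """Fraction of the fees' collateral value that disappears when they are compounded."""
    before = value(f0, f1, s_oracle)  # uncollected fees counted at face value
    liq = liquidity_from_fees(f0, f1, s_pool, sa, sb)
    used0, used1 = amounts(liq, s_pool, sa, sb)    # fees consumed by the mint
    held0, held1 = amounts(liq, s_oracle, sa, sb)  # same liquidity, priced at the oracle
    after = value(held0, held1, s_oracle) + value(f0 - used0, f1 - used1, s_oracle)
    return (before - after) / before

def reinvest_allowed(f0, f1, s_pool, s_oracle, sa, sb, tolerance=0.01):
    """Invariant: compounding must not reduce oracle-valued collateral beyond tolerance."""
    return compounding_loss(f0, f1, s_pool, s_oracle, sa, sb) <= tolerance

# Constructed sample: price range 0.25..4 (sa=0.5, sb=2), oracle price 1.
SA, SB, S_ORACLE = 0.5, 2.0, 1.0
HONEST = compounding_loss(50, 50, 1.0, S_ORACLE, SA, SB)  # pool tick matches the oracle
SKEWED = compounding_loss(0, 100, 3.0, S_ORACLE, SA, SB)  # pool tick pushed above the range

if __name__ == "__main__":
    print(f"honest pool tick: loss {HONEST:.1%}")
    print(f"skewed pool tick: loss {SKEWED:.1%}")
    print("reinvest allowed at skewed tick:",
          reinvest_allowed(0, 100, 3.0, S_ORACLE, SA, SB))
```

In this model a third of the fee collateral vanishes at the skewed tick, so a loan sized against the face value of the fees is under-collateralized after compounding; running the check before borrowing or reinvesting flags the inconsistency.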

 

As of April 28th, Impermax found that $300k had been lost. Impermax estimates that the total loss will be around $400k. SlowMist reports the loss as $152,200, a figure that appears to stem from a preliminary report by TenArmorAlert.

 

While acknowledging the severity of the incident, Impermax noted that the scale of losses ($400,000 total estimated) was modest compared to major DeFi hacks. Despite the setback, Impermax affirmed its commitment to rebuilding and securing the platform.

 

SlowMist: "Impermax was attacked on the Base network. In a tweet, Impermax stated that someone launched a flash loan attack and drained its V3 liquidity pools. The team is currently investigating and advises users not to interact with any V3 pools."

 

Following the flash loan attack on Impermax V3, the team has initiated a recovery plan. They are working to stabilize the situation and plan to reimburse affected lenders based on a snapshot taken before the exploit. The reimbursement details, including proportions and timelines, are yet to be determined. The team remains committed to addressing the issue and restoring confidence in the protocol.

 

Following the flash loan exploit on April 26, 2025, which drained approximately $152,000 from Impermax's V3 liquidity pools on the Base network, the team initiated a comprehensive recovery plan. They advised users to refrain from interacting with any V3 pools until further notice. The exploit was attributed to a discrepancy in the valuation of uncollected fees used as collateral, which the attacker exploited through a series of strategic actions, including creating a position with inflated uncollected fees and leveraging them to borrow assets.

 

In response, Impermax implemented a bad debt rebalancing system to prevent underwater positions by socializing the bad debt across borrowable pools. They also introduced debt ceilings as an additional risk-mitigation feature and began supporting custom oracles, including Chainlink and TWAP, to enhance safety. The team emphasized their commitment to stabilizing the situation and reimbursing affected users based on a snapshot taken prior to the exploit. While the final loss was estimated to be around $400,000, the team expressed determination to recover and strengthen the protocol moving forward.

 

The team emphasized resilience and continuity, stating they would not abandon the project and expressing confidence in their ability to return stronger after addressing the incident. This phased approach—immediate containment, followed by assessment and eventual compensation—reflects Impermax's intent to preserve user trust and long-term viability despite the $300K–$400K loss.

 

Following the Impermax V3 exploit, the Impermax team committed to a recovery plan aimed at compensating affected users. The primary strategy involved taking a snapshot of user balances immediately before the attack, which would serve as the basis for distributing recovered or replacement funds. Users were explicitly advised not to close or reduce their borrowing positions to avoid triggering the release of vulnerable capital while the situation was being contained.

 

Although the team did not provide a precise timeline or percentage for reimbursements, they assured the community that their top priority was to stabilize the protocol and minimize further losses. Once the exploit had been addressed and potential additional threats mitigated, they planned to focus on determining fair and feasible reimbursement mechanisms based on the snapshot.

 

Impermax has advised borrowers not to repay or close positions until remediation is complete, as doing so may release additional at-risk capital. The team is actively working to stabilize the situation, pledging to eventually distribute recovered funds to affected lenders based on a pre-hack snapshot. While this is a significant setback, Impermax emphasized its resolve to recover and improve, characterizing the estimated $400,000 total loss as manageable within the broader context of DeFi security challenges.

 

Impermax is a DeFi platform that enables users, particularly market makers, to borrow against their liquidity provider (LP) positions, offering risk-balanced yield opportunities and protocol rewards through its native IBEX token. Despite strong security measures—including audits and a bug bounty program—the Impermax V3 protocol suffered a complex flash loan exploit that manipulated the valuation of uncollected fees used as collateral. The attacker used a sequence of actions to inflate collateral value, borrow assets, and drain liquidity pools, resulting in estimated losses around $400,000. Impermax immediately advised users not to interact with V3 pools and implemented emergency controls such as bad debt rebalancing, debt ceilings, and support for safer oracles. The team plans to reimburse affected users based on a snapshot taken before the hack but has yet to specify timelines or exact amounts.

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.