Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/jokintheboxethunstakingvulnerability.php}} {{Unattributed Sources}} JokInTheBox Logo/HomepageJokInTheBox is a utility to assist with sandwich attacks and copy sniping, with profits going to the JOK token stakers. A vulnerability in the smart contract allowed a user to unstake their assets multiple times, draining the pool of staked assets from other users...."

2024-09-18T19:41:09Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/jokintheboxethunstakingvulnerability.php}} {{Unattributed Sources}} thumb|JokInTheBox Logo/HomepageJokInTheBox is a utility to assist with sandwich attacks and copy sniping, with profits going to the JOK token stakers. A vulnerability in the smart contract allowed a user to unstake their assets multiple times, draining the pool of staked assets from other users...."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/jokintheboxethunstakingvulnerability.php}}
{{Unattributed Sources}}

[[File:Jokinthebox.jpg|thumb|JokInTheBox Logo/Homepage]]JokInTheBox is a utility to assist with sandwich attacks and copy sniping, with profits going to the JOK token stakers. A vulnerability in the smart contract allowed a user to unstake their assets multiple times, draining the pool of staked assets from other users. This was exploited on June 10th, and the attacker made off with $34k worth of funds. The protocol appears to have moved forward with replacing all lost tokens and it performing a series of buy-backs and token burns to raise the token price.<ref name="slowmisthackedarchive-14374" /><ref name="jokintheboxethtwitter-14390" /><ref name="jokinthebox-14391" /><ref name="jokintheboxdocs-14392" /><ref name="x-14393" /><ref name="chainaegisapp-14394" /><ref name="etherscan-14395" /><ref name="neptunemutual-14015" />

== About JokInTheBox ==
"MEV Bot for Everyone Copy Sniping & AI Social Bot. Enjoy private access to sandwich attacks, copy sniping and Unlock Passive Income through Stacking and Taxes! Empower Revenue Generation and Maximize Daily Engagement with Our Advanced AI-Driven Social Algorithm."

"JokInTheBox stands at the forefront of blockchain innovation. Built on the robust Ethereum blockchain, our project is dedicated to revolutionizing the crypto space with cutting-edge technology and a community-centric approach." "Our MEV Bot is built to be the best in the market. Our developers and mathematicians keep improving it for top performance. It works on many DEXs and pairs, and supports various networks. Best of all, 100% of the profits go to $JOK stakers."

"Enhance social engagements with our AI tools! Use our Telegram Bot for better group chats or have fun on Twitter with our Automated Crypto Trading Bot. Each time you use them, 777 JOK Tokens are burned, making our platform more visible and viral! Our platform uses Advanced Crypto Trading Bot Strategies and High Frequency Crypto Trading to give you the best performance."

"Stake your $JOK Tokens and earn daily income from our MEV Bot and Sandwich Bot. Profits are distributed daily at 00:00 UTC. Enjoy maximized returns with our Algorithmic Crypto Trading and Crypto Transaction Optimization."

== The Reality ==
"Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drian the assets."

== What Happened ==
"MEV Bot JokInTheBoxETH was attacked, lost ~$34K."
{| class="wikitable"
|+Key Event Timeline - JokInTheBoxETH Unstaking Vulnerability
!Date
!Event
!Description
|-
|June 9th, 2024 7:39:59 AM MDT
|Malicious Contract Creation
|Initial malicious contract creation.
|-
|June 10th, 2024 6:28:23 PM MDT
|Attack Transaction
|The final transaction which profits 9.834 ETH (~$34k).
|-
|June 10th, 2024 11:32:00 PM MDT
|ChainAegis Analysis
|ChainAegis posts their analysis of the blockchain exploit. They do not, however, link to a specific transaction.
|-
|June 11th, 2024 8:44:00 AM MDT
|JokInTheBoxETH Tweet
|The JokInTheBoxETH team posts to announce compensation for user losses. They plan to airdrop tokens matching what each user staked and lost within 24 hours. Instead of burning 15% of our supply, they'll use those tokens for airdrops and reduce circulating supply through market buybacks. They aim to purchase and burn 110 billion $JOK tokens. They're grateful for their community's support and committed to preventing similar events in the future.
|}

== Technical Details ==
"MEV Bot JokInTheBoxETH was attacked, lost ~$34K. The root cause of the exploit was poorly implemented unstake function fo the staking contract. Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drian the assets."

== Total Amount Lost ==
#34k

The total amount lost has been estimated at $34,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
"How are we going to compensate for the loss of our users?
We will airdrop the exact amount of tokens each user staked and lost on the platform within 24h."

"We were planning to burn 15% of the supply.
Instead, we will use that supply to airdrop tokens to our users.
We still want to reduce the circulating supply.
We will regularly buy back from the market and burn.
Than means we are going to buy 110B $JOK token from the market over the time."

"We believe it's a better solution than relaunch.

Our community showed strong support.
We can't thank you enough.
Some might think that it's unfair that some "new whales" took the opportunity to buy that dip.
But they took a huge risk doing it.

We will move forward from here and never let such an event happen again."

== Total Amount Recovered ==
"How are we going to compensate for the loss of our users?
We will airdrop the exact amount of tokens each user staked and lost on the platform within 24h."

"We were planning to burn 15% of the supply.
Instead, we will use that supply to airdrop tokens to our users.
We still want to reduce the circulating supply.
We will regularly buy back from the market and burn.
Than means we are going to buy 110B $JOK token from the market over the time."

There do not appear to have been any funds recovered in this case.

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmisthackedarchive-14374">[https://web.archive.org/web/20240617180525/https://hacked.slowmist.io/ SlowMist Hacked - SlowMist Zone] (Accessed Jun 20, 2024)</ref>

<ref name="jokintheboxethtwitter-14390">[https://twitter.com/JokInTheBoxETH/status/1800539599082500106 @JokInTheBoxETH Twitter] (Accessed Jun 21, 2024)</ref>

<ref name="jokinthebox-14391">[https://jokinthebox.com/ JokInTheBox | MEV Sandwich, Copy Trading & AI Social Bot] (Accessed Jun 21, 2024)</ref>

<ref name="jokintheboxdocs-14392">[https://docs.jokinthebox.com/jokinthedocs Welcome To JokInTheDocs | JokInTheDocs] (Accessed Jun 21, 2024)</ref>

<ref name="x-14393">[https://x.com/ChainAegis/status/1800400617539883186 x.com] (Accessed Jun 21, 2024)</ref>

<ref name="chainaegisapp-14394">[https://app.chainaegis.com/result?type=eth&search=0xfcd4acbc55df53fbc4c9d275e3495b490635f113 ChainAegis] (Accessed Jun 21, 2024)</ref>

<ref name="etherscan-14395">[https://etherscan.io/tx/0xd14f5d5181c181d1c0734ebf7976199652caaad91fad9391b8a725407a284852 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Jun 21, 2024)</ref>

<ref name="neptunemutual-14015">[https://neptunemutual.com/hack-database/ DeFi and Cryptocurrency Hacks / Neptune Mutual] (Accessed May 28, 2024)</ref></references>

JokInTheBoxETH Unstaking Vulnerability - Revision history