JokInTheBoxETH Unstaking Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 13:41, 18 September 2024 by Azoundria (talk | contribs)

JokInTheBox is a utility to assist with sandwich attacks and copy sniping, with profits going to the JOK token stakers. A vulnerability in the staking smart contract allowed a user to unstake their assets multiple times, draining the pool of assets staked by other users. This was exploited on June 10th, 2024, and the attacker made off with 9.834 ETH, worth roughly $34k at the time. The protocol appears to have moved forward by replacing all lost tokens from its own supply and performing a series of buy-backs and token burns to raise the token price.[1][2][3][4][5][6][7][8]

About JokInTheBox

"MEV Bot for Everyone Copy Sniping & AI Social Bot. Enjoy private access to sandwich attacks, copy sniping and Unlock Passive Income through Staking and Taxes! Empower Revenue Generation and Maximize Daily Engagement with Our Advanced AI-Driven Social Algorithm."

"JokInTheBox stands at the forefront of blockchain innovation. Built on the robust Ethereum blockchain, our project is dedicated to revolutionizing the crypto space with cutting-edge technology and a community-centric approach." "Our MEV Bot is built to be the best in the market. Our developers and mathematicians keep improving it for top performance. It works on many DEXs and pairs, and supports various networks. Best of all, 100% of the profits go to $JOK stakers."

"Enhance social engagements with our AI tools! Use our Telegram Bot for better group chats or have fun on Twitter with our Automated Crypto Trading Bot. Each time you use them, 777 JOK Tokens are burned, making our platform more visible and viral! Our platform uses Advanced Crypto Trading Bot Strategies and High Frequency Crypto Trading to give you the best performance."

"Stake your $JOK Tokens and earn daily income from our MEV Bot and Sandwich Bot. Profits are distributed daily at 00:00 UTC. Enjoy maximized returns with our Algorithmic Crypto Trading and Crypto Transaction Optimization."

The Reality

"Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drain the assets."

What Happened

"MEV Bot JokInTheBoxETH was attacked, lost ~$34K."

Key Event Timeline - JokInTheBoxETH Unstaking Vulnerability
Date | Event | Description
June 9th, 2024 7:39:59 AM MDT | Malicious Contract Creation | Initial malicious contract creation.
June 10th, 2024 6:28:23 PM MDT | Attack Transaction | The final transaction, which profits 9.834 ETH (~$34k).
June 10th, 2024 11:32:00 PM MDT | ChainAegis Analysis | ChainAegis posts their analysis of the blockchain exploit. They do not, however, link to a specific transaction.
June 11th, 2024 8:44:00 AM MDT | JokInTheBoxETH Tweet | The JokInTheBoxETH team posts to announce compensation for user losses. They plan to airdrop tokens matching what each user staked and lost within 24 hours. Instead of burning 15% of the supply, they will use those tokens for the airdrop and reduce circulating supply through market buy-backs, aiming to purchase and burn 110 billion $JOK tokens. They thank the community for its support and commit to preventing similar events in the future.

Technical Details

"MEV Bot JokInTheBoxETH was attacked, lost ~$34K. The root cause of the exploit was poorly implemented unstake function of the staking contract. Since the unstake function does not check the state of the variable "unstake", the exploiter could unstake multiple times and drain the assets."
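The following Solidity contract is an added illustration of the flaw the analysis above describes; it is example code written for this case study, not the JokInTheBox staking contract, and the contract name, the `Position` struct, the `unstaked` flag and the `StakingPoolExample` layout are all assumptions. The vulnerable path writes a per-user "unstaked" flag but never reads it and never clears the staked balance, so each repeated call pays the caller the same amount again out of other users' deposits. The hardened path applies checks-effects-interactions: verify the position is live, zero it out, then transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical staking pool written for this case study. It is NOT the
// JokInTheBox contract; names and storage layout are assumptions.
contract StakingPoolExample {
    IERC20 public immutable token;

    struct Position {
        uint256 amount;   // tokens the user deposited
        bool unstaked;    // set on withdrawal; the vulnerable path never reads it
    }

    mapping(address => Position) public positions;
    uint256 public totalStaked;

    event Unstaked(address indexed user, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        positions[msg.sender].amount += amount;
        positions[msg.sender].unstaked = false;
        totalStaked += amount;
    }

    // VULNERABLE (kept to show the bug class): the balance is paid out but
    // neither the `unstaked` flag nor `amount` is checked or cleared first.
    // A second, third, ... call still sees amount > 0 and is paid again,
    // draining tokens that belong to other stakers. `totalStaked` is never
    // reduced, so the pool's own accounting never notices the shortfall.
    function unstakeVulnerable() external {
        Position storage p = positions[msg.sender];
        require(p.amount > 0, "nothing staked");
        p.unstaked = true;                             // written, never consulted
        require(token.transfer(msg.sender, p.amount), "transfer failed");
        emit Unstaked(msg.sender, p.amount);
    }

    // HARDENED: checks, then effects, then interaction. The position is
    // zeroed and flagged BEFORE the external token call, so a repeated call
    // (or a re-entrant one from a hooked token) reverts on `amount == 0`.
    function unstake() external {
        Position storage p = positions[msg.sender];
        uint256 amount = p.amount;
        require(amount > 0, "nothing staked");
        require(!p.unstaked, "already unstaked");

        p.amount = 0;
        p.unstaked = true;
        totalStaked -= amount;

        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Unstaked(msg.sender, amount);
    }
}
```

A regression test for this class of bug is short: stake from two accounts, call `unstake()` twice from one of them, and assert that the second call reverts and that the contract's token balance equals `totalStaked` afterwards. Note also that once `amount` is zeroed the `unstaked` flag is redundant; keeping a single source of truth (the balance) removes the chance of the two fields disagreeing, which is exactly the inconsistency the vulnerable function exploits. For tokens that do not return a bool from `transfer`, a SafeERC20-style wrapper should replace the bare `require(token.transfer(...))`.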

Total Amount Lost

  1. $34k (9.834 ETH)

The total amount lost has been estimated at $34,000 USD.

Immediate Reactions

ChainAegis published an analysis of the exploit on the evening of June 10th, 2024 (MDT). The next morning the JokInTheBoxETH team announced on Twitter that it would airdrop to each affected user the exact amount of tokens they had staked and lost, within 24 hours, using supply that had previously been earmarked for burning.[2][6]

Ultimate Outcome

"How are we going to compensate for the loss of our users? We will airdrop the exact amount of tokens each user staked and lost on the platform within 24h."

"We were planning to burn 15% of the supply. Instead, we will use that supply to airdrop tokens to our users. We still want to reduce the circulating supply. We will regularly buy back from the market and burn. That means we are going to buy 110B $JOK token from the market over the time."

"We believe it's a better solution than relaunch.

Our community showed strong support. We can't thank you enough. Some might think that it's unfair that some "new whales" took the opportunity to buy that dip. But they took a huge risk doing it.

We will move forward from here and never let such an event happen again."

Total Amount Recovered

There do not appear to have been any funds recovered from the attacker in this case. The compensation announced by the team was funded from tokens originally set aside for burning, not from recovered assets.

Ongoing Developments

The team described the buy-back and burn of 110 billion $JOK tokens as a programme to be carried out over time; whether it was completed is not documented in the sources cited here.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Accessed Jun 20, 2024)
  2. @JokInTheBoxETH Twitter (Accessed Jun 21, 2024)
  3. JokInTheBox | MEV Sandwich, Copy Trading & AI Social Bot (Accessed Jun 21, 2024)
  4. Welcome To JokInTheDocs | JokInTheDocs (Accessed Jun 21, 2024)
  5. x.com (Accessed Jun 21, 2024)
  6. ChainAegis (Accessed Jun 21, 2024)
  7. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jun 21, 2024)
  8. DeFi and Cryptocurrency Hacks / Neptune Mutual (Accessed May 28, 2024)