Impermax Finance V3 Flash Loan Fee Valuation Flaw Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:58, 27 May 2025 by Azoundria

Impermax Finance Logo/Homepage

Impermax is a DeFi platform that enables users, particularly market makers, to borrow against their liquidity provider (LP) positions, offering risk-balanced yield opportunities and protocol rewards through its native IBEX token. Despite strong security measures—including audits and a bug bounty program—the Impermax V3 protocol suffered a complex flash loan exploit that manipulated the valuation of uncollected fees used as collateral. The attacker used a sequence of actions to inflate collateral value, borrow assets, and drain liquidity pools, resulting in estimated losses around $400,000. Impermax immediately advised users not to interact with V3 pools and implemented emergency controls such as bad debt rebalancing, debt ceilings, and support for safer oracles. The team plans to reimburse affected users based on a snapshot taken before the hack but has yet to specify timelines or exact amounts.[1][2][3][4][5][6][7][8]

About Impermax Finance

Impermax is a decentralized finance (DeFi) platform designed specifically for market makers, offering innovative solutions through a lending protocol that allows users to borrow against their liquidity provider (LP) positions. The platform aims to provide users with a balanced risk/reward experience and the ability to optimize their investment profiles. Key functionalities include earning protocol-based rewards through holding its native token, IBEX, and enabling users to lend tokens for low-risk yield opportunities.

Security is a top priority for Impermax, with its code audited by BailSec and Guardian Audit. It also features a $100,000 bug bounty program hosted by Hacken Proof to incentivize ongoing security improvements. The platform has already seen significant adoption, reaching a total value locked (TVL) of $250 million across various entities utilizing its codebase. Its code is protected under a Business Source License, particularly for its third version, Impermax V3.

Impermax positions itself as a driver of innovation in the DeFi space by introducing the first permissionless protocol that allows users to leverage LPs. The platform encourages community involvement through its Discord channel and provides extensive educational resources via documentation, FAQs, and a blog. Users can stake IBEX, explore its features, and engage with the ecosystem through the official app and social media channels.

The Reality

The Impermax Finance V3 protocol unfortunately contained a collateral valuation flaw that enabled a complex price manipulation exploit.

What Happened

On April 28, 2025, Impermax Finance disclosed a critical exploit in its V3 protocol that led to the theft of approximately $300,000, with an additional $300,000–$350,000 still at risk.

Key Event Timeline - Impermax Finance V3 Flash Loan Fee Valuation Flaw Exploited

Date | Event | Description
January 20th, 2025 3:21:56 AM MST | Impermax Launches Impermax V3 | Impermax announces the launch of V3, a major milestone after two years of development, positioning it as the most advanced leveraged yield farming protocol to date. Building on the strong and proven foundation of Impermax V2, the new version introduces significant innovations while preserving the simplicity and security of its predecessor. The standout advancement is its universal compatibility, allowing users to engage in leveraged yield farming across nearly any decentralized exchange (DEX) or automated liquidity manager (ALM), including Uniswap V2/V3/V4, Aerodrome, Algebra, Curve, and Balancer.
April 26th, 2025 4:43:45 AM MDT | TenArmorAlert Transaction | One of the attack transactions reported by TenArmorAlert, which appears to be the first successful attack transaction.
April 26th, 2025 5:19:00 AM MDT | TenArmorAlert Tweet | TenArmorAlert posts a tweet warning about the exploit. At this point, they report the loss amount as $152.2k so far.
April 26th, 2025 6:20:00 AM MDT | Impermax Detects Exploit Happening | Impermax reportedly detects the exploit draining the V3 liquidity pools and announces it via Twitter/X. Users are advised not to interact with any V3 liquidity pools.
April 26th, 2025 9:49:17 AM MDT | Example Exploit Transaction | One of the exploit transactions as provided by Impermax in their post-mortem.
April 28th, 2025 12:26:06 AM MDT | Impermax Publishes Post-Mortem | Impermax publishes a post-mortem, emphasizing that users should not repay or close their positions until the issue is resolved, as doing so could make more capital vulnerable. The team promised that recovered funds would be redistributed to lenders based on a snapshot taken just before the attack.

Technical Details

The exploit took advantage of how Impermax V3 calculated collateral using uncollected fees, which were valued too generously relative to compounded fees. The attacker executed the following steps:

1) Took a large flash loan via Balancer.

2) Created a position on a Uniswap V3 pool with low liquidity to maximize control.

3) Manipulated the price (tick) to skew the position's balance.

4) Performed dozens of swaps to generate excessive uncollected fees, mostly on one side of the pool.

5) Used these inflated uncollected fees as collateral to borrow funds.

6) Auto-compounded the fees back into the position at an incorrect tick, reducing its true value.

7) Reset the tick to extract the misvalued collateral.

8) Closed the position using restructureBadDebt, effectively diluting lender assets.

The attacker was able to repeat this process to siphon off all available liquidity and ensure they could extract funds before legitimate lenders, creating ongoing risk in the protocol until full remediation occurs. The root cause was misaligned valuation logic between the two forms of collateral (uncollected fees versus fees compounded into the position), which enabled this abuse of the system's internal safety margins.
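To make the valuation mismatch concrete, here is an added Python model (not Impermax's Solidity, and not taken from the post-mortem). It assumes a single-range Uniswap V3-style position, an oracle reference price, and frictionless compounding at the pool's current price, and compares crediting uncollected fees at face value with crediting them at what they are worth once compounded at a skewed tick.

```python
import math

# Added illustration, not Impermax's Solidity: a single-range, Uniswap V3-style
# LP position used as collateral, marked at an oracle price `ref`, with
# frictionless compounding of fees at the pool's current price `pool`.

def position_amounts(liq, price, pa, pb):
    """Token0/token1 held by liquidity `liq` in range [pa, pb] at `price` (token1 per token0)."""
    sp, sa, sb = math.sqrt(price), math.sqrt(pa), math.sqrt(pb)
    if sp <= sa:                       # below range: all token0
        return liq * (1 / sa - 1 / sb), 0.0
    if sp >= sb:                       # above range: all token1
        return 0.0, liq * (sb - sa)
    return liq * (1 / sp - 1 / sb), liq * (sp - sa)

def value_in_token1(amount0, amount1, price):
    return amount0 * price + amount1

def liquidity_value(liq, price, pa, pb):
    """Mark `liq` units of liquidity at `price`, in token1 units."""
    return value_in_token1(*position_amounts(liq, price, pa, pb), price)

def naive_collateral(liq, fee0, fee1, pa, pb, ref):
    """Flawed pattern: position at the oracle price plus uncollected fees at face value."""
    return liquidity_value(liq, ref, pa, pb) + value_in_token1(fee0, fee1, ref)

def compounded_collateral(liq, fee0, fee1, pa, pb, pool, ref):
    """Fees compounded at the pool's (possibly manipulated) tick, then marked at the oracle price."""
    liq_added = value_in_token1(fee0, fee1, pool) / liquidity_value(1.0, pool, pa, pb)
    return liquidity_value(liq + liq_added, ref, pa, pb)

def safe_collateral(liq, fee0, fee1, pa, pb, pool, ref):
    """Hardened pattern: credit fees at no more than their post-compounding value."""
    return min(naive_collateral(liq, fee0, fee1, pa, pb, ref),
               compounded_collateral(liq, fee0, fee1, pa, pb, pool, ref))

def max_borrow(collateral_value, ltv=0.75):
    return collateral_value * ltv

def demo():
    pa, pb, ref = 0.5, 2.0, 1.0
    liq, fee0, fee1 = 1000.0, 100.0, 0.0   # constructed: fees accrued on one side only
    pool = 0.55                            # pool tick pushed away from the oracle price
    naive = naive_collateral(liq, fee0, fee1, pa, pb, ref)
    after = compounded_collateral(liq, fee0, fee1, pa, pb, pool, ref)
    safe = safe_collateral(liq, fee0, fee1, pa, pb, pool, ref)
    return {"naive": naive, "after_compounding": after,
            "overcredited_borrow": max_borrow(naive) - max_borrow(safe)}
```

With the pool tick at the oracle price the two valuations agree, so the hardened check costs honest borrowers nothing; the gap only opens when the tick is skewed, which is exactly the window the attack sequence above depends on.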

Total Amount Lost

As of April 28th, Impermax found that $300k had been lost and estimated that the total loss would be around $400k. SlowMist reports the loss as $152,200, which appears to stem from a preliminary report by TenArmorAlert.

The total amount lost has been estimated at $300,000 USD.

Immediate Reactions

While acknowledging the severity of the incident, Impermax noted that the scale of losses ($400,000 total estimated) was modest compared to major DeFi hacks. Despite the setback, Impermax affirmed its commitment to rebuilding and securing the platform.

SlowMist: "Impermax was attacked on the Base network. In a tweet, Impermax stated that someone launched a flash loan attack and drained its V3 liquidity pools. The team is currently investigating and advises users not to interact with any V3 pools."

Ultimate Outcome

Following the flash loan attack on Impermax V3, the team has initiated a recovery plan. They are working to stabilize the situation and plan to reimburse affected lenders based on a snapshot taken before the exploit. The reimbursement details, including proportions and timelines, are yet to be determined. The team remains committed to addressing the issue and restoring confidence in the protocol.

Following the flash loan exploit on April 26, 2025, which drained approximately $152,000 from Impermax's V3 liquidity pools on the Base network, the team initiated a comprehensive recovery plan. They advised users to refrain from interacting with any V3 pools until further notice. The exploit was attributed to a discrepancy in the valuation of uncollected fees used as collateral, which the attacker exploited through a series of strategic actions, including creating a position with inflated uncollected fees and leveraging them to borrow assets.

In response, Impermax implemented a bad debt rebalancing system to prevent underwater positions by socializing the bad debt across borrowable pools. They also introduced debt ceilings as an additional risk-mitigation feature and began supporting custom oracles, including Chainlink and TWAP, to enhance safety. The team emphasized their commitment to stabilizing the situation and reimbursing affected users based on a snapshot taken prior to the exploit. While the final loss was estimated to be around $400,000, the team expressed determination to recover and strengthen the protocol moving forward.

The team emphasized resilience and continuity, stating they would not abandon the project and expressing confidence in their ability to return stronger after addressing the incident. This phased approach—immediate containment, followed by assessment and eventual compensation—reflects Impermax's intent to preserve user trust and long-term viability despite the $300K–$400K loss.

Total Amount Recovered

Following the Impermax V3 exploit, the Impermax team committed to a recovery plan aimed at compensating affected users. The primary strategy involved taking a snapshot of user balances immediately before the attack, which would serve as the basis for distributing recovered or replacement funds. Users were explicitly advised not to close or reduce their borrowing positions to avoid triggering the release of vulnerable capital while the situation was being contained.

Although the team did not provide a precise timeline or percentage for reimbursements, they assured the community that their top priority was to stabilize the protocol and minimize further losses. Once the exploit had been addressed and potential additional threats mitigated, they planned to focus on determining fair and feasible reimbursement mechanisms based on the snapshot.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Impermax has advised borrowers not to repay or close positions until remediation is complete, as doing so may release additional at-risk capital. The team is actively working to stabilize the situation, pledging to eventually distribute recovered funds to affected lenders based on a pre-hack snapshot. While this is a significant setback, Impermax emphasized its resolve to recover and improve, characterizing the estimated $400,000 total loss as manageable within the broader context of DeFi security challenges.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References