Impermax Finance Private Key Compromise Token Theft
Impermax Finance is a decentralized lending protocol designed for market makers to borrow against their liquidity provider (LP) positions, offering balanced risk/reward opportunities and protocol rewards via its native token, IBEX. Despite rigorous security measures, including audits and a bug bounty program, a hacker was still able to compromise the private keys of team wallets, stealing around 9 million IMX tokens and significant protocol liquidity. Impermax responded swiftly by frontrunning the hacker’s potential sell-off to protect liquidity providers and initiated a comprehensive recovery plan involving a token swap from IMX to IBEX, distributing new tokens based on a pre-incident snapshot. Liquidity providers received both IBEX and ETH refunds, with unclaimed tokens burned to reduce supply. While most users were compensated and the protocol remained secure, some manual claims and community governance improvements remained ongoing to fully restore and strengthen the ecosystem.[1][2][3][4][5][6][7][8][9][10][11][12]
About Impermax Finance
Impermax is a decentralized finance (DeFi) platform designed specifically for market makers, offering innovative solutions through a lending protocol that allows users to borrow against their liquidity provider (LP) positions. The platform aims to provide users with a balanced risk/reward experience and the ability to optimize their investment profiles. Key functionalities include earning protocol-based rewards through holding its native token, IBEX, and enabling users to lend tokens for low-risk yield opportunities.
Security is a top priority for Impermax, with its code audited by BailSec and Guardian Audit. It also features a $100,000 bug bounty program hosted by Hacken Proof to incentivize ongoing security improvements. The platform has already seen significant adoption, reaching a total value locked (TVL) of $250 million across various entities utilizing its codebase. Its code is protected under a Business Source License, particularly for its third version, Impermax V3.
Impermax positions itself as a driver of innovation in the DeFi space by introducing the first permissionless protocol that allows users to leverage LPs. The platform encourages community involvement through its Discord channel and provides extensive educational resources via documentation, FAQs, and a blog. Users can stake IBEX, explore its features, and engage with the ecosystem through the official app and social media channels.
The Reality
It would appear that there was a critical weakness in how Impermax Finance managed the private keys of its team wallets, rather than a flaw in the protocol's smart contracts.
What Happened
A hacker stole private keys to Impermax team wallets, resulting in the theft of around 9 million IMX tokens and most of the protocol-owned liquidity.
| Date | Event | Description |
|---|---|---|
| July 16th, 2022 10:56:37 AM MDT | Original Exploit Transaction | The time of one of the theft transactions. |
| July 16th, 2022 3:16:00 PM MDT | Theft Announcement Tweet | Impermax Finance announces that the hacker has been able to steal a large amount of $IMX. Users are advised not to interact with the protocol for the time being. Users are also advised that the protocol funds are safe. |
| July 16th, 2022 6:27:30 PM MDT | Postmortem and Recovery Plan | Impermax Finance publishes a post-mortem and recovery plan. They report that the protocol itself remains secure and unaffected, as the exploit stemmed from stolen keys rather than a smart contract vulnerability. To minimize damage, Impermax preemptively sold a large number of IMX tokens to protect liquidity providers (LPs) and recover some funds. They advise users not to trade IMX and ask LPs to withdraw liquidity until further notice. As part of the recovery, Impermax will initiate a token swap based on a snapshot taken before the incident, ensuring all previous IMX holders are compensated. The team views this as a chance to rebuild stronger, with improvements to tokenomics and governance underway through community collaboration. |
| July 17th, 2022 7:59:48 AM MDT | IMX Tokens Moved Further | The IMX tokens on the Polygon blockchain are moved/swapped by the attacker. |
| September 5th, 2022 7:08:00 AM MDT | Relaunch Allocations Announced | The Impermax team announces that they have put together allocations after a whole month of blockchain analysis to determine who lost what. Many users who believe that they held IMX tokens respond that they are not being considered on the list. |
| September 28th, 2022 2:11:00 PM MDT | Launch Date Announced | Impermax Finance announces that the launch date has been set for $IBEX. |
Technical Details
A hacker stole approximately 9 million IMX tokens by compromising private keys of team-controlled wallets.
One exploit transaction on Polygon: 0xba85de347aee0c628d63926c28e535612157f8fb775f4233f56118b184c668e9
Total Amount Lost
A hacker stole approximately 9 million IMX tokens by compromising private keys of team-controlled wallets.
The total amount lost is unknown.
Immediate Reactions
In response to the security breach, Impermax Finance acted swiftly to mitigate damage and protect its users. Upon discovering that a hacker had stolen the private keys to several team-controlled wallets and made off with around 9 million IMX tokens, the team immediately attempted to transfer assets out of the affected wallets. Although the hacker succeeded in stealing a substantial amount of IMX and protocol-owned liquidity, Impermax’s quick detection and reaction prevented further losses.
One of the most critical steps Impermax took was a strategic move to frontrun the hacker. Realizing that a mass sale of the stolen tokens could crash IMX’s price and severely harm liquidity providers (LPs), the team proactively sold a large portion of their own tokens first. This maneuver not only preserved some market value but also allowed them to recover part of the funds from the hacker’s liquidity. These recovered funds are earmarked for refunding LPs in the coming weeks.
Importantly, Impermax reassured its community that the core lending protocol remains safe and fully operational, emphasizing that the attack resulted from compromised keys, not a smart contract flaw. To address the compromised IMX token, the team proposed a recovery plan involving a token swap. A snapshot taken before the attack will be used to fairly distribute a new token to previous IMX holders, including those who were staking, lending, or providing liquidity at the time. Impermax is using this opportunity not just to recover but to improve its ecosystem, with open community discussions about enhancing tokenomics and future governance mechanisms.
Ultimate Outcome
Impermax Finance successfully executed a recovery plan that included a token swap from IMX to a new token, IBEX, and refunded affected users. Users who held, lent, or staked IMX before the incident received IBEX on a 1:1 basis, while liquidity providers were additionally compensated with ETH refunds for their lost liquidity. A total of 87.25 million IBEX became the new effective supply after unclaimed tokens were burned.
Following the July IMX incident, Impermax Finance initiated a comprehensive recovery plan aimed at fully compensating affected users. The core of this plan was a token swap, replacing the compromised IMX token with a new token, IBEX, distributed based on a snapshot taken just before the attack. Users who were holding, staking, lending, or had pending rewards in IMX at that time received IBEX at a 1:1 ratio. Additionally, the team accounted for purchases made shortly after the snapshot but before the public announcement of the hack.
Liquidity providers (LPs), who were among the most impacted, received both IBEX and ETH refunds. The IBEX distribution matched the IMX amounts they had provided, while ETH refunds compensated for the ETH (or ETH-equivalent) liquidity they had exposed. The refund calculations were based on net balances and capped to each LP’s actual equity, ensuring fair and accurate compensation.
In total, Impermax allocated 100 million IBEX tokens, split across liquid, vested, manual transfer, and burnt categories. Of this, 51.75M IBEX were immediately claimable, 34.78M were converted into vested tokens, 0.72M were manually distributed, and 12.75M were burned, reducing the effective supply to 87.25M. The project also refunded 23.81 ETH to LPs and used 33.07 ETH to seed IBEX’s initial liquidity. Ultimately, Impermax’s actions reflect a structured effort to restore user trust and ensure that no one affected by the hack was left behind.
Total Amount Recovered
Although some manual claims and community discussions are still ongoing, the majority of affected users were made whole, and the protocol itself remained secure and fully functional.
Affected users were largely made whole through a well-structured compensation plan implemented by Impermax Finance. Following the IMX security breach, the team introduced a new token, IBEX, to replace the compromised IMX. A snapshot was taken just before the incident, and users who held, staked, lent, or had pending rewards in IMX at that time received IBEX at a 1:1 ratio. This ensured that the majority of users retained the value of their holdings. The airdrop was executed via a MerkleDistributor contract, allowing eligible users to claim their new tokens transparently.
Liquidity providers (LPs), who experienced the most significant losses—both in IMX and in the ETH or other assets they had supplied—were also compensated. IBEX was distributed to match the IMX they had provided as liquidity, while ETH refunds were calculated based on their net exposure at the time of the snapshot. This included a detailed assessment of provided assets and any associated debt. Impermax used a portion of the recovered ETH from the hacker to fund these refunds, and also allocated additional ETH to provide initial liquidity for IBEX trading.
While no recovery plan is perfect, the measures taken by Impermax covered most impacted users comprehensively. Even unclaimed IMX tokens were accounted for—burned to reduce the total supply of IBEX and maintain its value. Although some users reported confusion or issues around the claim process, and manual intervention was needed in a few cases, the majority of users were effectively restored to their pre-incident positions. Overall, Impermax’s response successfully upheld its goal of making users whole and rebuilding trust within its community.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
There is an ongoing manual distribution of IBEX tokens and ETH refunds for certain users, particularly those with more complex wallet setups or unresolved claims. Additionally, community governance discussions and updates to tokenomics—such as improvements in farming rewards, cross-chain compatibility, and broader ecosystem development—are still in progress. Ongoing user support and communication are also necessary, as some users continue to seek clarity or assistance with their allocations.
Several parts of the Impermax Finance IMX incident remain ongoing despite the completion of the primary recovery efforts. One key area is the token claim process for certain users. While the IBEX airdrop was distributed through a MerkleDistributor contract for most users, those with tokens held in smart contracts or less common wallet types may still require manual transfers. Some affected users also reported that they had not received their IBEX tokens, either due to missing the snapshot or being unaware of the claim process. These cases indicate that some users’ situations remain unresolved and may require continued support or additional claim opportunities.
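How a snapshot-based Merkle claim of the kind described above is checked, as an added example that is not Impermax's contract code: the distributor stores only a Merkle root of the snapshot, and each claim must prove its (index, account, amount) entry against that root. The addresses and balances are constructed, the leaf encoding is an assumption, and `sha3_256` stands in for the keccak256 used on-chain.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in hash: on-chain distributors use keccak256, which hashlib lacks.
    return hashlib.sha3_256(data).digest()

def leaf(index: int, account: str, amount: int) -> bytes:
    # Assumed leaf encoding: 32-byte index, 20-byte address, 32-byte amount.
    return h(index.to_bytes(32, "big") + bytes.fromhex(account[2:])
             + amount.to_bytes(32, "big"))

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so a proof needs no left/right flags.
    return h(min(a, b) + max(a, b))

def build_levels(leaves):
    # Bottom-up tree; an unpaired node is promoted unchanged.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, i):
    # Collect the sibling hash at each level on the path from leaf i to the root.
    proof = []
    for level in levels[:-1]:
        if (i ^ 1) < len(level):
            proof.append(level[i ^ 1])
        i //= 2
    return proof

class Distributor:
    """Off-chain model of the claim check; stores only the root and claimed set."""
    def __init__(self, root):
        self.root, self.claimed = root, set()

    def claim(self, index, account, amount, proof):
        node = leaf(index, account, amount)
        for sibling in proof:
            node = pair(node, sibling)
        if node != self.root or index in self.claimed:
            return False  # not in the snapshot, wrong amount, or already claimed
        self.claimed.add(index)
        return True

# Constructed snapshot: (address, balance in 18-decimal base units), not real data.
SNAPSHOT = [("0x" + "a1" * 20, 1500 * 10**18), ("0x" + "b2" * 20, 42 * 10**18),
            ("0x" + "c3" * 20, 7 * 10**18)]
LEVELS = build_levels([leaf(i, a, amt) for i, (a, amt) in enumerate(SNAPSHOT)])
ROOT = LEVELS[-1][0]
```

An address that was not in the snapshot has no leaf under the root and so cannot produce a valid proof, which is why such cases fall outside the automated claim path.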
Another ongoing aspect involves the full distribution of ETH refunds to liquidity providers. Although a portion of the recovered ETH was already used to repay bad debt and begin the refund process, additional ETH was allocated to compensate LPs and leveraged LPs for their exposure. The distribution of these funds depends on precise on-chain calculations, and ensuring all eligible users receive the correct amount may still be in progress or dependent on further actions from recipients.
Beyond the immediate recovery, Impermax is also continuing its governance and tokenomics overhaul. The shift to IBEX was not just a remedy for the hack, but also a chance to address previous issues in the ecosystem, such as farming reward structures, cross-chain support, and ticker-related updates. These initiatives are being discussed with the community, particularly in the project's Discord, and are part of an ongoing process to improve the platform’s foundation and resilience moving forward.
Lastly, user communication and support remain essential ongoing needs. Some users expressed confusion or frustration after the incident, particularly regarding eligibility for the IBEX airdrop or the state of their IMX holdings. Impermax must continue to provide clear information and responsive support to ensure that all affected users are either made whole or understand why they may not be eligible. This continued engagement is critical to restoring trust and ensuring long-term community stability.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Impermax Finance - "Following an incident a hacker was able to steal a large amount of $IMX. DON'T BUY OR SELL $IMX (Impermax)! PROTOCOL USERS' FUNDS ARE SAFE. Impermax protocol wasn't affected in any way by this incident and keeps working as usual. If you're a $IMX liquidity provider we strongly advise you to withdraw your $IMX liquidity from the market to avoid losses. We will follow up in a couple hours with an announcement explaining what's happening in detail and a recovery plan." - Twitter/X (Accessed May 26, 2025)
2. Impermax Finance - "An update on what exactly happened and our plan moving forward." - Twitter/X (Accessed May 26, 2025)
3. Impermax Finance - "The date is set $IBEX launch will be on September 30th at 12pm UTC For more info read the full announcement" - Twitter/X (Accessed May 26, 2025)
4. Impermax Finance - "After a month of on-chain analysis we are finally ready to share the allocations for our upcoming $IBEX launch!" - Twitter/X (Accessed May 26, 2025)
5. Impermax Finance Homepage (Accessed May 26, 2025)
6. IMX incident: post mortem and recovery plan - Impermax Finance Medium (Accessed May 26, 2025)
7. The Power of Indirect Liquidity Providing - Impermax Finance Medium (Accessed May 26, 2025)
8. IMX Incident: Refund Allocations - Impermax Finance Medium (Accessed May 26, 2025)
9. Detailed Impermax Finance Crypto app Review by DeFi Teller (Accessed May 27, 2025)
10. Original Transaction At Exploit Time - PolygonScan (Accessed May 27, 2025)
11. Transaction Moving The IMX Tokens - PolygonScan (Accessed May 27, 2025)
12. Term Finance Recovers $1 Million After Oracle Error Causes $1.6 Million ETH Loss - Bitcoin Ethereum News (Accessed May 27, 2025)