A few hours ago, on Monday, Feb. 22, a critical vulnerability was discovered in Primitive Finance’s smart contracts. Because the contracts could not be upgraded or suspended, the team decided to “whitehack” its own smart contracts to safeguard user funds.
The team stated that the majority of funds have been secured, though users still need to take action because some funds could remain at risk.
“Although we have rescued 98% of the funds, TOKENS IN WALLET which have approved the vulnerable contract are STILL AT RISK.”
🚨 EMERGENCY ALERT🚨 @PrimitiveFi has whitehacked our contracts to safeguard user funds after a critical vulnerability was discovered.
Further user action is required to safeguard funds 👇
– Go to https://t.co/RC59l95Fui
– Reset all vulnerable approvals
— Primitive (@PrimitiveFi) February 22, 2021
Infinite Approvals Exploit
The blog post stated that the vulnerability relates to ‘infinite approvals’ that were granted to one of the protocol’s smart contracts. It added that manually resetting those approvals back to zero will safeguard any assets, and that anyone who has used this contract to approve token spending could still be at risk.
At the time of writing, the vulnerability had not been exploited by malicious actors and funds had not been stolen due to the swift reaction of the Primitive Finance team.
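To make the exposure described above concrete, here is an added example (not Primitive’s or this article’s code) that bounds what a spender holding an unbounded ERC-20 allowance can pull from a wallet and builds the `approve(spender, 0)` calldata a user sends to the token contract to reset it. The spender address, wallet balances and allowances are constructed placeholders; the function selector is the standard ERC-20 `approve(address,uint256)` one.

```javascript
// Added example, not Primitive's code. Models "infinite approval" exposure and
// builds the calldata for resetting an ERC-20 allowance to zero. Requires BigInt
// support (Node 10.4+). All addresses and amounts below are constructed.
const UINT256_MAX = (1n << 256n) - 1n;

// Standard ERC-20 selector: first 4 bytes of keccak256("approve(address,uint256)").
const SELECTOR_APPROVE = "095ea7b3";

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function pad32(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// ABI-encode approve(spender, amount): selector || address word || uint256 word.
// This calldata is sent to the *token* contract, not to the spender.
function encodeApprove(spender, amount) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error("bad address");
  if (amount < 0n || amount > UINT256_MAX) throw new Error("amount out of range");
  return "0x" + SELECTOR_APPROVE + pad32(spender) + pad32(amount.toString(16));
}

// What a vulnerable spender can pull right now is bounded by both the allowance
// and the wallet balance; an unbounded allowance additionally exposes every
// future deposit into the wallet until the allowance is reset.
function exposure(balance, allowance) {
  const atRisk = balance < allowance ? balance : allowance;
  return { atRisk, infinite: allowance === UINT256_MAX, needsReset: allowance > 0n };
}

// Constructed sample: wallets that approved the (placeholder) vulnerable spender.
const VULNERABLE_SPENDER = "0x000000000000000000000000000000000000dEaD"; // placeholder
const WEI = 10n ** 18n;
const wallets = [
  { owner: "wallet-A", balance: 500n * WEI, allowance: UINT256_MAX },
  { owner: "wallet-B", balance: 10n * WEI, allowance: 3n * WEI },
  { owner: "wallet-C", balance: 42n * WEI, allowance: 0n },
];

// For every wallet with a live allowance, report its exposure and the reset calldata.
function resetPlan(entries) {
  return entries
    .map((w) => ({ owner: w.owner, ...exposure(w.balance, w.allowance) }))
    .filter((w) => w.needsReset)
    .map((w) => ({ ...w, data: encodeApprove(VULNERABLE_SPENDER, 0n) }));
}

console.log(resetPlan(wallets)); // wallet-A (infinite, 500 tokens at risk) and wallet-B
```

Some tokens reject changing a non-zero allowance directly to another non-zero value, so resetting to zero first is the path that works everywhere.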
Primitive is a permissionless options protocol built on Ethereum. Liquidity providers can earn a yield on DAI, ETH, or DeFi tokens by providing collateral to option markets. The yield is earned through trading fees generated on the SushiSwap automated market maker.
“The protocol is used to create smart contracts with an immutable set of parameters that define the rules of the option. Any two ERC-20 tokens can be chosen to be the underlying (the asset being purchased) or the quote (the token used to pay the strike price).”
The protocol launched to mainnet in late December 2020. It was audited by OpenZeppelin in August of the same year, but code vulnerabilities appear to have slipped through the net.
DeFi TVL Returns to ATH
The total value locked across the entire DeFi sector has returned to its all-time high of a little over $50 billion, according to DappRadar. MakerDAO is the leading protocol with $6.7 billion, followed by Aave with $5.5 billion in collateral locked up.
Different analytics providers will report different figures, and DeFiPulse’s are often lower than elsewhere because it is selective over its listings and does not include all protocols. Its TVL figure is $41.6 billion, also very close to the all-time high.