DeFi platform hacks itself to safeguard users’ funds
The developers of Primitive, an Ethereum-based decentralized finance (DeFi) permissionless options protocol, “whitehacked” their own platform after a severe exploit was discovered today.
“EMERGENCY ALERT @PrimitiveFi has whitehacked our contracts to safeguard user funds after a critical vulnerability was discovered. Further user action is required to safeguard funds,” Primitive tweeted today.
EMERGENCY ALERT @PrimitiveFi has whitehacked our contracts to safeguard user funds after a critical vulnerability was discovered.
Further user action is required to safeguard funds
– Go to https://t.co/RC59l95Fui
– Reset all vulnerable approvals
— Primitive (@PrimitiveFi) February 22, 2021
Per the blog post, a critical exploit was discovered in some of Primitive’s smart contracts that enabled “infinite approvals.” Thus, all users who gave the vulnerable contract permission to spend their tokens were at risk of losing their funds.
Since there was no way to upgrade or pause these contracts, the developers resorted to hacking their own platform.
“Although we have recused (sic) 98% of the funds, TOKENS IN WALLET which have approved the vulnerable contract are STILL AT RISK, [the reset link] will safeguard funds by setting each of your token approvals to 0,” wrote the developers, adding, “A post-mortem and next steps to reclaim funds are coming soon.”
However, those users who allowed the faulty smart contracts to spend their assets can still lose the tokens that are held in their wallets, the developers stressed. To safeguard them, the affected users need to reset approvals on their tokens via a special page.
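As an added illustration (not Primitive's code and not part of the original article), the Python sketch below replays ERC-20 Approval logs to find tokens whose allowance to a given spender is still non-zero, then builds the approve(spender, 0) calldata that resets it. All addresses and log entries are constructed placeholders; the vulnerable contract's real address is not given in this article.

```python
# Added illustration: every address and log entry here is constructed.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
# topic0 of ERC-20 Approval logs: keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the value an "infinite" approval sets

WALLET = "0x" + "aa" * 20      # placeholder token owner
VULNERABLE = "0x" + "bb" * 20  # placeholder for the vulnerable spender contract
OTHER = "0x" + "cc" * 20       # placeholder unrelated spender
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + c * 40 for c in "123")  # placeholder tokens

def pad32(addr):
    """ABI-encode an address as a left-padded 32-byte hex word (no 0x)."""
    return addr[2:].lower().rjust(64, "0")

def make_log(token, owner, spender, value):
    """Build a constructed Approval log shaped like an eth_getLogs result."""
    topics = [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)]
    return {"address": token, "topics": topics, "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [  # constructed, in block order
    make_log(TOKEN_A, WALLET, VULNERABLE, MAX_UINT256),  # infinite approval
    make_log(TOKEN_B, WALLET, VULNERABLE, 500),
    make_log(TOKEN_B, WALLET, VULNERABLE, 0),            # already reset
    make_log(TOKEN_C, WALLET, OTHER, MAX_UINT256),       # different spender
]

def outstanding_allowances(logs, owner, spender):
    """Return {token: last approved amount} where that amount is non-zero.

    Spending can lower an allowance without a new log, so treat the result
    as candidates and confirm each with the token's allowance() view call.
    """
    want = ["0x" + pad32(owner), "0x" + pad32(spender)]
    latest = {}
    for entry in logs:
        topics = entry["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC or topics[1:] != want:
            continue
        latest[entry["address"]] = int(entry["data"], 16)
    return {token: amount for token, amount in latest.items() if amount > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent to each token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + "0" * 64
```

The calldata is the same for every token; only the transaction's destination (the token contract) changes.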
At press time, no actual losses of funds to malicious actors using the exploit have been reported.
Primitive allows users to earn yields by providing their DAI, ETH, and other DeFi tokens as collateral for options markets. The yield itself comes from trading fees on DeFi market maker platform SushiSwap.
“The protocol is used to create smart contracts with an immutable set of parameters that define the rules of the option. Any two ERC-20 tokens can be chosen to be the underlying (the asset being purchased) or the quote (the token used to pay the strike price),” Primitive’s developers explained.
As CryptoSlate reported, the booming DeFi sector had its fair share of various exploits and hacks over the last few months. Last November, for example, an attack on a price oracle caused $100 million worth of liquidations on decentralized loans platform Compound.