The decentralized finance (DeFi) space has been plagued by hackers and malicious actors since its inception. Several security incidents over the last few years have brought into question whether DeFi is safe to use at all, and popular protocols have had to take drastic measures to address exploits. One such project, Primitive Finance, had to hack its own smart contract after an exploit was discovered.
According to reports, a critical vulnerability was discovered in the smart contracts of Primitive Finance, a decentralized options derivatives protocol, on February 22. Since the affected contracts could not be upgraded or paused, the team went on to “whitehack” their own smart contracts in a bid to safeguard user funds. The team stated they were able to secure a majority of the funds, but some users might still have to take action.
“Although we have rescued 98% of the funds, TOKENS IN WALLET which have approved the vulnerable contract are STILL AT RISK, https://app.primitive.finance/reset will safeguard funds by setting each of your token approvals to 0.”
In a blog post, the Primitive Finance team stated that the vulnerability is related to ‘infinite approvals’ on one of the protocol’s smart contracts. The team adds that manually resetting approvals back to zero will safeguard any assets, but anyone who has used this contract to approve token spending and has not reset that approval remains at risk. Thanks to the team’s quick response, the vulnerability had not been exploited by an attacker at the time of writing.
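To make the ‘infinite approvals’ risk concrete, the following is an added example (not code from Primitive Finance or from this article) that models ERC-20 allowance semantics in memory. It shows why a standing unlimited approval lets a flawed spender contract move a wallet's entire balance, and why the mitigation the team recommends, setting each approval back to 0, removes that exposure. The token symbols, addresses and helper names (`Token`, `exposure`, `resetApprovals`, `runScenario`) are constructed for this example.

```javascript
// Added example: minimal in-memory model of ERC-20 approve/transferFrom.
// It is not Primitive Finance code; all names and values below are constructed.

const MAX_UINT256 = (1n << 256n) - 1n; // the value wallets send for an "infinite" approval

class Token {
  constructor(symbol) {
    this.symbol = symbol;
    this.balances = new Map();   // owner -> bigint
    this.allowances = new Map(); // `${owner}:${spender}` -> bigint
  }
  mint(owner, amount) {
    this.balances.set(owner, this.balanceOf(owner) + amount);
  }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }

  // ERC-20 approve: owner authorises `spender` to move up to `amount` of its tokens.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, amount);
    return true;
  }

  // ERC-20 transferFrom: the token only checks allowance and balance. It has no
  // way to know whether the spender contract is behaving as intended.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${caller}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// Defender-side check: how much of `owner`'s balance could `spender` move right now?
// Exposure per token is min(allowance, balance).
function exposure(tokens, owner, spender) {
  const out = {};
  for (const t of tokens) {
    const a = t.allowance(owner, spender);
    const b = t.balanceOf(owner);
    out[t.symbol] = a < b ? a : b;
  }
  return out;
}

// The mitigation described in the article: set every approval to the spender to 0.
function resetApprovals(tokens, owner, spender) {
  for (const t of tokens) t.approve(owner, spender, 0n);
  return exposure(tokens, owner, spender);
}

// Constructed scenario: a user holding DAI and WETH who once granted a protocol
// contract an unlimited approval for both, so the protocol never had to ask again.
function setup() {
  const dai = new Token('DAI');
  const weth = new Token('WETH');
  const user = '0xuser';             // constructed placeholder addresses
  const vulnerable = '0xvulnerable';
  dai.mint(user, 5000n * 10n ** 18n);
  weth.mint(user, 2n * 10n ** 18n);
  dai.approve(user, vulnerable, MAX_UINT256);
  weth.approve(user, vulnerable, MAX_UINT256);
  return { tokens: [dai, weth], user, vulnerable };
}

// Simulates what a flaw in the spender contract would permit: a transferFrom of
// the user's whole balance. Returns true if the token contract let it through.
function drainSucceeds(tokens, user, spender) {
  try {
    for (const t of tokens) t.transferFrom(spender, user, '0xelsewhere', t.balanceOf(user));
    return true;
  } catch (e) {
    return false;
  }
}

function runScenario() {
  const a = setup();
  const exposureBefore = exposure(a.tokens, a.user, a.vulnerable);
  const drainedWithInfiniteApproval = drainSucceeds(a.tokens, a.user, a.vulnerable);

  const b = setup();
  const exposureAfterReset = resetApprovals(b.tokens, b.user, b.vulnerable);
  const drainBlockedAfterReset = !drainSucceeds(b.tokens, b.user, b.vulnerable);

  return { exposureBefore, drainedWithInfiniteApproval, exposureAfterReset, drainBlockedAfterReset };
}

console.log(runScenario());
```

The point of `exposure` is that an unlimited allowance is only as safe as the contract holding it: the token contract enforces the allowance, not the spender's intent. The same check, run against real allowances via an RPC node, is what approval-revocation tools perform before offering an `approve(spender, 0)` transaction.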
Primitive Finance is a permissionless options protocol developed on the Ethereum blockchain. Through it, liquidity providers are able to earn a yield on DAI, ETH, or DeFi tokens by providing collateral to the options markets. The yield is earned via trading fees generated on the automated market maker SushiSwap.
“The protocol is used to create smart contracts with an immutable set of parameters that define the rules of the option. Any two ERC-20 tokens can be chosen to be the underlying (the asset being purchased) or the quote (the token used to pay the strike price).”
The DeFi problem
The report comes days after attackers leveraged Cream’s Iron Bank protocol-to-protocol lending platform to fake a smart contract and steal $37 million worth of funds from Alpha Homora. The “fake spell/contract” exploit was quite similar to last year’s “evil jar” attack on Pickle Finance, where attackers exploited one of its smart contracts and stole $20 million in funds.