$1 300 000 USD





"Primitive is an open source and non-custodial options protocol for any Ethereum asset." "Liquidity providers can earn yield on their DAI, ETH, or DeFi tokens through providing liquidity to the respective option markets." "Traders can swap their DAI, ETH, or DeFi tokens to the respective Primitive Option tokens, giving them leveraged exposure in either direction." "Option Writers can collateralize the options and sell them to earn upfront returns on their DAI, ETH, or DeFi tokens." "The platform went live in early May 2020, the first trial being with a pool trading an ETH Short Put strategy with a short-term expiry."


"A serious loophole has been discovered in the Primitive Finance smart contract on the Ethereum chain options agreement. Since the contract cannot be upgraded or suspended, the official chose to hack the smart contract to protect user funds. The hacked funds are safe. All hacked funds will be returned to their owners. The official said that the post-mortem analysis of the vulnerability, the timetable for actions taken to protect user funds, and the next step to immediately return user funds will be introduced soon."


"The reality was that Primitive Finance did have a gaping hole, a critical bug in its smart contract. Earlier on Friday, the Dedaub team, led by Yannis Smaragdakis and Neville Grech, had been poring through the code after their automated scanner flagged some lines."


"Yannis and Neville, both academic computer scientists by training, started investigating the warnings. By Saturday, it became clear that they had something real — a vulnerability that effectively allowed a malicious user to create a fake token and swap that token for a user’s real tokens, as detailed more extensively in the Primitive Finance technical postmortem."


"There were 88 potential victims, most with infinite approvals for important tokens, such as WETH or DAI, and with overall holdings of well over $10M. $1.3M of these funds were vulnerable at the same time, the rest only when/if converted to WETH, DAI, or other approved tokens." "The contract could not be upgraded or suspended so the team decided to “whitehack” its own smart contracts to safeguard user funds."


"According to the blog post, the exploit is connected to infinite approvals made on a smart contract deemed vulnerable." "[T]he exploit allowed for a potential attacker, through a complicated maneuver, to create a fake token and swap that fake token for users’ real tokens."


"The Primitive Connector contract code contains entry point flashMintShortOptionsThenSwap. This entry point allows the minting of option tokens. The entry point is not directly publicly callable: the downstream code checks that the external caller of the contract is the contract itself. In normal use, this condition is satisfied when the function is called by a generalized dispatcher, activated after a Uniswap v2 flash-swap operation."


"To reach this code with unrestricted arguments, an untrusted caller can ask for a Uniswap flash-swap with parameters much like the ones in the legitimate code, make it execute the Primitive Connector contract with the swapped funds, but supply the attacker’s parameters. The Primitive Connector code (uniswapV2Call) does not check the initiator of the flash-swap operation, only that the callback indeed comes from Uniswap."


"Although we have recused 98% of the funds, TOKENS IN WALLET which have approved the vulnerable contract are STILL AT RISK." "If you have used Primitive in the last three months since we launched mainnet, you may have an outstanding approval on a vulnerable contract. These approvals MUST be reset by you."


"In the aftermath, Primitive Finance awarded $10,000 to Emiliano for his invaluable efforts as war room leader, and $25,000 to the Dedaub team for finding the bug with their whitehat wizardry."


"ArmorFi CTO Robert Forster has awarded the Dedaub Team $250k $ARMOR tokens following the successful disclosure of a critical vulnerability in Primitive Finance to Immunefi. The award is part of the R Bounty program, now renamed the Founders Bounty, where Foster, working together with Immunefi, pledged that amount to anyone who discovered a flaw in any Ethereum dapp."


On April 15th, "[w]e are awarding @chiachih_wu a small bounty for notifying us of a vulnerable user related to the approval incident in February! A reminder for all users of Primitive is that if you used the protocol between December and February you must reset your approvals for the bad contract."

Primitive Finance was a smart contract options platform, which contained a vulnerability allowing an attacker to mint false tokens. This was discovered and preemptively exploited by the team themselves. All funds were then returned to users.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.