Primitive Finance White Hack
Revision as of 11:52, 17 February 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Primitive Finance was a smart contract options platform, which contained a vulnerability allowing an attacker to mint false tokens. This was discovered and preemptively exploited by the team themselves. All funds were then returned to users.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]
About Primitive Finance
"Primitive is an open source and non-custodial options protocol for any Ethereum asset." "Liquidity providers can earn yield on their DAI, ETH, or DeFi tokens through providing liquidity to the respective option markets." "Traders can swap their DAI, ETH, or DeFi tokens to the respective Primitive Option tokens, giving them leveraged exposure in either direction." "Option Writers can collateralize the options and sell them to earn upfront returns on their DAI, ETH, or DeFi tokens." "The platform went live in early May 2020, the first trial being with a pool trading an ETH Short Put strategy with a short-term expiry."
"A serious loophole has been discovered in the Primitive Finance smart contract on the Ethereum chain options agreement. Since the contract cannot be upgraded or suspended, the official chose to hack the smart contract to protect user funds. The hacked funds are safe. All hacked funds will be returned to their owners. The official said that the post-mortem analysis of the vulnerability, the timetable for actions taken to protect user funds, and the next step to immediately return user funds will be introduced soon."
"The reality was that Primitive Finance did have a gaping hole, a critical bug in its smart contract. Earlier on Friday, the Dedaub team, led by Yannis Smaragdakis and Neville Grech, had been poring through the code after their automated scanner flagged some lines."
"Yannis and Neville, both academic computer scientists by training, started investigating the warnings. By Saturday, it became clear that they had something real — a vulnerability that effectively allowed a malicious user to create a fake token and swap that token for a user’s real tokens, as detailed more extensively in the Primitive Finance technical postmortem."
"There were 88 potential victims, most with infinite approvals for important tokens, such as WETH or DAI, and with overall holdings of well over $10M. $1.3M of these funds were vulnerable at the same time, the rest only when/if converted to WETH, DAI, or other approved tokens." "The contract could not be upgraded or suspended so the team decided to “whitehack” its own smart contracts to safeguard user funds."
"According to the blog post, the exploit is connected to infinite approvals made on a smart contract deemed vulnerable." "[T]he exploit allowed for a potential attacker, through a complicated maneuver, to create a fake token and swap that fake token for users’ real tokens."
"The Primitive Connector contract code contains entry point flashMintShortOptionsThenSwap. This entry point allows the minting of option tokens. The entry point is not directly publicly callable: the downstream code checks that the external caller of the contract is the contract itself. In normal use, this condition is satisfied when the function is called by a generalized dispatcher, activated after a Uniswap v2 flash-swap operation."
"To reach this code with unrestricted arguments, an untrusted caller can ask for a Uniswap flash-swap with parameters much like the ones in the legitimate code, make it execute the Primitive Connector contract with the swapped funds, but supply the attacker’s parameters. The Primitive Connector code (uniswapV2Call) does not check the initiator of the flash-swap operation, only that the callback indeed comes from Uniswap."
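The two quotes above describe an authorization chain with a missing link: the callback verified that it came from Uniswap but not who started the flash swap, so the inner "caller must be this contract" guard was satisfied for anyone's parameters. As an added illustration (constructed for this page, not Primitive's or Uniswap's code), the hypothetical connector below shows the callback with all three checks a defender would expect; the names FlashSwapConnector, flashMintThenSwap, mintThenSwap and pendingPair are assumptions, while the Uniswap V2 interface signatures are the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal Uniswap V2 surface used below (real function signatures).
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(uint256 amount0Out, uint256 amount1Out, address to, bytes calldata data) external;
}

interface IUniswapV2Factory {
    function getPair(address tokenA, address tokenB) external view returns (address);
}

// Hypothetical connector, constructed for illustration; not Primitive's contract.
contract FlashSwapConnector {
    IUniswapV2Factory public immutable factory;
    address private pendingPair; // non-zero only while our own flash swap is in flight

    event OptionsMinted(address indexed user, uint256 amount);

    constructor(IUniswapV2Factory _factory) { factory = _factory; }

    // Legitimate entry: the connector itself starts the flash swap and builds the
    // callback payload, so the parameters never come from whoever triggers the callback.
    function flashMintThenSwap(IUniswapV2Pair pair, uint256 amount0Out, uint256 amount1Out, uint256 optionAmount) external {
        require(pendingPair == address(0), "flash swap already pending");
        pendingPair = address(pair);
        bytes memory data = abi.encodeWithSelector(this.mintThenSwap.selector, msg.sender, optionAmount);
        pair.swap(amount0Out, amount1Out, address(this), data);
        pendingPair = address(0);
    }

    // Flash-swap callback. The flawed pattern in the postmortem stopped after check 1.
    function uniswapV2Call(address sender, uint256, uint256, bytes calldata data) external {
        // 1. msg.sender is a genuine Uniswap pair (necessary, but not sufficient).
        address t0 = IUniswapV2Pair(msg.sender).token0();
        address t1 = IUniswapV2Pair(msg.sender).token1();
        require(msg.sender == factory.getPair(t0, t1), "not a Uniswap pair");
        // 2. `sender` is whoever called pair.swap; it must be this contract, not an outsider.
        require(sender == address(this), "flash swap not initiated by connector");
        // 3. It is the one swap this contract started in this transaction.
        require(msg.sender == pendingPair, "unexpected pair");
        (bool ok, ) = address(this).call(data); // dispatch the payload we built ourselves
        require(ok, "inner call failed");
    }

    // Guarded entry point: reachable only through the callback above.
    function mintThenSwap(address user, uint256 optionAmount) external {
        require(msg.sender == address(this), "caller must be connector");
        // Option minting, the swap and repayment of the flash swap would follow here.
        emit OptionsMinted(user, optionAmount);
    }
}
```

Without check 2, a call to pair.swap made directly by any address would reach uniswapV2Call with a genuine pair as msg.sender, and the self-call dispatch would then satisfy the guard in mintThenSwap for arbitrary data, which is the condition the postmortem describes.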
"Although we have rescued 98% of the funds, TOKENS IN WALLET which have approved the vulnerable contract are STILL AT RISK." "If you have used Primitive in the last three months since we launched mainnet, you may have an outstanding approval on a vulnerable contract. These approvals MUST be reset by you."
"In the aftermath, Primitive Finance awarded $10,000 to Emiliano for his invaluable efforts as war room leader, and $25,000 to the Dedaub team for finding the bug with their whitehat wizardry."
"ArmorFi CTO Robert Forster has awarded the Dedaub Team $250k $ARMOR tokens following the successful disclosure of a critical vulnerability in Primitive Finance to Immunefi. The award is part of the R Bounty program, now renamed the Founders Bounty, where Forster, working together with Immunefi, pledged that amount to anyone who discovered a flaw in any Ethereum dapp."
On April 15th, "[w]e are awarding @chiachih_wu a small bounty for notifying us of a vulnerable user related to the approval incident in February! A reminder for all users of Primitive is that if you used the protocol between December and February you must reset your approvals for the bad contract."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| February 21st, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $1,300,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Which policies could have prevented this event from happening?
References
- ↑ [SlowMist Hacked - SlowMist Zone](https://hacked.slowmist.io/en/?c=ETH%20DApp) (May 17, 2021)
- ↑ [Primitive | Explore AMMs and Dive into Market Making](https://primitive.finance/) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1382762019875524608) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1367135346832465922) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1365751587197521921) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1365632774523224067) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1364372392152162305) (Jul 16, 2021)
- ↑ [@PrimitiveFi Twitter](https://twitter.com/PrimitiveFi/status/1363670839908913158) (Jul 16, 2021)
- ↑ [Inside The War Room That Saved Primitive Finance](https://medium.com/immunefi/inside-the-war-room-that-saved-primitive-finance-6509e2188c86) (Jul 16, 2021)
- ↑ [Whitehack by Primitive Finance: MOST FUNDS ARE SAFE. User action required. | by Primitive | Medium](https://primitivefinance.medium.com/whitehack-by-primitive-finance-most-funds-are-safe-user-action-required-4dd31c387b8) (Jul 16, 2021)
- ↑ [Postmortem On The Primitive Finance Whitehack Of February 21st 2021](https://primitivefinance.medium.com/postmortem-on-the-primitive-finance-whitehack-of-february-21st-2021-17446c0f3122) (Jul 16, 2021)
- ↑ [Primitive Finance: A Critical Vulnerability Discovered In Smart Contracts - TokenPost](https://tokenpost.com/Primitive-Finance-A-Critical-Vulnerability-Discovered-In-Smart-Contracts-6753) (Jul 16, 2021)
- ↑ [News | All Your Feeds](https://allyourfeeds.com/blockchain/news/defi-protocol-primitive-finance-self-hacks-to-prevent-exploit) (Jul 16, 2021)
- ↑ [Primitive Finance whitehacks its contracts for safety](https://coinjournal.net/news/primitive-finance-self-hacks-to-safeguard-user-funds/) (Jul 16, 2021)
- ↑ [Dedaub Claims $250k in Bounty for Primitive Finance Bug - The Defiant - DeFi News](https://thedefiant.io/dedaub-claims-250k-in-bounty-for-primitive-finance-bug/) (Jul 16, 2021)
- ↑ [DeFi Protocol Primitive Finance Self Hacks to Prevent Exploit](https://cryptopotato.com/defi-protocol-primitive-finance-self-hacks-to-prevent-exploit/) (Jul 16, 2021)
- ↑ [Primitive Finance | DYOR Crypto Wiki | Fandom](https://dyor-crypto.fandom.com/wiki/Primitive_Finance) (Jul 16, 2021)
- ↑ [Library - Primitive and RMM Protocol | Primitive](https://docs.primitive.finance/) (Jul 16, 2021)
- ↑ [Unlimited Approval In Erc20 Convenience Or Security](https://blocksecteam.medium.com/unlimited-approval-in-erc20-convenience-or-security-1c8dce421ed7) (Oct 11, 2021)
- ↑ https://medium.com/amber-group/exploiting-primitive-finances-approval-flaws-b86db031b4 (Oct 11, 2021)