Whitehack by Primitive Finance: MOST FUNDS ARE SAFE. User action required.
A critical vulnerability was discovered in Primitive Finance smart contracts. As the contract is not upgradeable or pausable, we chose to whitehack our own smart contracts to safeguard user funds.
WHITEHACKED FUNDS ARE SAFE. ALL WHITEHACKED FUNDS WILL BE RETURNED TO THEIR OWNERS.
TOKENS IN WALLET which have approved the vulnerable contract REMAIN AT RISK, NOT THE PRIMITIVE CONTRACTS WHICH HOLD FUNDS.
Impacted Connector Contracts:
0xb026991da22f7D8F51550D5f99C39DdBc1c02089 (potentially safe)
Here’s how to safeguard your funds, please do this immediately:
- Go to https://app.primitive.finance/reset
- Click on an available approval reset button and sign the tx to set your approval to 0 Wei. Do this for each available token displayed on the interface to safeguard all funds.
Backup link for removing approvals: https://etherscan.io/tokenapprovalchecker
Your funds are now safe, and your work is done. When all users do this, all user funds will be safe.
The vulnerability is related to infinite approvals that have been made on the vulnerable Primitive smart contract. If you’ve approved your tokens to be spent by this contract, they are at risk.
If you have not approved the vulnerable contract, or you have reset your approval to 0, then any active positions in Primitive options or liquidity pools are NOT AT RISK.
A post-mortem of the vulnerability, the timeline of actions taken to protect user funds, and our immediate next steps to return user funds will follow soon.
Our extended thanks to Yannis Smaragdakis and Neville Grech at Dedaub, Mitchell Amador and Duncan Townsend at Immunefi, and Emiliano Bonassi at ReviewDAO for their crucial efforts to protect Primitive Finance and our users. We’re happy to say those efforts were successful.
The Primitive Finance Team