In 2020, the first alpha Primitive contracts were deployed for the V1 protocol. One of the peripheral contracts was discovered to have an approval vulnerability, which was detailed in the postmortem available here.
As the Primitive team prepares to launch the new, fully audited RMM Protocol smart contracts, we want to remind all of Primitive's early users to revoke any outstanding approvals for those vulnerable contracts made between December 2020 and February 2021. Those contracts are non-upgradeable, so the only remedy is for each user to revoke the approval themselves.
This is a fairly common vulnerability, which makes it even more important for every user to be aware of proper approval management. Approvals should be exact rather than infinite, or revoked once the user has finished using a protocol.
Here are some valuable resources for learning more about approval-related vulnerabilities:
What addresses are vulnerable?
We made a public Dune query that is available here, which displays the vulnerable addresses.
We've identified 11 active infinite approvals for either WETH or DAI. We have confirmed three of these vulnerable addresses have received our messages and will take action to revoke approvals. Three of the remaining addresses are inactive, with no transactions after interacting with the Primitive V1 Protocol and no tokens or ether. This leaves five addresses, two of which hold more than $1K worth of value. All of these 11 addresses have been contacted by the security.primitive.eth account through Etherscan's blockscan chat feature.
While no tokens are at risk now, if WETH or DAI are transferred to these addresses with the approvals, they immediately become at risk.
These vulnerable addresses made the approvals over a year ago, and while we have brought the list down from 100 to just 8 through continuous monitoring and contact attempts, these 8 open approvals can still put a significant amount of funds at risk if WETH or DAI are transferred to them.
These contracts, deployed in 2020 and early 2021, were experimental and in an alpha stage. The Primitive team has learned from this incident, which is why all of its smart contracts are now audited at least twice by professional third-party security firms.
Infinite token approvals are permanent until they are revoked. DeFi moves very quickly, with new projects launching daily. Token approvals can quickly be forgotten about and linger—in this case for over a year. After using a new protocol, we highly recommend revoking approvals to keep your tokens safe.
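As an added example (not Primitive's code or any wallet's), the following offline helpers show what "checking and revoking an approval" means at the ERC-20 level: build the `allowance(owner, spender)` call, decode its result, flag unlimited approvals, and build the `approve(spender, 0)` transaction that revokes them. The function selectors are the standard ERC-20 ones; the token, user and spender addresses are constructed placeholders, not the real WETH, DAI or Primitive contract addresses.

```python
ALLOWANCE_SELECTOR = "dd62ed3e"  # keccak256("allowance(address,address)")[:4], standard ERC-20
APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1

def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")

def allowance_calldata(owner: str, spender: str) -> str:
    """eth_call data for token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)

def revoke_calldata(spender: str) -> str:
    """Transaction data for token.approve(spender, 0), which revokes the approval."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64

def decode_uint256(return_data: str) -> int:
    """Decode the single uint256 word an allowance() call returns."""
    h = return_data.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected one 32-byte return word")
    return int(h, 16)

def classify_allowance(value: int) -> str:
    """'none', 'limited' or 'infinite' (uint256 max, the usual unlimited approval)."""
    if value == 0:
        return "none"
    return "infinite" if value == MAX_UINT256 else "limited"

def plan_revocations(snapshot):
    """snapshot: (token, owner, spender, allowance_return_data) tuples.
    Returns approve(spender, 0) transactions for every non-zero allowance."""
    txs = []
    for token, owner, spender, ret in snapshot:
        value = decode_uint256(ret)
        if value == 0:
            continue  # nothing outstanding for this spender
        txs.append({"from": owner, "to": token, "kind": classify_allowance(value),
                    "data": revoke_calldata(spender)})
    return txs

# Constructed sample: placeholder addresses, not real WETH/DAI or Primitive contracts.
TOKEN, USER, SPENDER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE = [(TOKEN, USER, SPENDER, "0x" + "f" * 64),          # infinite approval
          (TOKEN, USER, "0x" + "dd" * 20, "0x" + "0" * 64)]  # already revoked
```

Each entry returned by `plan_revocations` is the `from`/`to`/`data` triple a wallet would sign and send; the allowance return data itself would come from an `eth_call` against the token contract.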
These are the dedicated security channels for contacting Primitive: