Early Sunset for RMM-01
How Primitive Approached the Math Approximation Error
The Primitive team identified the vulnerability and immediately reached out to the user who took advantage of the bug. We requested that they stop exploiting the bug, to which they agreed. Approximately $34,000 USDC was extracted at a mis-priced rate from the time of the initial exploit to the pool’s expiration (10 hours later). Most of the liquidity extracted was Primitive-controlled.
We immediately published a post-mortem of the incident and alerted our community to withdraw liquidity from the protocol. Primitive contacted the user who discovered the bug and asked them not to exploit it further. The user cooperated and returned a portion of the funds as requested.
We appreciate the diligence from the white hat community in reporting issues when they are discovered. Primitive awarded a $1,000 bug bounty to the white hat who initially reported the vulnerability through Immunefi.
Our protocols undergo extensive audits, and RMM-01 was one of the most audited protocols in existence. We offer bug bounties to users who find exploits because, above all else, we are committed to building the most secure products and infrastructure. We want our users to report issues, no matter how those issues are encountered.
What is Next for Primitive?
As we work on the release of our new protocol, we are revamping our security process and inviting users to participate in bug bounty programs and our upcoming audit competition through Code Arena. You can access Primitive’s bug bounties on Immunefi, where we offer bounties based on the threat level of the identified vulnerability.
Due to this event, we expedited the sunset of RMM-01. The RMM-01 protocol was on mainnet for over five months and accrued significant value without being vulnerable to any exploit that could completely drain the protocol. It was intended to be absorbed into a new protocol that has been under development by Primitive since April 2022.
Primitive is dedicated to building decentralized infrastructure, which means no one can take down the RMM-01 protocol. We have removed support for the current RMM-01 protocol in Primitive’s App. The Primitive App can only be used to remove liquidity from positions; it can no longer deposit funds into the protocol.
We want to thank those who participated in RMM-01 in any way, shape or form. We would love for you to stay in tune with what we are building. You can sign up for early access here.