Clarifying Deposit Approvals

Prime Protocol
May 24, 2023

On May 23rd, 2023, Prime Protocol was notified, via a Twitter post, of a concern about a feature in our contracts. For the sake of transparency to our community, we want to describe what was found and the steps we took to address it.

We want to reiterate that under no circumstances were user funds ever at risk in the protocol. There was never a way for a bad actor to take possession of protocol funds. If you are a current or past user, your funds are completely safe.

Description

A group of Web3 security enthusiasts who go by the name “Dilation Effect” alerted us, via a Twitter post, that a feature in our contracts allowed a third party to deposit tokens on behalf of any user who had already approved ERC20 tokens to Prime. The deposit drew on the user’s existing allowance, so a third party could deposit on a user’s behalf, but only up to the amount the user had approved and not yet spent. Because users often approve more than they intend to deposit, that allowance can be larger than the deposit the user actually planned, so we have decided to restrict deposits to the depositor directly, regardless of the approval amount. We thank and value our community for the immediate feedback. While this did not put our users’ funds at risk, we believe that the safety of our protocol and our community outweighs the benefits of the additional composability this feature provided.
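To make the mechanism concrete, here is an added example that is not Prime Protocol’s code: a minimal market contract with the deposit-on-behalf pattern next to the restricted form described above. The contract and function names (VulnerableMarket, HardenedMarket, depositFor, deposit, depositsOf, unspentApproval) are illustrative assumptions; only the IERC20 functions are the standard ERC-20 interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Standard ERC-20 functions used below (the real token contract implements these).
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative market with the removed feature. Hypothetical contract, not Prime's.
contract VulnerableMarket {
    IERC20 public immutable token;
    mapping(address => uint256) public depositsOf;

    constructor(IERC20 token_) {
        token = token_;
    }

    // Anyone can call this with any `onBehalfOf`. transferFrom checks only
    // allowance[onBehalfOf][address(this)], which the user set with approve();
    // msg.sender is never compared to onBehalfOf, so a third party can move the
    // user's approved-but-unspent tokens into the market whenever they like.
    function depositFor(address onBehalfOf, uint256 amount) external {
        require(token.transferFrom(onBehalfOf, address(this), amount), "transfer failed");
        depositsOf[onBehalfOf] += amount;
    }
}

// Illustrative market after the fix: deposits come only from the caller.
contract HardenedMarket {
    IERC20 public immutable token;
    mapping(address => uint256) public depositsOf;

    constructor(IERC20 token_) {
        token = token_;
    }

    // transferFrom is always from msg.sender, so only the account that signed
    // the transaction can spend its own allowance. The size of the approval
    // no longer matters to anyone but the approver.
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        depositsOf[msg.sender] += amount;
    }

    // What a third party can still do: read how much of a user's approval
    // remains unspent. Here that is information only; this contract has no
    // function that lets the caller spend it.
    function unspentApproval(address user) external view returns (uint256) {
        return token.allowance(user, address(this));
    }
}
```

In the first contract, any address can call depositFor(victim, token.allowance(victim, market)) and the call succeeds as long as the victim’s balance covers it; the hardened contract has no code path that takes a depositor other than msg.sender. Two caveats a reviewer would add: in production use OpenZeppelin’s SafeERC20 (safeTransferFrom) rather than a bare require on the returned bool, since some widely used tokens return nothing and would revert here; and as a user, approve only what you intend to deposit, or call approve(market, 0) on the token to revoke a leftover allowance for a market you no longer use.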

Team Action

The feature in question has now been removed, and it is now impossible for a third party to perform a deposit on a user’s behalf. Below, we outline the steps taken to ensure this:

  • We reproduced the scenario on testnet and mainnet on our end.
  • We investigated all code paths that could have been affected.
  • We explored multiple code changes and actions to ensure the fix was complete and safe for users.
  • We created pull requests that our auditors have reviewed. An audit report covering these changes will be published when available.
  • We validated these changes on testnet and mainnet.
  • Due to the nature of the change, we have deployed new markets without this feature. Old markets are deprecated, meaning users cannot deposit into them but may safely repay any outstanding borrows and withdraw at any time.

User Action

Users who deposited on the now-deprecated markets are asked to withdraw their tokens from the old markets and deposit them in the new markets. Each deprecated market will be shown as such on the dashboard and will disappear from view once the user’s funds are withdrawn. Users can take this action at their own convenience, as no funds are at risk and the existing markets still serve as collateral for any outstanding borrows.

Points

All accrued points for users will remain intact. In order to encourage users to migrate their funds from the deprecated markets to the new ones, we are:

  • Setting the same underlying accrual rate logic — as explained in the Prime Early Adopter Program — for all new markets.
  • Applying a fixed points bonus of 3 weeks for existing depositors, to account for the changed accrual multiplier when pulling out of deprecated markets and entering new ones.
  • Setting the accrual rate for deprecated markets to 0, further encouraging the transfer of funds.

There will be more information and insights regarding the Prime Early Adopter Program in the coming weeks.

Ultimately, we’re thankful that this concern was brought to our attention and that the funds of our users were never at risk. We appreciate each and every person who has trusted what we’ve built thus far, and we sincerely hope that you’ll believe in us as we continue to innovate and grow Prime going forward.
