How one underscore and cheeky devs lost people’s fortunes (Goose is safu, no cheekiness here allowed)

Image for post
Image for post

As you may have heard by now, IceCreamSwap just got dumped. The IceCream devs claims that this is an external theif exploiting a bug in their contract code. One might wonder if this really is a hacker or a well staged planned exit.

Eitherway, we are interested in what really happened right?

Like most current yield farms, our contract code mostly inherits from the SushiSwap MasterChef, maybe each with a little flavor of their own.

Now IceCream decided to be cheeky, they added an additional admin address that could make changes to the farms/pools without going through time lock. (Why would you do that right?)

Image for post
Image for post
NO RISK OF RUG PULL? https://bscscan.com/address/0x78bd56ca4d781d1be3808a7af0a8b5446048c1ac#code

This meant that the account address named “governance” here, can make any changes to the pool settings. Here is how the “hacker” dumped the tokens.

Now one might ask, how did a “hacker” become the admin? Well, that is due to a “bug” in their code. A single underscore, that left a door wide open to anyone to become the admin.

Image for post
Image for post
msg.sender == _governance will always be TRUE when setting admin address to the caller!

That one underscore in _governance, made sure that any caller is free to set their address as the admin. WTF.

There are just so many suspicions with the IceCream contracts. Just the fact that they added an extra back door to update settings whilst bypassing time lock is already super red flag.

What makes it extra suspicious is why the other msg.sender == governance code is correct in the other 3 functions, and wrong in the only 1 that mattered.

It really makes one wonder, if this “bug” was just a disguise for a planned dump exit.

Image for post
Image for post

So, now the biggest question: Is Goose safu?

Goose puts security and legitimacy in the highest regards. We do not try anything cheeky. Our contract has one and only one owner that can edit any settings, and that is the time lock.

No cheeky governance backdoor, no migrator backdoor. Removed all unneccassary code. Keeping it simple and transparent.

Happy farming.

2nd Generation Yield Farming on Binance Smart Chain

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store