As you may have heard by now, IceCreamSwap just got dumped. The IceCream devs claim that this was an external thief exploiting a bug in their contract code. One might wonder if this really was a hacker or a well-staged, planned exit.
Either way, we are interested in what really happened, right?
Like most current yield farms, our contract code mostly inherits from the SushiSwap MasterChef, maybe each with a little flavor of their own.
Now IceCream decided to be cheeky: they added an additional admin address that could make changes to the farms/pools without going through the time lock. (Why would you do that, right?)
This meant that the account address named “governance” here can make any changes to the pool settings. Here is how the “hacker” dumped the tokens.
- Update all public pools to have 0 multiplier (except the one the hacker is staking in, which is most likely a private or hidden pool)
- Update Cream Per Block to largest possible number
Now one might ask, how did a “hacker” become the admin? Well, that is due to a “bug” in their code. A single underscore, that left a door wide open to anyone to become the admin.
That one underscore in _governance made sure that any caller is free to set their address as the admin. WTF.
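The pattern described above, as an added example that is not IceCreamSwap's actual source: the contract and function names are hypothetical, and only the identifiers governance and _governance come from this write-up. It puts the parameter-vs-storage mix-up next to the corrected check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract written for this example; NOT IceCreamSwap's source.
// Contract and function names are assumptions.
contract GovernedFarm {
    address public governance;    // privileged account that bypasses the time lock
    uint256 public creamPerBlock; // emission rate the privileged account may change

    event GovernanceChanged(address indexed oldGovernance, address indexed newGovernance);

    constructor(address initialGovernance) {
        require(initialGovernance != address(0), "zero address");
        governance = initialGovernance;
    }

    // Correct pattern: the caller is compared against the STORED address.
    function setCreamPerBlock(uint256 _creamPerBlock) external {
        require(msg.sender == governance, "not governance");
        creamPerBlock = _creamPerBlock;
    }

    // BUGGY: the check reads the PARAMETER `_governance`, which the caller
    // supplies. Passing one's own address makes the comparison true for
    // anyone, so the check authorizes nothing.
    function setGovernanceBuggy(address _governance) external {
        require(msg.sender == _governance, "not governance");
        governance = _governance;
    }

    // FIXED: authorize against the state variable, reject the zero address,
    // and emit an event so monitoring can alert on any change of admin.
    function setGovernance(address _governance) external {
        require(msg.sender == governance, "not governance");
        require(_governance != address(0), "zero address");
        emit GovernanceChanged(governance, _governance);
        governance = _governance;
    }
}
```

A unit test that calls every privileged setter from a non-admin account and expects a revert catches this class of mistake before deployment.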
There are just so many suspicions with the IceCream contracts. Just the fact that they added an extra back door to update settings whilst bypassing the time lock is already a super red flag.
What makes it extra suspicious is that the msg.sender == governance check is correct in the other 3 functions, and wrong in the only 1 that mattered.
It really makes one wonder if this “bug” was just a disguise for a planned dump exit.
So, now the biggest question: Is Goose safu?
Goose holds security and legitimacy in the highest regard. We do not try anything cheeky. Our contract has one and only one owner that can edit any settings, and that is the time lock.
No cheeky governance backdoor, no migrator backdoor. Removed all unnecessary code. Keeping it simple and transparent.