IceCream Meltdown!

Goose Finance
Feb 11 · 3 min read

How one underscore and cheeky devs lost people’s fortunes (Goose is safu, no cheekiness here allowed)

As you may have heard by now, IceCreamSwap just got dumped. The IceCream devs claim that this was an external thief exploiting a bug in their contract code. One might wonder whether this really was a hacker or a well-staged, planned exit.

Either way, we are interested in what really happened, right?

Like most current yield farms, our contract code mostly inherits from the SushiSwap MasterChef, maybe each with a little flavor of their own.

Now IceCream decided to be cheeky: they added an additional admin address that could make changes to the farms/pools without going through the timelock. (Why would you do that, right?)

NO RISK OF RUG PULL? https://bscscan.com/address/0x78bd56ca4d781d1be3808a7af0a8b5446048c1ac#code

This meant that the account address named “governance” here can make any changes to the pool settings. Here is how the “hacker” dumped the tokens.

  1. Update all public pools to have a 0 multiplier (except the one the hacker is staking in, which is most likely a private or hidden pool)
  2. Update Cream Per Block to the largest possible number
  3. Harvest

Now one might ask, how did a “hacker” become the admin? Well, that is due to a “bug” in their code. A single underscore that left the door wide open for anyone to become the admin.

msg.sender == _governance will always be TRUE when the caller passes their own address as the new admin!

That one underscore in _governance made sure that any caller was free to set their own address as the admin. WTF.
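To make the underscore bug concrete, here is an added side-by-side illustration written for this post. It is not IceCreamSwap's code: the contract and function names are assumed, and the only thing it reproduces from the description above is the check against the argument _governance instead of the stored governance variable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the one-underscore bug; not IceCreamSwap's
// deployed code. Names (GovernanceSetter, setGovernance*) are assumed.
contract GovernanceSetter {
    // Privileged admin that may change pool settings without the timelock.
    address public governance;

    constructor() {
        governance = msg.sender;
    }

    // BUGGY: the check compares msg.sender with the *argument* _governance,
    // not with the stored `governance`. Whoever calls this with their own
    // address as _governance satisfies the require and becomes admin.
    function setGovernanceBuggy(address _governance) external {
        require(msg.sender == _governance, "!governance");
        governance = _governance;
    }

    // FIXED: compare against the state variable (no underscore), so only the
    // current admin can hand the role to a new address.
    function setGovernance(address _governance) external {
        require(msg.sender == governance, "!governance");
        governance = _governance;
    }
}
```

When reviewing a farm contract, read every function that writes a privileged address and check which side of the comparison the parameter is on: the parameter naming convention (leading underscore) makes the two lines look almost identical, which is exactly why the bug is easy to miss.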

There are just so many suspicious things about the IceCream contracts. Just the fact that they added an extra back door to update settings while bypassing the timelock is already a super red flag.

What makes it extra suspicious is that the msg.sender == governance check is correct in the other 3 functions, and wrong in the only 1 that mattered.

It really makes one wonder if this “bug” was just a disguise for a planned dump exit.

So, now the biggest question: Is Goose safu?

Goose holds security and legitimacy in the highest regard. We do not try anything cheeky. Our contract has one and only one owner that can edit any settings, and that is the timelock.

No cheeky governance backdoor, no migrator backdoor. Removed all unnecessary code. Keeping it simple and transparent.
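For contrast with the IceCream design, here is an added sketch of the “one owner, and that owner is the timelock” pattern described above. It is written for this post and is not Goose Finance's deployed MasterChef; the contract name, field names and the pool layout are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified sketch of a MasterChef-style farm with a single privileged
// address. Not the Goose Finance contract; all names here are assumed.
contract SingleOwnerChef {
    struct PoolInfo {
        address lpToken;
        uint256 allocPoint; // pool multiplier
    }

    address public owner;           // the only privileged address
    uint256 public rewardPerBlock;  // emission rate
    uint256 public totalAllocPoint;
    PoolInfo[] public poolInfo;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // The single gate for every settings change. There is deliberately no
    // second "governance" address and no migrator function.
    modifier onlyOwner() {
        require(msg.sender == owner, "Ownable: caller is not the owner");
        _;
    }

    constructor(uint256 _rewardPerBlock) {
        owner = msg.sender;
        rewardPerBlock = _rewardPerBlock;
    }

    // The deployer hands control to the Timelock contract once; from then on
    // every call below has to be queued in the timelock and wait out its delay.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function add(uint256 _allocPoint, address _lpToken) external onlyOwner {
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }

    // Pool multiplier update: only the owner (the timelock) can call it.
    function set(uint256 _pid, uint256 _allocPoint) external onlyOwner {
        totalAllocPoint = totalAllocPoint - poolInfo[_pid].allocPoint + _allocPoint;
        poolInfo[_pid].allocPoint = _allocPoint;
    }

    // Emission rate update: same single gate.
    function updateEmissionRate(uint256 _rewardPerBlock) external onlyOwner {
        rewardPerBlock = _rewardPerBlock;
    }
}
```

The practical check for a user is to read owner() on the farm contract and confirm it is the timelock contract address, then read the timelock's delay; if any other modifier or admin variable can also reach set() or updateEmissionRate(), the timelock is not actually the only path.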

Happy farming.

Goose Finance

Goose Finance is aiming to become an all-in-one financial entity where you have multiple tools to profit on the same platform. Our goal is to create innovative and unique tools for our users to gain profit.
