Goose Finance
Published in

Goose Finance

IceCream Meltdown!

How one underscore and cheeky devs lost people’s fortunes (Goose is safu, no cheekiness here allowed)

As you may have heard by now, IceCreamSwap just got dumped. The IceCream devs claims that this is an external theif exploiting a bug in their contract code. One might wonder if this really is a hacker or a well staged planned exit.

Eitherway, we are interested in what really happened right?

Like most current yield farms, our contract code mostly inherits from the SushiSwap MasterChef, maybe each with a little flavor of their own.

Now IceCream decided to be cheeky, they added an additional admin address that could make changes to the farms/pools without going through time lock. (Why would you do that right?)

NO RISK OF RUG PULL? https://bscscan.com/address/0x78bd56ca4d781d1be3808a7af0a8b5446048c1ac#code

This meant that the account address named “governance” here, can make any changes to the pool settings. Here is how the “hacker” dumped the tokens.

  1. Update all public pools to have 0 multiplier (except the one the hacker is staking in, which is most likely a private or hidden pool)
  2. Update Cream Per Block to largest possible number
  3. Harvest

Now one might ask, how did a “hacker” become the admin? Well, that is due to a “bug” in their code. A single underscore, that left a door wide open to anyone to become the admin.

msg.sender == _governance will always be TRUE when setting admin address to the caller!

That one underscore in _governance, made sure that any caller is free to set their address as the admin. WTF.

There are just so many suspicions with the IceCream contracts. Just the fact that they added an extra back door to update settings whilst bypassing time lock is already super red flag.

What makes it extra suspicious is why the other msg.sender == governance code is correct in the other 3 functions, and wrong in the only 1 that mattered.

It really makes one wonder, if this “bug” was just a disguise for a planned dump exit.

So, now the biggest question: Is Goose safu?

Goose puts security and legitimacy in the highest regards. We do not try anything cheeky. Our contract has one and only one owner that can edit any settings, and that is the time lock.

No cheeky governance backdoor, no migrator backdoor. Removed all unneccassary code. Keeping it simple and transparent.

Happy farming.

Goose Finance is aiming to become an all-in-one financial entity where you have multiple tools to profit in the same platform. Our goal is to create innovate and unique tools for our user to gain profit.

Recommended from Medium

{UPDATE} Weed Merge Hack Free Resources Generator

Transcript of the Ampleforth office hours on 20.10.2021

How to be IT and Power Backup resilient when there is no one in Office.

What’s Up With The Craze Surrounding Capture-The-Flag (CTF) Competitions?

How To Secure Your SMB Network — Part 1 of 9 — Network Security Principles

Security in the cloud

Principles for Good ID in Emerging Markets

How to Solve the Privacy Error Message in Chrome?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Goose Finance

Goose Finance

2nd Generation Yield Farming on Binance Smart Chain

More from Medium

My 2nd Entry for HOAP lore/creative writing

Another World is Possible, A World of Many Worlds

A Look Back Through the IHD Flower

How to create and connect to MetaMask Wallet