Goose Finance
Published in

Goose Finance

The Honeytrap (A Story about a Migrator behind Timelock)

An analysis on the HoneySwap.fi rugpull

On Feb 28 at around 3AM UTC, HoneySwap.fi, another one of the latest Goose clones executed a rug pull. Transferred all of the staked funds to their own pockets.

This one caught a lot of people off guard because on first glance, it seemed everything was under timelock protection, including the migrator function that was added back in. Many in the community was left confused as to how they managed to bypass timelock protection to execute this rugpull.

So as always, let’s take a dive into what really happened.

Background Story

HoneySwap.fi forked from the Goose MasterChefV2 contract, an upgraded version of the original Goose MasterChef with added re-entrancy protection that was recommended by the CertiK audit, which seems extra safe.

But then on top of that, they re-introduced the migrator code that existed in the original PancakeSwap/SushiSwap MasterChef, an abomination that has wrecked havoc way too many times in the recent weeks.

Interestingly, they did not actually use the migrate function to execute the final rugpull, atleast, not directly.

EPIC COMMENT

They told everyone that the migrator was not here for rugpull, and assured everyone that the fact that it is protected by timelock is proof of that.

Any prudent user would check and indeed be able to see that the setMigrator function is behind timelock, and the current migrator is indeed empty. However, this was just a smoke screen and they have already covered their tracks in this scam.

The Method

When we analyse the decompiled attack contracts used to pull off the final rugpull, we can see that the“transfer” function was called on the attack contract for every pool, which then simply called the basic 3rd party token transfer and moved funds from the MasterChef to the dev.

basically translates to: token.transferFrom(chef, dev, token.balanceOf(chef))

If you know some basic solidity, you will know that this 3rd party token transfer requires an “Approval”, a signed allowance that gives a speific 3rd party the permission to transfer the tokens.

So we know that MasterChef must have given approval to this attack contract some how. Here is where the migrator comes into play. All this happened before everything was released to the public, and the devs covered their tracks afterwards.

The Rundown

  1. Deploy MasterChef
  2. Set Migrator to Attack Contract
  3. Call migrate function on each pool, even without any tokens already staked, this call still grants an infinite amount of allowance to the current migrator, which is the Attack Contract.
  4. Set Migrator back to 0x0000000 (this covers up their tracks that something fishy already happened)
  5. Transfer MasterChef ownership to Timelock

At this point, to an outsider’s eyes, everything looks normal and protected by Timelock. Little do they know, the backdoor is already wide open and the fruit is just waiting to be picked.

All that is left for the dev to do is to wait until the TVL is juicy enough for the picking. The Attacker Contract has infinite allowance to the funds staked into MasterChef and can access all the funds anytime. The rest is history.

WHAT ABOUT Goose Finance?

Goose Finance is trying to create a cleaner environment for people to yield farm. We have removed the Migrator backdoor. We cannot migrate the assets therefore your assets will be safe with us.

We stress this over and over again, if you see the migrator function, it is a HUGE red flag. Even if it is behind a timelock.

Join Goose Finance on Telegram:

https://t.me/goosedefi

Website:

https://www.goosedefi.com

Finally also a shoutout to the guys at the group DEFI Audit & Research that asked us to help look into this rugpull case: https://t.me/defidyor

Goose Finance is aiming to become an all-in-one financial entity where you have multiple tools to profit in the same platform. Our goal is to create innovate and unique tools for our user to gain profit.

Recommended from Medium

Wireshark in the Command Line

New Fund to Invest in Women in Cybersecurity Careers

Black woman leaning against a glass wall to a room with racks of servers. Text: WiCyS Cyber Talent Emergency Fund with logos for Last Mile Education Fund and Women in Cyber Security, URL bit.ly/wicys_fund

How do you Seed and Download Files in Upfire?

18.5 million websites are ready to hack their visitors

The future of digital identity

Updates — Order of business

Hack it — drop it! How stock prices are related to data breaches

Watch Out For Scams Like This

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Goose Finance

Goose Finance

2nd Generation Yield Farming on Binance Smart Chain

More from Medium

https://opensea.io/collection/life-kaleidoscope Click the link above 👆👆👆

Sound of the Shoe: Plant Bids X Sore Studio

Edvin Zuckovs — Auto Biography

💫HOW HEROSERI TAKES GAMEFI TO A NEW LEVEL💫