Timelock == funds are safu?

Absolutely not

Void Farm
Apr 8, 2021

A common misconception is that a timelock makes a farming project safe.

Every current farming project promotes its timelock as if it provided greater security to the project. They need to, because people have come to believe that a timelock equals security. But this is only half true.

The contract that handles the funds, and the one that really matters, is the MasterChef contract.

MasterChef > Timelock

All fund management is done by calling the MasterChef. The only thing the timelock does is act as an intermediary in that communication and delay it, so that users can see the queued order in time and take action before it takes effect.

That is, instead of calling the MasterChef functions directly, you call the Timelock functions. The Timelock waits X time, and only then does it allow you to call the MasterChef with what you sent before.

Here you can learn how to check whether a MasterChef is correctly assigned to a Timelock: https://app.gitbook.com/@voidfarm/s/void-farm/security/how-to-check-the-timelock

This is good, but it does not guarantee anything.

If the MasterChef has no way to steal the funds, then even without a timelock it won’t take your money, because it can’t.

There is also another reality: the fact that a timelock is assigned does not ensure that it cannot be bypassed to call the MasterChef.

Speaking a bit about programming, recently there was a rugpull that had two addresses able to call transactions in the MasterChef: an “owner” and a “treasury”. The modifier onlyOwner(), which is meant to ensure that only the “owner” can invoke those calls, had been changed: instead of checking whether the caller was the “owner”, it checked for the “treasury” address.

So on BscScan you could see that the “owner” of the MasterChef was the timelock, but in reality they could execute everything by calling from the “treasury” address.

This in principle only served to skip the timelock, but the MasterChef also had a way of stealing the funds. We will explain this case in another post.

The problem here is that 1) the timelock was correctly assigned, and 2) what the MasterChef did could only be detected if it was read by someone who knows Solidity, or of course with an audit (which they clearly did not have).
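The swapped check described above can be looked for mechanically in verified source. The following is an added example, not part of the original post and not code from the contract involved: a Python heuristic that extracts the onlyOwner modifier from Solidity source and reports when the caller is compared with anything other than the owner. The function names, the sample contracts and the set of accepted owner expressions are assumptions made for illustration.

```python
from __future__ import annotations
import re
# Operands an unmodified OpenZeppelin-style Ownable compares the caller with (assumed set).
EXPECTED = {"owner()", "_owner", "owner"}
MODIFIER_RE = re.compile(r"modifier\s+onlyOwner\b[^{;]*\{")
CALLER = r"(?:msg\.sender|_msgSender\(\))"
OPERAND = r"([A-Za-z_][\w.]*(?:\(\))?)"
COMPARE_RE = re.compile(rf"{CALLER}\s*==\s*{OPERAND}|{OPERAND}\s*==\s*{CALLER}")

def modifier_body(source: str) -> str | None:
    """Return the brace-balanced body of `modifier onlyOwner`, if defined."""
    m = MODIFIER_RE.search(source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit_only_owner(source: str) -> list[str]:
    """Heuristic findings for an onlyOwner that does not check the owner."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    body = modifier_body(source)
    if body is None:
        return ["onlyOwner not defined here; check the inherited contracts"]
    operands = [a or b for a, b in COMPARE_RE.findall(body)]
    if not operands:
        return ["onlyOwner never compares the caller with anything"]
    return [f"onlyOwner authorizes '{op}', not the owner"
            for op in operands if op not in EXPECTED]

# Constructed samples (not the real contracts): stock modifier vs. swapped check.
STOCK = """
contract Ownable {
    modifier onlyOwner() {
        require(owner() == _msgSender(), "Ownable: caller is not the owner");
        _;
    }
}"""
SWAPPED = """
contract MasterChef {
    modifier onlyOwner() {
        require(treasury == _msgSender(), "Ownable: caller is not the owner");
        _;
    }
}"""

if __name__ == "__main__":
    print(audit_only_owner(STOCK), audit_only_owner(SWAPPED))
```

An empty result only covers this one modifier; every other function that moves funds in the MasterChef still has to be read.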

Conclusion

A Timelock is important and must be present, but if a project claims that the timelock alone is why the funds are safe, it is probably hiding something.

Cheers!

Official Links:

Site: https://www.void.farm/

Telegram Announcements: https://t.me/voidfarm_announcements

Telegram English Chat: https://t.me/voidfarm_en

Telegram Spanish Chat: https://t.me/voidfarm_es

Twitter: https://twitter.com/VoidFarm

Medium: https://voidfarm.medium.com/

GitBook: https://voidfarm.gitbook.io/void-farm/

GitHub: https://github.com/voidfarm
