An open letter to Galaxy Finance

DISCLAIMER: RugDoc has already gone to great lengths to inform the community of the risks in this staking contract. No issue or exploit description in this post should in any way, shape or form be seen as advice to the relevant project to abuse this governance privilege. This post is for educational purposes and for the project to fix these issues only.

Dear Galaxy Finance,

Thank you for taking the time to look through our updated findings. Our mission and our risk ratings are based specifically on hard-rug risk: even if a project has good intentions, if the (usually anonymous and unknown) team is able to take out user funds, we mark the project as high-risk. This is a very simple rule, but for ourselves and for the many in our community who were rugged time and again before they learned about RugDoc, taking this rating into consideration has been highly profitable. Of course it is not the only parameter that constitutes risk, and it should not be used in isolation. Those other parameters also often determine whether we announce updates like this on Twitter and Telegram, which we decided not to do in your case.

However, your project does have the exact hard-rug risk our whole mission is built around. First, notice the add function, which allows you to add any LP pair as a pool. This could even be an LP pair whose two constituents are themselves LP pairs.

Now notice how, during your compounding schedule, the router receives an unlimited approval to take out both underlying tokens of the LP pair.

Since your swap router can be replaced with a malicious contract, this allows a hard rug of all staked funds.
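The pattern described above, written out as an added example for this letter (it is not Galaxy Finance's code): a compounding contract that grants an unlimited allowance on both underlying tokens to a router address the owner can swap out, next to a hardened form that fixes the router at deployment and scopes each allowance to the amount being swapped. The contract names are hypothetical; the interface names follow the Uniswap V2 / PancakeSwap ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interfaces, named after the Uniswap V2 ABI.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IPair is IERC20 {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// VULNERABLE pattern (hypothetical contract): unlimited allowance on both underlying
// tokens to an address the owner can replace. Whatever contract sits at `router` may
// call token.transferFrom(address(this), anywhere, allowance) and empty the pool.
contract CompounderUnsafe {
    address public owner;          // in the letter's setup this is the TimeLock,
    IRouter public router;         // which delays the change but does not prevent it
    IPair public immutable lp;

    constructor(IPair _lp, IRouter _router) { owner = msg.sender; lp = _lp; router = _router; }

    // Governance can point this at any contract, including one that only drains.
    function setRouter(IRouter _router) external { require(msg.sender == owner, "!owner"); router = _router; }

    function compound() external {
        IERC20(lp.token0()).approve(address(router), type(uint256).max);
        IERC20(lp.token1()).approve(address(router), type(uint256).max);
        // ... swap rewards and re-add liquidity through `router` ...
    }
}

// HARDENED pattern (hypothetical contract): router fixed at deployment, allowance set
// to the exact amount being swapped and cleared afterwards, so no standing approval
// exists for anyone to pull against.
contract CompounderSafe {
    IRouter public immutable router;
    IPair public immutable lp;

    constructor(IPair _lp, IRouter _router) { lp = _lp; router = _router; }

    function _swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut) internal {
        IERC20(tokenIn).approve(address(router), amountIn);
        address[] memory path = new address[](2);
        path[0] = tokenIn;
        path[1] = tokenOut;
        router.swapExactTokensForTokens(amountIn, minOut, path, address(this), block.timestamp);
        IERC20(tokenIn).approve(address(router), 0); // defensive: leave no lingering allowance
    }

    function compound(uint256 minOut) external {
        address t0 = lp.token0();
        uint256 bal = IERC20(t0).balanceOf(address(this));
        if (bal > 0) _swap(t0, lp.token1(), bal / 2, minOut);
        // ... add liquidity with the resulting token0/token1 balances ...
    }
}
```

The check a reviewer runs is simple: grep the compounding path for `type(uint256).max` approvals, then look for any owner-callable setter on the spender address. If both are present, the TimeLock only sets the date of the rug, not whether it can happen.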

Finally, let’s take a quick look at the weird emergencyWithdraw logic.

Here is a short list of some of the ways we found that governance can block all withdrawals and emergency withdrawals. Once withdrawals are blocked, governance can simply queue the rug transactions in the TimeLock and wait out the delay.

  1. updateEmissionRate(type(uint256).max): updatePool and the pending-reward calculation multiply by the emission rate, so with the maximum value they revert on overflow, and every withdrawal path that calls them reverts with them.
  2. safeTokenTransfer(feeAddress, pending): the operator of the TRITON token can include the MasterChef in the anti-whale check and set the anti-whale limit extremely low, so this transfer always reverts and with it every emergency withdrawal. Since the TRITON operator is an EOA (a wallet), funds can be locked at any moment, and governance can then take its sweet time to hard-rug all tokens.
  3. setFeeAddress(address newFeeAddress): the feeAddress on the token can be set to address(0), which makes every token transfer revert. This too can be done instantly, since the TRITON operator is an EOA, and governance can again take its sweet time to hard-rug all tokens.
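To make the three vectors concrete, here is a condensed MasterChef skeleton written for this letter as an added example; it is not Galaxy Finance's contract. It contrasts the standard emergencyWithdraw, which touches nothing but the user's LP balance, with a modified variant that routes the forfeited reward to feeAddress and thereby pulls updatePool and a reward-token transfer into the escape hatch. Contract and function names are hypothetical; the accounting follows the usual MasterChef layout (accTokenPerShare scaled by 1e12).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Condensed MasterChef accounting, written for this letter to contrast two
// emergencyWithdraw variants. Hypothetical contract, not Galaxy Finance's.
contract ChefSkeleton {
    struct UserInfo { uint256 amount; uint256 rewardDebt; }
    struct PoolInfo { IERC20 lpToken; uint256 allocPoint; uint256 lastRewardBlock; uint256 accTokenPerShare; }

    IERC20 public immutable rewardToken;   // the TRITON token in the letter
    address public owner;                  // the TimeLock in the letter
    address public feeAddress;
    uint256 public tokenPerBlock;          // emission rate
    uint256 public totalAllocPoint;
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => UserInfo)) public userInfo;

    modifier onlyOwner() { require(msg.sender == owner, "!owner"); _; }

    constructor(IERC20 _rewardToken, address _feeAddress, uint256 _tokenPerBlock) {
        rewardToken = _rewardToken; feeAddress = _feeAddress;
        tokenPerBlock = _tokenPerBlock; owner = msg.sender;
    }

    // Any ERC20 can be added as a pool, an LP-of-LP included.
    function add(uint256 _allocPoint, IERC20 _lpToken) external onlyOwner {
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo(_lpToken, _allocPoint, block.number, 0));
    }

    // Vector 1: with 0.8 checked arithmetic, tokenPerBlock = type(uint256).max makes the
    // multiplication in updatePool revert for every caller that reaches it.
    function updateEmissionRate(uint256 _tokenPerBlock) external onlyOwner { tokenPerBlock = _tokenPerBlock; }
    function setFeeAddress(address _feeAddress) external onlyOwner { feeAddress = _feeAddress; }

    function updatePool(uint256 _pid) public {
        PoolInfo storage pool = poolInfo[_pid];
        if (block.number <= pool.lastRewardBlock) return;
        uint256 lpSupply = pool.lpToken.balanceOf(address(this));
        if (lpSupply == 0 || pool.allocPoint == 0) { pool.lastRewardBlock = block.number; return; }
        uint256 blocks = block.number - pool.lastRewardBlock;
        uint256 reward = blocks * tokenPerBlock * pool.allocPoint / totalAllocPoint; // overflow => revert
        pool.accTokenPerShare += reward * 1e12 / lpSupply;
        pool.lastRewardBlock = block.number;
    }

    // Vectors 2 and 3: a revert inside rewardToken.transfer (anti-whale limit applied to
    // the chef, or feeAddress == address(0)) propagates and aborts the whole call.
    function safeTokenTransfer(address _to, uint256 _amount) internal {
        uint256 bal = rewardToken.balanceOf(address(this));
        rewardToken.transfer(_to, _amount > bal ? bal : _amount);
    }

    function deposit(uint256 _pid, uint256 _amount) external {
        PoolInfo storage pool = poolInfo[_pid];
        UserInfo storage user = userInfo[_pid][msg.sender];
        updatePool(_pid);
        if (user.amount > 0) {
            uint256 pending = user.amount * pool.accTokenPerShare / 1e12 - user.rewardDebt;
            if (pending > 0) safeTokenTransfer(msg.sender, pending);
        }
        pool.lpToken.transferFrom(msg.sender, address(this), _amount);
        user.amount += _amount;
        user.rewardDebt = user.amount * pool.accTokenPerShare / 1e12;
    }

    // Standard emergencyWithdraw: no updatePool, no reward-token transfer. Only the LP
    // token leaves, so none of the three vectors can block it.
    function emergencyWithdrawStandard(uint256 _pid) external {
        PoolInfo storage pool = poolInfo[_pid];
        UserInfo storage user = userInfo[_pid][msg.sender];
        uint256 amount = user.amount;
        user.amount = 0;
        user.rewardDebt = 0;
        pool.lpToken.transfer(msg.sender, amount);
    }

    // Modified variant of the kind the letter describes: the forfeited reward is routed to
    // feeAddress, which drags updatePool and a reward-token transfer into the escape hatch.
    function emergencyWithdrawModified(uint256 _pid) external {
        PoolInfo storage pool = poolInfo[_pid];
        UserInfo storage user = userInfo[_pid][msg.sender];
        updatePool(_pid);                                         // vector 1 reverts here
        uint256 pending = user.amount * pool.accTokenPerShare / 1e12 - user.rewardDebt;
        uint256 amount = user.amount;
        user.amount = 0;
        user.rewardDebt = 0;
        if (pending > 0) safeTokenTransfer(feeAddress, pending); // vectors 2 and 3 revert here
        pool.lpToken.transfer(msg.sender, amount);
    }
}
```

The design point is that an escape hatch must not depend on any state a third party controls: emergencyWithdrawStandard has no external call other than the LP transfer back to the user, while emergencyWithdrawModified depends on the emission rate (owner-controlled) and on the reward token's transfer behaviour (controlled by whoever operates that token).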

Emergency withdraw is a safe haven for many investors. The function is so simple that it almost never breaks unless there is hard-rug code. Modifications like these, which can result in all funds being locked, are dangerous for user funds should the project ever turn malicious, and it is therefore in line with our mission to rate these changes as high-risk.

If this is an honest mistake, you could consider moving to a safer version of the MasterChef that takes community safety into greater consideration.

To all users: as this open letter describes, the project has the ability to lock all funds at any point in time without having to go through the TimeLock. Afterwards, the project can take as much time as it wants to update the router and execute the hard-rug vector. The TimeLock is therefore irrelevant. Although the project does look promising, this should be taken into consideration in your decision-making process.


🟢 For owners who have made impactful changes and would like an update to their farm review:

1️⃣ Use #update at @RugDocChat with your description and proof of changes and it will be forwarded to our scanners.

2️⃣ This does not guarantee a change in your review.

3️⃣ Owners who have difficulty solving the issues can consider our Consultation Package – please contact @BaymaxCrypto on Telegram to discuss.

Our mission here at RugDoc is to screen for hard rug code that results in 100% theft of ALL underlying funds for ALL participants.

This is the ONE part of the due diligence process that most people cannot simply do on their own, as it costs thousands of dollars to hire a senior Solidity developer to look over a farm for safety.

A project coin with terrible code can go up in price, and a project with good code and a good team can also go down in price.

Do NOT use our ratings to refer to your likelihood in making money if you invest in the project. They are ONLY in reference to code safety.

Everything else beyond code safety is YOUR responsibility to go do research on. We just make sure the casino you’re betting in won’t rob you before you even get to place a bet.

Our reviews for projects are organized into a few colors.

🟢 Least Risk
These projects are the least likely to hard or soft rug. Usually reserved for cornerstone projects of an ecosystem where it makes no financial sense for them to rug in any manner as they make more money just being legit.

🔵 Low Risk
These projects are usually established projects in an ecosystem that have a track record of success or have KYC’d to us or other authoritative sources in the real world. As a result, it is extremely unlikely for them to soft rug or hard rug their projects. The projects can still fail and the token price can go down, but usually more as a result of natural market forces.

⚪️ Some Risk
This is the default rating for projects with unknown teams whose code is unlikely to carry hard-rug risk. Since the team is unknown and doesn’t have a track record of success, it’s entirely possible that they may try to soft rug by dumping tokens, abandoning the project, etc. Even a last-minute contract swap to a malicious contract is possible. The only thing that is unlikely is a complete hard rug, as long as you are 100% sure you deposit into the contract we reviewed.

🟠 Medium Risk
Similar to Some Risk, but the underlying code itself is custom or complex enough that it warrants an elevated risk rating and deeper research. Read every point presented and make sure you’re comfortable with it before entering. Still unlikely to hard rug, but with more chance of custom code behaving incorrectly and causing other issues.

🔴 High Risk
Project contains code or practices that are HIGHLY LIKELY to lead to catastrophic losses as they are right now. Make sure you read the description carefully as we will always warn what these issues are. If you see the words Hard Rug anywhere in the review, STAY FAR AWAY!

⚫️ Not Eligible
We reserve the right not to review exceedingly complex projects that would require tens of thousands of dollars of senior security analyst man-hours. Typically these are projects that deal with leverage, lending, options, derivatives, and anything else that is overly complex and requires extensive peer review and audits from top audit companies.