One of the greatest dangers of yield farming is the possibility of a rugpull. Think of a farm as a safe you put your money into. A vector for a hard rug (like a migrator in the smart contract) is like having a safe where the manufacturer of that safe (in our case, the developer) has the combination: they would be able to walk right up to your safe and take out 100% of the money you put into it, leaving you with the trust you have in them as your only line of defense.
Now, what does that mean? A farm is nothing but a smart contract. When you interact with a farm, all you are doing is interacting with the code of that smart contract. A malicious developer has full ownership of that smart contract (unless they renounce it, but more on that later). This means they can give themselves access to all of your assets and potentially move 100% of them at once. What a timelock does is make them wait before taking access to the assets or to some other parts of the code. A project that isn't at risk of being rug pulled to begin with doesn't even need a timelock, so you shouldn't trust a project just because it has a timelock on it; it is just another layer of security. Also, the developer can back up the keys before placing them in a timelock, which would be just the same as not having one to begin with.
Don't Take Their Word For It
Another way a developer can be sneaky is by setting a low timer on their timelock, say 2 hours. Or they can redeploy their smart contract without a timelock at all. But no worries, we can verify this thanks to the public nature of the blockchain. For this I am going to use the example of poolsar, a relatively new farm I found and am using only for illustrative purposes (note that this is on the Matic network, but the procedure is pretty much the same on BSC). First things first: we need to get the contract address. A good way of making sure I have the right address is as follows:
1: Go to anywhere you see "Approve Contract"; in this example I will use USDT:
2: When MetaMask opens up, don't click on "confirm"; rather, click on "View full transaction details" and scroll to the bottom:
After the zeros and before the "f"s is where you will find the actual contract address you are dealing with.
3: Copy the address and look it up on Polygonscan (or BscScan for BSC farms), prefixing what you copied with "0x":
4: Now head over to the tab that says "contract" then to the option that says "read contract":
5: Scroll down or hit ctrl+f to find the "owner":
6: Open that address up in an explorer; note that this should be a timelock address:
7: Head over to "read contract" once again and search for "delay":
This will be in seconds. Let's convert them to hours:
So we now see that in fact this farm has a timelock of 48 hours.
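Steps 2 and 7 can also be checked in code. The Python below is an added example, not part of the original walkthrough or of the farm's code: it decodes the hex data of an approve(address,uint256) call to pull out the address sitting between the zeros and the "f"s, and converts a timelock delay from seconds to hours. The sample address is constructed and is not poolsar's.

```python
import re

# First 4 bytes of keccak256("approve(address,uint256)"), the standard ERC-20 approve selector.
APPROVE_SELECTOR = "095ea7b3"
UNLIMITED = 2**256 - 1  # the run of "f"s: an unlimited allowance


def decode_approve(calldata: str) -> dict:
    """Extract the approved contract (spender) and amount from approve() hex data."""
    data = calldata.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector + two 32-byte words = 136 hex characters.
    if not re.fullmatch(r"[0-9a-f]{136}", data):
        raise ValueError("expected 4 + 32 + 32 bytes of hex data")
    selector, spender_word, amount_word = data[:8], data[8:72], data[72:]
    if selector != APPROVE_SELECTOR:
        raise ValueError(f"not an approve() call: selector 0x{selector}")
    # A 20-byte address is left-padded with 12 zero bytes: these are "the zeros".
    if spender_word[:24] != "0" * 24:
        raise ValueError("first argument is not a zero-padded address")
    amount = int(amount_word, 16)
    return {
        "spender": "0x" + spender_word[24:],  # look this up in the explorer
        "amount": amount,
        "unlimited": amount == UNLIMITED,
    }


def delay_hours(delay_seconds: int) -> float:
    """Convert the timelock's delay value (seconds) to hours."""
    return delay_seconds / 3600


# Constructed sample: a made-up spender address with an unlimited approval.
SAMPLE_SPENDER = "1234567890abcdef1234567890abcdef12345678"
SAMPLE_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + SAMPLE_SPENDER + "f" * 64

if __name__ == "__main__":
    print(decode_approve(SAMPLE_CALLDATA))
    print(delay_hours(172800), "hours")  # 172800 s is a 48-hour delay
    print(delay_hours(7200), "hours")    # 7200 s is the "low timer" case of 2 hours
```

If the decoded address does not match the contract the farm's site claims to use, or the selector check fails, stop before confirming the transaction.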