BaseBros Fi, a yield optimization decentralized finance (DeFi) protocol on Base blockchain, disappeared from the internet after stealing its users’ investments through an unaudited smart contract.
On Sept. 13, BaseBros deleted its official website and social media accounts on X and Telegram. Blockchain security firm Chain Audits, who had previously audited some BaseBros smart contracts, found that the DeFi project orchestrated a rug pull via “an unaudited and unverified Vault contract.”
BaseBros had approximately 2,000 followers on X and over 3,300 members on Telegram right before its disappearance.
Vulnerable smart contract went audited
ChainAudits claimed it had audited four of the five smart contracts used in the BaseBros project and added:
“Unfortunately the contract that facilitated the rug pull (Vault Contract) was not included in our audit scope, nor is verified on the blockchain.”
The unaudited contract contained a backdoor vulnerability, allowing the company owners to withdraw funds deposited into the “Strategy” contract.
BaseBros rug pull had no impact on the Seamless protocol
The rug pull event was initially wrongly assumed to impact the Seamless protocol due to similar contract labeling. According to blockchain investigator Cyvers, the bad actor siphoned $130,000 worth of stolen funds through the crypto mixing service Tornado Cash.
Seamless conducted an internal investigation and declared the protocol and its investors’ funds safe from any attacks. Chain Audits also confirmed that BaseBro Fi was the only protocol affected that lost funds from multiple pools.
Related: Indonesian crypto exchange Indodax goes offline after suspected $22M hack
Recently, a seasoned hacker appreciated the attacker responsible for DeFi protocol Penpie’s $27 million hack.
The Penpie hacker received an onchain appreciation message from the Euler Finance hacker, who had stolen $195 million in March 2023.
“Good job bro. I didn’t see a hack like this for a while. I’m happy you kept all the money and didn’t let these bastards get back one dollar of what you took. You won, they lost. Good job.”
However, the Euler Finance hacker had returned 90% of the stolen funds in return for legal immunity and a 10% reward.
Magazine: Proposed change could save Ethereum from L2 ‘roadmap to hell’