BaseBros Fi, a decentralized finance (DeFi) protocol on the Base blockchain, vanished from the internet after using an unaudited smart contract to steal its users’ investments.
On September 13, BaseBros deleted its official website and social media accounts on X and Telegram. The blockchain security firm Chain Audits, which had previously audited some of BaseBros’ smart contracts, discovered that the DeFi project executed a rug pull through an unaudited and unverified Vault contract.
Prior to its disappearance, BaseBros had around 2,000 followers on X and over 3,300 members on Telegram.
Chain Audits stated that it had audited four of the five smart contracts used in the BaseBros project. It said that the unaudited contract contained a backdoor vulnerability that enabled the company owners to withdraw funds deposited into the “Strategy” contract.
Initially, the rug pull was mistakenly assumed to affect the Seamless protocol because of similar contract labeling. Separately, an investigation by blockchain investigator Cyvers revealed that the bad actor funneled $130,000 worth of stolen funds through the crypto mixing service Tornado Cash.
Seamless performed an internal investigation and gave assurances that the protocol and its investors’ funds were safe from any attacks. Chain Audits also confirmed that only the BaseBros Fi protocol was affected and that it suffered losses from multiple pools.
In a related incident, the attacker responsible for the $27 million hack on the DeFi protocol Penpie received appreciation from a seasoned hacker. This hacker, the Euler Finance hacker known for stealing $195 million in March 2023, sent an onchain message expressing admiration for the Penpie hacker. The Euler Finance hacker had returned 90% of the stolen funds in exchange for legal immunity and a 10% reward.