BaseBros Fi Disappears After $130,000 Rug Pull: DeFi Protocol Collapse

BaseBros Fi: A Disappearing Act

BaseBros Fi, a decentralized finance (DeFi) protocol on the Base blockchain, vanished from the internet on September 13. The project, which focused on yield optimization, reportedly stole users’ investments through an unaudited smart contract. The official website and social media accounts on X and Telegram were deleted following the incident.

Details of the Rug Pull

Blockchain security firm Chain Audits, which had previously audited some of BaseBros Fi’s smart contracts, revealed that the protocol executed a rug pull using an unaudited Vault contract. Chain Audits had examined four out of five smart contracts used by BaseBros Fi, but the critical contract involved in the theft was not included in their audit scope. The unaudited contract had a backdoor vulnerability, allowing the perpetrators to withdraw funds from the ‘Strategy’ contract.

Impact and Misconceptions

Initially, there was confusion about whether the rug pull affected the Seamless protocol due to similar contract labeling. However, blockchain investigator Cyvers clarified that the stolen funds, amounting to $130,000, were funneled through the crypto mixing service Tornado Cash. Seamless conducted an internal investigation and confirmed that their protocol and investor funds were safe from this attack.

Chain Audits’ Findings and Reactions

Chain Audits confirmed that BaseBros Fi was the only protocol affected by this rug pull, which led to losses from multiple pools. The incident underscores the risks associated with unaudited and unverified smart contracts in the DeFi space.

FAQs