A DeFi protocol operating on the Base blockchain, BaseBros Fi just vanished after allegedly stealing user funds through an unaudited smart contract.
The project disappeared from the internet, deleting its official website and social media accounts on X and Telegram.
Unaudited smart contract, DeFi’s biggest insider threat
Blockchain security firm Chain Audits, which had previously audited some of BaseBros’ smart contracts, later discovered that the project executed a rug pull using an unaudited and unverified Vault contract.
Before its disappearance, BaseBros collected around 2,000 followers on X and over 3,300 members on Telegram.
https://twitter.com/BaseBrosFi
Chain Audits reported that they had reviewed four out of five smart contracts used by BaseBros, but unfortunately, the contract that enabled the rug pull wasn’t part of their audit.
This unaudited contract had a likely intentional backdoor vulnerability, allowing the owners of BaseBros to withdraw funds from the ‘Strategy’ contract.
Multiple protocols affected?
After the event, there was confusion about whether the rug pull affected the Seamless protocol due to similar contract names.
Cyvers revealed that the attacker stole approximately $130,000 by using the crypto mixing service Tornado Cash, but following this, Seamless did an internal review and confirmed that its protocol and investors’ funds were safe from any threats.
Chain Audits also verified that BaseBros Fi was the only protocol impacted.
🚨ALERT🚨Our system flagged a suspicious transaction involving @SeamlessFi on the #BASE network earlier today.
A malicious contract was deployed on 13.09.2024 at 11:57:04 UTC, and a hack was executed just minutes later at 13:04:40 UTC.
The attacker bridged approximately $130K in… https://t.co/mbDXb3Ku9D pic.twitter.com/1JtLWmXg7w— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 13, 2024
Unfortunately the rug pulls are pretty common in DeFi
This incident highlights again the risks in the DeFi space, because unaudited contracts can lead to painful losses for investors.
And sometimes, they even get attention too. A hacker who had successfully stolen $27 million from the DeFi protocol Penpie received praise from another hacker known for a $195 million hack of Euler Finance in March last year.
The Penpie hacker was congratulated for keeping all the stolen money and not allowing the victims to recover any of it.
Maybe the BaseBros rug pull will be a good reminder again, and it will prompt investors to be more cautious and demand greater transparency and security audits in the DeFi sector. But the promises about huge yields are always tempting.
