BaseBros DeFi project enacts rug pull, steals over $130k
BaseBros Fi, a decentralized finance yield optimization protocol built on the Base blockchain, has vanished, presumably rug-pulling its investors.
According to ChainAudits, the project abruptly disappeared on September 13, deleting its website and all social media accounts on platforms like X and Telegram.
This disappearance is being pegged as a rug pull, leaving investors unable to recover their funds, which totaled over $130,000, according to Cyvers on X.
Rug pull details
The rug pull was facilitated through an unaudited smart contract—a piece of self-executing code used in decentralized finance platforms to manage transactions and strategies. In this case, the contract contained a “backdoor” that allowed the BaseBros team to siphon off funds deposited by users.
Smart contracts are often central to decentralized finance platforms because they automate complex financial operations without the need for intermediaries like banks. However, unaudited smart contracts can be vulnerable to exploits, making investor funds more susceptible to theft.
Chain Audits had previously examined some of BaseBros’ smart contracts. However, it confirmed that the specific contract responsible for the theft, known as the “Vault Contract,” was not part of its earlier audit and had not been verified on the blockchain. The backdoor in this unaudited, unverified contract enabled the BaseBros team to drain user deposits from the project’s “Strategy” contract, stealing the funds without triggering security alarms.
At the time of the rug pull, BaseBros Fi had gained a notable following, with over 2,000 users on X and more than 3,300 members on Telegram. The sudden disappearance shocked the community, who lost access not only to their investments but also to any communication channels with the project team.
According to Cyvers, the BaseBros attackers funneled the stolen $130,000 through Tornado Cash (TORN), a crypto-mixing service designed to obscure the transaction trail. The use of Tornado Cash has become common in DeFi hacks, making it difficult to trace stolen funds.
In July, the ETHTrustFund project on the Base network was rug-pulled, resulting in $2 million in investor losses as developers moved the funds to a new wallet and went silent. Some of the stolen Ethereum (ETH) was laundered through Tornado Cash.