BaseBros Fi, a yield-optimizing DeFi protocol on the Base blockchain, has vanished from the internet after stealing user investments through an unaudited smart contract, Cointelegraph reported.
On September 13, BaseBros deleted its official website and social media accounts on X and Telegram. Blockchain security firm Chain Audits discovered that the DeFi project orchestrated a rug pull through an “unaudited and unverified Vault contract.”
BaseBros had around 2,000 followers on X and more than 3,300 members on Telegram before disappearing.
Chain Audits claims it audited four of the five smart contracts used by the BaseBros project, adding: “Unfortunately, the contract that facilitates the Rug Pull (the Vault contract) was not in the scope of our audit and was not verified on the blockchain.”
The unaudited contract contained a backdoor that allowed the company's owners to withdraw funds deposited into the “Strategy” contract.
The rug pull was initially misattributed to the Seamless protocol. Blockchain investigator Cyvers said the attackers moved $130,000 worth of stolen funds through the Tornado Cash crypto mixing service.
Seamless conducted an internal investigation and announced that the protocol and its investor funds had not been compromised in any way. Chain Audits also confirmed that BaseBros Fi was the only affected protocol, with funds from multiple pools stolen.