According to Cointelegraph, BaseBros Fi, a yield optimization decentralized finance (DeFi) protocol on the Base blockchain, vanished from the internet after allegedly stealing its users’ investments through an unaudited smart contract.

Source: BaseBrosFi

On September 13, BaseBros deleted its official website and social media accounts on X and Telegram. Blockchain security firm Chain Audits, which had previously audited some BaseBros smart contracts, discovered that the DeFi project orchestrated a rug pull via an unaudited and unverified Vault contract. BaseBros had approximately 2,000 followers on X and over 3,300 members on Telegram before its disappearance.

Source: Chain Audits

Chain Audits claimed it had audited four of the five smart contracts used in the BaseBros project. However, the contract that facilitated the rug pull (Vault Contract) was not included in their audit scope nor verified on the blockchain. This unaudited contract contained a backdoor vulnerability, allowing the company owners to withdraw funds deposited into the ‘Strategy’ contract.

Source: Cyvers

The rug pull event was initially wrongly assumed to impact the Seamless protocol due to similar contract labeling. According to blockchain investigator Cyvers, the bad actor siphoned $130,000 worth of stolen funds through the crypto mixing service Tornado Cash. Seamless conducted an internal investigation and declared the protocol and its investors’ funds safe from any attacks. Chain Audits also confirmed that BaseBros Fi was the only protocol affected that lost funds from multiple pools.

Recently, a seasoned hacker appreciated the attacker responsible for DeFi protocol Penpie’s $27 million hack. The Penpie hacker received an on-chain appreciation message from the Euler Finance hacker, who had stolen $195 million in March 2023. The Euler Finance hacker had returned 90% of the stolen funds in return for legal immunity and a 10% reward.