BaseBros Fi, a decentralized finance yield optimization protocol built on the Base blockchain, has disappeared, leaving its investors in a difficult situation.
According to ChainAudits, the project suddenly disappeared on September 13, deleting its website and all social media accounts on platforms like X and Telegram.
According to Cyvers on X, the disappearance is being treated as a rug-pulling incident that has left investors unable to recover funds totaling over $130,000.
Carpet pulling details
The rug-pulling operation was facilitated through an unaudited smart contract, a self-executing piece of code used to manage transactions and strategies on decentralized finance platforms. In this case, the contract contained a “backdoor” that allowed the BaseBros team to embezzle funds deposited by users.
Source: BaseBro’s deleted X profile
Smart contracts are often central to decentralized finance platforms because they automate complex financial transactions without the need for intermediaries like banks. However, unregulated smart contracts can be vulnerable to exploitation and make investor funds more vulnerable to theft.
Chain Audits had previously examined some of BaseBros’ smart contracts. Chain Audits confirmed that the specific contract responsible for the theft, known as the “Vault Contract,” was not part of their previous audits and had not been verified on the blockchain. The vulnerability allowed the BaseBros team to siphon user deposits from the project’s “Strategy” contract and steal the funds without triggering security alarms.
At the time of the rug pull, BaseBros Fi had gained a significant following, with over 2,000 users on X and over 3,300 members on Telegram. The sudden disappearance shocked the community, who lost access not only to their investments but also to all communication channels with the project team.
According to Cyvers, the BaseBros attackers transferred the stolen $130,000 via Tornado Cash (TORN), a crypto mixing service designed to obscure the transaction trail. The use of Tornado Cash has become common in DeFi attacks, making it difficult to track the stolen funds.
In July, the ETHTrustFund project on the Base network was completely shut down, causing investors to lose $2 million as developers moved funds to a new wallet and went silent. Some of the stolen Ethereum (ETH) was laundered through Tornado Cash.