BaseBros Fi, a yield optimization project on the Base blockchain, has vanished from the internet after allegedly executing a rug pull, leaving investors in disarray. On September 13, the project’s official website and social media channels on X and Telegram were deleted, suggesting an abrupt exit. The rug pull was linked to an unaudited and unverified Vault contract, according to blockchain security firm Chain Audits.
Before its sudden disappearance, BaseBros had garnered around 2,000 followers on X and more than 3,300 members on Telegram. Chain Audits clarified that while it had reviewed four of the five smart contracts used by BaseBros, the Vault contract—the one used for the rug pull—was not included in its audit scope. This unverified contract had a backdoor vulnerability, allowing its creators to drain funds deposited into a “Strategy” contract.
The rug pull initially raised concerns about the Seamless protocol, due to similar contract labeling. However, an investigation by Seamless and the blockchain analyst Cyvers confirmed that only BaseBros was affected, with $130,000 funneled through the crypto mixer Tornado Cash.
Meanwhile, the recent $27 million Penpie hack drew praise from a notorious hacker behind the $195 million Euler Finance breach. In an onchain message, the Euler hacker commended the Penpie attacker, even though the Euler hacker had previously returned 90% of the funds they themselves had stolen in exchange for legal immunity.
The BaseBros incident highlights the ongoing risks within the DeFi sector, especially when dealing with unaudited contracts.