BaseBros Fi, a decentralized finance (DeFi) yield optimization protocol operating on the Base blockchain, has abruptly disappeared, leaving users without access to their investments.
On September 13, 2024, the project’s website, social media presence on X, and Telegram were all deleted. Investigations revealed that the project exploited an unaudited smart contract, which allowed it to drain users’ funds.
This unaudited contract allowed the project’s operators to withdraw assets from what was referred to as the “Strategy Contract.”
The result was the rapid draining of multiple investment pools. The attackers funneled approximately $130,000 worth of stolen funds through Tornado Cash, a crypto-mixing service known for obfuscating transaction origins.
BaseBros DeFi Protocol, $130K Stolen: How Did They Execute the Rug Pull?
The rug pull orchestrated by BaseBros shocked its community, which included 2,000 followers on X and more than 3,300 members on Telegram.
Before its vanishing act, the DeFi project had actively promoted its yield optimization features and promised high returns on the Base blockchain.
Chain Audits, which had previously audited parts of BaseBros’ operation, clarified that while four of the project’s contracts had passed inspection, the Vault contract—the critical element in the theft—had not been included in their audit scope.
This omission left the door open for the exploit, as the unaudited Vault contract contained a hidden backdoor, allowing BaseBros to manipulate the system and transfer user funds out of the platform.
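The audit-scope gap described above, as an added example (not code from BaseBros, Chain Audits or this article): a check that walks every contract user funds can reach from the deposit entry point and flags any contract the audit does not cover, or whose deployed code no longer matches what was audited. Only the Vault and Strategy names come from the article; the other contract names, addresses, code fingerprints and fund-flow edges are constructed placeholders.

```python
from collections import deque

# Constructed sample data. Only "Vault" and "Strategy" are names from the
# article; other names, addresses, fingerprints and edges are placeholders.
DEPLOYMENT = {
    "Vault":      {"address": "0xVAULT_PLACEHOLDER", "code_hash": "fp-vault",
                   "moves_funds_to": ["Strategy"]},
    "Strategy":   {"address": "0xSTRATEGY_PLACEHOLDER", "code_hash": "fp-strategy",
                   "moves_funds_to": ["RewardPool"]},
    "RewardPool": {"address": "0xREWARDPOOL_PLACEHOLDER", "code_hash": "fp-rewardpool",
                   "moves_funds_to": []},
}

# Audit scope as a report would pin it: address -> fingerprint of reviewed code.
# Four contracts in scope and the Vault absent, matching the article's account.
AUDITED = {
    "0xSTRATEGY_PLACEHOLDER": "fp-strategy",
    "0xREWARDPOOL_PLACEHOLDER": "fp-rewardpool",
    "0xTOKEN_PLACEHOLDER": "fp-token",
    "0xZAP_PLACEHOLDER": "fp-zap",
}

def audit_gaps(deployment, audited, entry):
    """Breadth-first walk of the fund path starting at `entry`.
    Returns (contract, reason) for every contract the audit does not cover."""
    findings, seen, queue = [], {entry}, deque([entry])
    while queue:
        name = queue.popleft()
        info = deployment.get(name)
        if info is None:
            findings.append((name, "not in deployment manifest"))
            continue
        pinned = audited.get(info["address"])
        if pinned is None:
            findings.append((name, "address not in audit scope"))
        elif pinned != info["code_hash"]:
            findings.append((name, "deployed code differs from audited code"))
        for nxt in info["moves_funds_to"]:
            if nxt not in seen:  # avoid revisiting contracts in cyclic flows
                seen.add(nxt)
                queue.append(nxt)
    return findings

if __name__ == "__main__":
    for contract, reason in audit_gaps(DEPLOYMENT, AUDITED, "Vault"):
        print(f"UNCOVERED: {contract}: {reason}")
```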
The mislabeling of the contracts further added to the confusion, initially leading some to believe that the Seamless protocol, another DeFi project on the Base blockchain, had also been compromised.
However, upon further investigation, it was determined that Seamless was unaffected by the attack.
According to Cyvers, a blockchain investigator, the confusion arose from similar contract titles used by BaseBros, which led to the false assumption that Seamless was involved.
Despite the proximity in timing and labeling, both Chain Audits and Seamless confirmed that only BaseBros had suffered a breach, with Seamless's contracts and user funds remaining intact.
Blockchain security firms such as Cyvers tracked the movement of the stolen assets. They revealed that the perpetrators bridged the funds to the Ethereum network before funneling them into Tornado Cash.
Users, particularly those newer to decentralized finance, were once again reminded of the inherent risks of investing in crypto.
The lure of high returns often blinds investors to potential security flaws and even scammy aspects of these systems.
Blockchain security firms have urged users to exercise extreme caution when engaging with DeFi projects, particularly those without completed and verified audits.
This type of scam is not new; many rug pulls happen daily on open blockchains like Solana.
Rug pulls and related scams totaled over $765 million last year. The market faced $1.7 billion in cryptocurrency theft by malicious individuals, and rug pulls constituted a substantial portion of the losses.
The most popular form involves tokens that live for less than a day, often referred to as one-day rug pulls. These flash-in-the-pan tokens are minted and hyped and then disappear within 24 hours.
For hackers, crypto exchanges remain prime targets, with multi-million-dollar attacks continuing into 2024. Chainalysis reports a 2.8% rise in hacking attacks this year, and by mid-2024, the total value of stolen cryptocurrencies had already reached $1.58 billion, an 84% increase from 2023.
Japan, once a major player in the crypto world, has been severely impacted by hacks, such as the Mt. Gox and Coincheck breaches, which eroded investor confidence.
Japanese platforms, like bitFlyer, face sophisticated attacks, including phishing, social engineering, and AI-generated scams. Despite all these security challenges, exchanges are also fighting back by collaborating with law enforcement, sharing data, and implementing advanced security measures.