Key Takeaways
- Blockchain security firm Chain Audits revealed that the rug pull was orchestrated through an unaudited and unverified “Vault” contract
- The attacker reportedly laundered approximately $130,000 worth of stolen funds through Tornado Cash
BaseBros Fi, a decentralized finance (DeFi) yield optimization protocol on the Base blockchain, abruptly disappeared on September 13, taking with it users’ investments. Without warning, the project’s website was wiped, and its social media accounts on X (formerly Twitter) and Telegram were deleted. Investors were left with significant financial losses and no explanation from the team behind BaseBros.
Blockchain security firm Chain Audits revealed that the rug pull was orchestrated through an unaudited and unverified “Vault” contract, which had not been part of their original security review. Although Chain Audits had audited four out of the five smart contracts BaseBros used, the contract responsible for the theft contained a hidden backdoor. This allowed the project’s owners to siphon user funds deposited in a separate “Strategy” contract.
The rug pull led to confusion initially, as it was mistakenly thought to have affected another protocol, Seamless, due to the similarities in contract labeling. However, blockchain investigator Cyvers confirmed that the attack was limited to BaseBros.
According to Cyvers, the attacker laundered approximately $130,000 worth of stolen funds through cryptocurrency mixer- Tornado Cash. Seamless, which was briefly suspected of being involved, conducted an internal investigation and declared that both its protocol and its investors were unaffected. Chain Audits further confirmed that BaseBros Fi was the sole platform impacted by the breach, which drained multiple pools of user funds.
The latest development also brings into the spotlight the increasing phenomenon of hackers leveraging crypto mixers to launder funds. Crypto Mixers use an algorithmic technique to disguise who each of the coins belongs to, where they came from, and by whom they’ll be withdrawn.
In July, two wallets linked to the CoinStats exploit also transferred 311 ETH to Tornado Cash. Earlier this year, the hacker behind the $25 million breach at Kronos Research transferred another $2.6 million worth of Ether to Tornado Cash.