BaseBros Finance Bridge Audited Rug Pull
BaseBros Finance promised to launch a bridging service that would simplify moving assets between chains for users new to DeFi. Four of the project's five smart contracts were audited by the third-party auditing firm ChainAudits. The fifth, the Vault contract, was neither audited nor source-verified on the block explorer, so its code could not be inspected by the auditors or by users. The BaseBros team used this contract to drain the deposited funds and then deleted its website and social media accounts. ChainAudits has subsequently published a post-mortem. Users appear unlikely to recover their funds, although investigation is ongoing.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About Base Blockchain
"Base is a secure, low-cost, builder-friendly Ethereum L2 built to bring the next billion users onchain.
Base is incubated within Coinbase and plans to progressively decentralize in the years ahead. We believe that decentralization is critical to creating an open, global cryptoeconomy that is accessible to everyone."
About BaseBros Finance
"The ecosystems surrounding L1 and L2 networks, and other chains are unable to interact with each other efficiently, resulting in poor user and development experiences alongside significant friction such as requiring the knowledge to know which bridge offers the best experience for any specific chain. Base Bros aim to revolutionize this landscape by developing a solution that will create a much smoother, frictionless and intuitive user experience especially for users new to DeFi."
"BaseBros had approximately 2,000 followers on X and over 3,300 members on Telegram"
The Reality
"ChainAudits accepted the BaseBros Fi audit request that included the Brewery, Strategy, FeeManager, and Staking contracts, all of which were later audited by [the ChainAudits] team. The Brewery and Strategy contracts included in the scope were 1:1 forks of Beefy Finance, that the team communicated to have sourced from their public Github repository. The Vault Contract however, which contained the backdoor vulnerability leading to the rug pull, was neither audited by [ChainAudits] nor verified on the blockchain."
What Happened
"The yield-optimizing DeFi protocol BaseBros Fi has vanished after executing a rug pull via an unaudited smart contract."
Date | Event | Description |
---|---|---|
April 19th, 2024 9:14:14 AM MDT | First Archive Capture | The first capture of the BaseBros homepage on the internet archive, with a slogan that "[b]ros will never let you go broke". |
September 4th, 2024 1:07:24 AM MDT | Documentation Capture | The documentation is captured on the internet archive, however this does not appear to load any information. |
September 4th, 2024 7:45:00 AM MDT | BaseBros Finance Audit Completed | The BaseBros Finance audit is announced and released by the ChainAudits team. It can be viewed on GitHub. |
September 11th, 2024 12:24:31 PM MDT | Final Archive Capture | The final capture of the BaseBros homepage on the internet archive. |
September 12th, 2024 9:22:00 PM MDT | Final Referral Promotion | The BaseBros project promoted itself through a referral program where participants were given links with codes that they could share to promote the project to others to join. The final referral tweet is captured on Twitter. |
September 13th, 2024 5:57:04 AM MDT | Malicious Smart Contract Deployment | The malicious smart contract involved in the rug pull is deployed. |
September 13th, 2024 7:04:40 AM MDT | Attack Drains The Funds | The attack transaction which drained the funds in the rug pull. |
September 13th, 2024 11:24:00 AM MDT | Cyvers Initial Tweet | Cyvers posts an alert with an initial tweet that claims the attack was against Seamless Finance, which in fact had not suffered any attack. |
September 14th, 2024 5:40:00 AM MDT | ChainAudits Incident Report | ChainAudits provides a report about the BaseBros incident on Twitter. |
September 16th, 2024 2:26:46 PM MDT | VI CRYPTO YouTube Video | A YouTube video by VI CRYPTO covers the incident using an artificial intelligence voice. |
September 17th, 2024 6:51:53 AM MDT | NerdBunny YouTube Video | NerdBunny posts a YouTube short video about the incident on YouTube. |
Technical Details
The project deployed five core contracts: Brewery, Strategy, FeeManager, Staking and Vault. The first four were in ChainAudits' audit scope, and the Brewery and Strategy contracts were 1:1 forks of Beefy Finance. The Vault contract, through which the funds were drained, was outside the audit scope, and its source code was never verified on the block explorer, so neither the auditors nor users could read it. According to ChainAudits it contained a backdoor that let the team gain control of and drain the ecosystem funds. The contract used in the rug pull was deployed on September 13th, 2024 at 5:57 AM MDT, and the draining transaction followed at 7:04 AM MDT. The sources cited here do not describe the backdoor's mechanics beyond this.
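The practical lesson of this case is that an audit covers only the contracts in its scope, and a contract whose source is not verified on the explorer cannot be read by anyone outside the team. The following script, added here as an illustration and not code from BaseBros, ChainAudits or any of the cited sources, cross-checks the set of contracts a dApp actually uses against the audit scope and against each contract's verification status as reported by an Etherscan-compatible explorer such as Basescan. The contract names come from the ChainAudits post-mortem; the addresses and the explorer responses are constructed placeholders that mimic the shape of a `getsourcecode` reply, so the script runs offline.

```python
"""Cross-check deployed contracts against audit scope and source verification.

Added example: names follow the ChainAudits post-mortem, but the addresses and
explorer responses below are constructed placeholders, not real on-chain data.
"""

# Contracts the dApp front end interacts with. Addresses are fake placeholders.
DEPLOYED_CONTRACTS = {
    "Brewery":    "0x" + "11" * 20,
    "Strategy":   "0x" + "22" * 20,
    "FeeManager": "0x" + "33" * 20,
    "Staking":    "0x" + "44" * 20,
    "Vault":      "0x" + "55" * 20,
}

# The four contracts ChainAudits reported as being within their audit scope.
AUDIT_SCOPE = {"Brewery", "Strategy", "FeeManager", "Staking"}


def _explorer_entry(contract_name: str, verified: bool) -> dict:
    """One entry of the "result" list in an Etherscan-style getsourcecode reply.

    Constructed to mirror the real shape: a verified contract carries its source
    and ABI; an unverified one has an empty SourceCode and an ABI field holding
    the explorer's "not verified" message.
    """
    if verified:
        return {
            "SourceCode": f"// SPDX-License-Identifier: MIT\ncontract {contract_name} {{}}",
            "ABI": "[]",
            "ContractName": contract_name,
        }
    return {"SourceCode": "", "ABI": "Contract source code not verified", "ContractName": ""}


# Constructed sample replies keyed by address; only the Vault is unverified.
SAMPLE_EXPLORER_RESPONSES = {
    DEPLOYED_CONTRACTS["Brewery"]:    {"status": "1", "message": "OK", "result": [_explorer_entry("Brewery", True)]},
    DEPLOYED_CONTRACTS["Strategy"]:   {"status": "1", "message": "OK", "result": [_explorer_entry("Strategy", True)]},
    DEPLOYED_CONTRACTS["FeeManager"]: {"status": "1", "message": "OK", "result": [_explorer_entry("FeeManager", True)]},
    DEPLOYED_CONTRACTS["Staking"]:    {"status": "1", "message": "OK", "result": [_explorer_entry("Staking", True)]},
    DEPLOYED_CONTRACTS["Vault"]:      {"status": "1", "message": "OK", "result": [_explorer_entry("Vault", False)]},
}


def lookup_sample(address: str) -> dict:
    """Stand-in for an HTTP call to ?module=contract&action=getsourcecode&address=...

    Unknown addresses return the explorer's error shape, where "result" is a
    string rather than a list.
    """
    return SAMPLE_EXPLORER_RESPONSES.get(address, {"status": "0", "message": "NOTOK", "result": "Error!"})


def is_source_verified(response: dict) -> bool:
    """True only if the reply is well-formed and carries published source."""
    if response.get("status") != "1":
        return False
    result = response.get("result")
    if not isinstance(result, list) or not result or not isinstance(result[0], dict):
        return False
    entry = result[0]
    has_source = bool(entry.get("SourceCode"))
    abi_ok = "not verified" not in str(entry.get("ABI", "")).lower()
    return has_source and abi_ok


def audit_gap_report(deployed: dict, audit_scope: set, lookup) -> dict:
    """Map contract name -> list of problems. Empty dict means every contract the
    dApp uses is both inside the audit scope and source-verified."""
    findings = {}
    for name, address in deployed.items():
        issues = []
        if name not in audit_scope:
            issues.append("not in audit scope")
        if not is_source_verified(lookup(address)):
            issues.append("source not verified on explorer")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_gap_report(DEPLOYED_CONTRACTS, AUDIT_SCOPE, lookup_sample).items():
        print(f"{name}: {', '.join(issues)}")
```

Against the constructed sample the report flags only the Vault, on both counts. Replacing `lookup_sample` with a real explorer query is the only change needed to run this against a live deployment; the contract list must come from what the front end actually calls (for example, the addresses in approval and deposit transactions), not from the audit report, since the whole point is to find what the audit did not cover.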
Total Amount Lost
The total amount lost has been estimated at approximately $130,000.
Immediate Reactions
"This morning, several security parties flagged suspicious transactions.
@SeamlessFi was not exploited.
@ChainAudits_io will publish a post-mortem. All further details will come from their official comms."
"On Sept. 13, BaseBros deleted its official website and social media accounts on X and Telegram. Blockchain security firm Chain Audits, who had previously audited some BaseBros smart contracts, found that the DeFi project orchestrated a rug pull via “an unaudited and unverified Vault contract.”"
"On 13.09.2024, BaseBros Fi on the Base blockchain deleted their entire social presence, including all accounts and messages, after gaining control of and draining ecosystem funds through an unaudited and unverified Vault contract. Our blockchain security company, ChainAudits, had audited 4 out of the 5 key smart contracts used in the project. Unfortunately, the contract that facilitated the rug pull (Vault Contract) was not included in our audit scope, nor is it verified on the blockchain."
Ultimate Outcome
On September 13th, 2024, the day of the drain, the BaseBros team deleted its website and its X and Telegram accounts. ChainAudits, which had audited four of the project's five contracts, published a post-mortem attributing the loss to the unaudited and unverified Vault contract. No recovery of funds has been reported, and the sources cited here mention no prosecutions or lawsuits.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Investigation into the incident is ongoing. No recovery of funds has been reported.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
[1] https://web.archive.org/web/20240916181825/https://hacked.slowmist.io/ (Accessed Oct 15, 2024)
[2] https://cointelegraph.com/news/basebros-fi-defi-rug-pull-smart-contract-base (Accessed Oct 21, 2024)
[3] @BaseBrosFi Twitter (Accessed Oct 21, 2024)
[4] Projects/2024/BaseBrosFi/ChainAudits_PostMortem_BaseBros_Rug_Post_Mortem.pdf at main · ChainAudits/Projects · GitHub (Accessed Oct 21, 2024)
[5] Base (Accessed Oct 21, 2024)
[6] About Base | Base (Accessed Oct 21, 2024)
[7] BaseBros (Accessed Oct 21, 2024)
[8] - YouTube (Accessed Oct 21, 2024)
[9] - YouTube (Accessed Oct 21, 2024)
[10] GitBook (Accessed Oct 21, 2024)
[11] @AerodromeFi Twitter (Accessed Oct 21, 2024)
[12] @HalagaTomas Twitter (Accessed Oct 21, 2024)
[13] @Austin_XX Twitter (Accessed Oct 21, 2024)
[14] @AnHoang98181289 Twitter (Accessed Oct 21, 2024)
[15] @shenqimumu Twitter (Accessed Oct 21, 2024)
[16] @shivani8630 Twitter (Accessed Oct 21, 2024)
[17] @CyversAlerts Twitter (Accessed Oct 21, 2024)