Blast Blockchain Reaches $400 Million In Locked Assets
- Posted on November 25, 2023 8:41 PM
- Cryptocurrency Exchanges News
- 171 Views
According to the statistics from the blockchain analytics platform DeBank, the Web3 protocol Blast blockchain has accumulated over $400 million in total locked value (TVL) in just four days since its launch. However, in a social media post dated November 23, Jarrod Watts, a developer relations engineer at Polygon Labs, claimed that the new network posed significant security risks due to centralization.
In response to the criticism, the Blast team addressed the concerns through their own Twitter account but did not directly reference Watts' statements. Blast asserted in their statements that the network is as decentralized as other Layer 2s like Optimism, Arbitrum, and Polygon.
On multisig security.
— Blast (@Blast_L2) November 24, 2023
Read this thread to understand the security model of Blast along with other L2s like Arbitrum, Optimism, and Polygon.
According to its official website, the Blast blockchain claims to be the "only Ethereum L2 with native yield for ETH and stablecoins." The website also states that Blast allows users' balances to be "automatically compounded" and stablecoins sent to it are automatically converted into "USDB," a stablecoin automatically compounded through MakerDAO's T-Bill protocol. While the Blast team has not yet published technical documents explaining how the protocol operates, they mention that these will be released during the airdrop scheduled for January.
Watts alleged that Blast has "only 3/5 multisig" structure, suggesting that Blast might be less secure or more centralized than users perceive. He explained that if an attacker were to compromise the keys of three out of five team members, they could potentially steal all the crypto assets deposited into the contracts.
"Blast is just a 3/5 multisig..."
— Jarrod Watts (@jarrodWattsDev) November 23, 2023
I spent the past few days diving into the source code to see if this statement is actually true.
Here's everything I learned:
According to Watts, Blast contracts can be upgraded through a multi-signature wallet account such as Safe (formerly known as Gnosis Safe). The account requires three out of five signatures to authorize any transaction. However, if the private keys generating these signatures are compromised, the contracts can be upgraded to produce any code the attacker desires. This means that an attacker achieving this could transfer the entire $400 million TVL to their account.
Additionally, Watts, despite the development team's claim, argued that Blast is "not a layer 2." Instead, Blast only "accepts funds from users" and "users deposit their funds into protocols like LIDO," and a real bridge or testnet is not used for these transactions. According to Watts, Blast also lacks a withdrawal function. He claimed that users must trust that developers will implement the withdrawal function at some point in the future when they want to withdraw funds.
Watts also claimed that Blast includes an "enableTransition" function that can be used to set any smart contract as "mainnetBridge," allowing an attacker to steal all user funds without the need to upgrade the contract.
Despite all these negative thoughts, Watts expressed that he did not believe Blast would lose its funds. He stated, "Personally, I don't think the funds will be stolen if I had to guess." However, he also warned, "Personally, I think it's risky to send the funds to Blast as it currently stands."
The Blast team, in a message shared on their X account, stated that their protocol is as secure as other layer-2 solutions. The team said, "Security is on a spectrum (nothing is 100% secure) and has many dimensions." The project team concluded their statement by saying, "An unupgradable contract might be considered more secure than an upgradable one, but this view could be incorrect. If a contract is unupgradable but contains bugs, you're dead in the water."
The Blast team claims to use upgradable contracts for this reason. However, the team stated that the keys to the secure account are held in cold storage and managed by an independent party. The keys are geographically separated. The team showed this structure as a highly effective way to protect user funds. L2s like Arbitrum, Optimism, and Polygon also use this method.
Blast is not the only protocol criticized for using upgradable contracts. In January, James Prestwich, the founder of Summa, argued that the Stargate bridge also had the same issue. In December 2022, the Ankr protocol was exploited when its smart contract was upgraded to allow the creation of 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) from scratch. In the Ankr case, the upgrade process was carried out by a former employee who entered the developer database to obtain the distributor key.