Data from blockchain analytics company DeBank shows that in the four days since its inception, the Web3 protocol Blast network has gained almost $400 million in total value locked (TVL). However, Polygon Labs developer relations engineer Jarrod Watts asserted in a social media discussion on November 23 that the new network’s centralization presents serious security vulnerabilities.
Using its own X (formerly Twitter) account, the Blast team addressed the criticism without specifically mentioning Watts’ thread. Blast asserted in a separate discussion that the network is just as decentralised as other layer 2s, such as Polygon, Arbitrum, and Optimism.
Marketing materials on Blast Network’s official website state that it is “the only Ethereum L2 with native yield for ETH and stablecoins.” According to the website, stablecoins supplied to Blast are converted into “USDB,” a stablecoin that automatically compounds using MakerDAO’s T-Bill protocol, and users’ balances are “auto-compounded.” The Blast team has not yet published technical documentation outlining how the protocol operates, but it is scheduled to be released in conjunction with the airdrop in January.
In his initial post, Watts said that Blast “is just a 3/5 multisig,” implying that it may be less safe or decentralised than users think. According to him, an attacker who manages to seize the keys of three of the five team members can withdraw all the cryptocurrency deposited into the team’s contracts.
Watts claims that the Blast contracts can be upgraded through a Safe (formerly known as Gnosis Safe) multisignature wallet account. The account needs three of its five signatures to approve a transaction. If the private keys that generate these signatures are compromised, however, the contracts can be upgraded to contain any code the attacker wants. This implies that a successful attacker could move all $400 million TVL to their own account.
Furthermore, Watts asserted that, despite the development team’s claims, Blast “is not a layer 2.” He claimed that Blast does not actually employ a testnet or bridge to carry out these transactions; instead, it only “accepts funds from users” and “stakes users’ funds into protocols like LIDO.” Moreover, it lacks a withdrawal feature. According to Watts, customers who want to withdraw in the future will need to trust that the developers will eventually add a withdrawal feature.
In addition, according to Watts, Blast has a feature called “enableTransition” that allows any smart contract to be set as the “mainnetBridge,” meaning that an attacker could take all of the customers’ money without having to upgrade the contract.
Watts stated that, in spite of these attack routes, he did not think Blast would lose its money. “If I had to speculate, I don’t think the money will be stolen,” he said. However, he warned, “I personally think it’s risky to send Blast funds in its current state.”
The Blast team claimed that their protocol is just as safe as other layer-2s in a thread posted from its own X account. Nothing is 100% safe, according to the team, and security is a spectrum with numerous facets. A contract that cannot be upgraded could appear to be more secure than one that can, but this perception is not always accurate. “You are dead in the water” if a contract isn’t upgradeable but has issues, the post said.
According to the Blast team, this is the exact reason the protocol makes use of upgradeable contracts. The team added that the Safe account’s keys are “managed by an independent party, geographically separated, and kept in cold storage.” This is a “very effective” way to protect user funds, according to the team, which is “why L2s like Arbitrum, Optimism [and] Polygon” also employ it.
Blast is not the only protocol to face criticism for having contracts that can be upgraded. James Prestwich, the inventor of Summa, claimed in January that the Stargate bridge had the same issue. The Ankr protocol was exploited in December 2022 when an upgrade to its smart contract made it possible to arbitrarily mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc). Ankr’s upgrade was carried out by a former employee who gained access to the deployer key by breaking into the developer’s database.