Is Blast Network Really Decentralized and Secure?

Web3 protocol Blast network has gained over $400 million in total value locked (TVL) in the four days since it was launched, according to data from blockchain analytics platform DeBank. However, the success of Blast network has not come without controversy. Polygon Labs developer relations engineer Jarrod Watts recently raised concerns about the network’s security risks due to centralization. In response, the Blast team defended their network’s decentralization claims, but the debate about Blast’s security and integrity persists.

Blast network positions itself as “the only Ethereum L2 with native yield for ETH and stablecoins,” according to its official website. The marketing material also highlights Blast’s ability to “auto-compound” users’ balances and convert stablecoins into “USDB” through MakerDAO’s T-Bill protocol. Despite these claims, the Blast team has not released technical documents explaining how the protocol works, leaving many skeptical about its legitimacy.

Watts expressed concerns about Blast’s security and decentralization, stating that it is “just a 3/5 multisig.” This means that if an attacker compromises three out of five team members’ keys, they could potentially steal all the crypto deposited into Blast’s contracts. Watts further explained that Blast’s contracts can be upgraded through a Safe multisignature wallet account, which requires three out of five signatures for any transaction authorization. If the private keys associated with these signatures are compromised, the contracts can be upgraded to execute any code desired by an attacker, allowing them to transfer the entire $400 million TVL to their own account.

Another issue raised by Watts is Blast’s lack of a withdrawal function. Without this function, users must trust that the developers will implement it in the future to access their funds. This dependency on the developers introduces significant risks, as users have no guarantee of when or if they will be able to retrieve their funds.

Watts also pointed out that Blast contains an “enableTransition” function, which can designate any smart contract as the “mainnetBridge.” If an attacker gains control of this function, they could potentially steal all users’ funds without the need for contract upgrades. These vulnerabilities, coupled with the lack of clear technical documentation, raise concerns about Blast’s security and potential for exploitation.

In response to the criticism, the Blast team defended their protocol’s security and decentralization claims. They argue that security exists on a spectrum and that non-upgradeable contracts with bugs can be equally risky. The Blast team claims to use upgradeable contracts to address potential bugs and vulnerabilities. They also emphasize that the keys for the Safe account, which controls contract upgrades, are kept in cold storage and managed by an independent party, adding an additional layer of security.
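The "3/5 multisig" concern and the team's point about key custody can be put into numbers. The following is an added example, not code from Blast, Watts, or the article: it computes the probability that an attacker ends up holding at least the signing threshold of keys, first with every key failing independently and then with several keys exposed by a single custody breach. The per-key breach probability and the custody groupings are constructed values chosen only for illustration.

```python
from math import comb


def p_threshold_met(n, k, p):
    """P(at least k of n keys compromised), each independently with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def p_threshold_met_grouped(groups, k):
    """Same question when keys share custody.

    groups: list of (keys_in_group, p_breach). One breach of a group exposes
    every key in it; groups are breached independently of each other.
    """
    # dist[j] = probability that exactly j keys are in attacker hands so far
    dist = [1.0]
    for keys, p in groups:
        nxt = [0.0] * (len(dist) + keys)
        for held, prob in enumerate(dist):
            nxt[held] += prob * (1 - p)      # this group stays safe
            nxt[held + keys] += prob * p     # this group is breached
        dist = nxt
    return sum(dist[k:])


P_KEY = 0.10  # constructed per-holder breach probability, not a measured figure


def scenarios(p=P_KEY, k=3):
    """3-of-5 threshold under three hypothetical custody layouts."""
    return {
        "five independent holders": p_threshold_met_grouped([(1, p)] * 5, k),
        "three keys with one custodian": p_threshold_met_grouped(
            [(3, p), (1, p), (1, p)], k
        ),
        "all five with one custodian": p_threshold_met_grouped([(5, p)], k),
    }


if __name__ == "__main__":
    for name, prob in scenarios().items():
        print(f"{name:32s} {prob:.5f}")
```

With the constructed 10% figure, five independent holders give 0.00856, while either shared-custody layout gives 0.10: once three keys sit behind one point of failure, the threshold adds nothing beyond that custodian's own security.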

The Blast team’s use of upgradeable contracts is not an isolated practice, as other layer-2 solutions like Arbitrum, Optimism, and Polygon also employ similar methods. However, it is worth noting that protocols with upgradeable contracts have faced criticism and vulnerabilities in the past. Stargate bridge and Ankr protocol serve as examples where upgradeable contracts led to security breaches and unauthorized creation of tokens. These incidents highlight the potential risks associated with upgradeable contracts and the need for comprehensive security measures.

While Blast network has quickly gained substantial value locked, doubts persist regarding its security and decentralization. The lack of technical documentation and the controversy surrounding centralized control through multisig keys and upgradeable contracts raise valid concerns. Users should carefully evaluate the risks involved before depositing funds into the protocol. The Blast team’s response provides some reassurances, but historical precedents remind us that even seemingly well-designed protocols can be vulnerable. Ultimately, it is crucial for users to exercise caution and make informed decisions about participating in networks like Blast. Only time will tell if Blast network can address these concerns and establish itself as a reliable and secure layer-2 solution in the Web3 ecosystem.
