Blast Network Amasses $400M in Days Amid Security and Decentralization Concerns
Summary:
The Blast network, a Web3 protocol, has accumulated over $400 million in total value locked (TVL) within four days of its launch. However, concerns about its security and decentralization were raised by Jarrod Watts, a developer relations engineer at Polygon Labs. Watts claims that if an attacker gains control of three out of five team members’ keys in Blast's 3/5 multisig mechanism, they could potentially steal all crypto deposited into contracts. Despite these warnings, the Blast team maintains they follow best practice security protocols similar to other Layer-2 platforms and that keys associated with their contracts are securely stored.
In merely four days subsequent to its inception, blockchain protocol Blast network has amassed over $400 million in total locked-in value (TVL) according to statistics from DeBank, a blockchain analytics platform. Notwithstanding, a thread shared on social media on November 23 by Jarrod Watts, a developer relations engineer at Polygon Labs, insinuated that the novel network may present grave security hazards due to its centralization. Responding to this allegation not directly mentioning Watts' thread, Blast defended its position through its own social media account (formerly known as Twitter), stating its network decentralization parallels other layer-2s like Optimism, Arbitrum, and Polygon.
As stated by its promotional documents, Blast network positions itself as the solitary Ethereum L2 providing native yield for both ETH and stablecoins. According to the official website, users’ balances on Blast experience automatic compounding and stablecoins sent into the platform are converted into USDB, a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. While the technical processes of the protocol are yet to be disclosed by the Blast team, the team has indicated that they will be available when the airdrop event takes place in January. Since its introduction on Nov. 20, Blast's TVL has skyrocketed from nil to over $400 million within just four days.
Watts highlighted in his original post that Blast might be less secure or decentralized than users might reckon, expressing concerns over the potential vulnerability of the 3/5 multisig mechanism to security breaches. In his theory, an adversary who acquires control of three out of five team members' keys can potentially steal all crypto deposited into its contracts.
Watts explains that Blast contracts can be modified via a Safe (previously Gnosis Safe) multi-signature wallet account which mandates a minimum of three of the five signatures to authorize any transaction. A potential security lapse occurs if the private keys generating these signatures are compromised, then the contracts could be manipulated to generate custom code desired by the attacker. In such an instance, the attacker could theoretically transfer the entire $400 million TVL into their personal account.
Moreover, Watts asserts that despite its declarations, Blast does not qualify as a genuine layer 2 but merely accepts and stakes users' funds into protocols like LIDO without utilising any actual bridge or testnet for these transactions. Watts further criticises the absence of a withdrawal function in the platform, leaving users reliant on the developers to later incorporate this feature. Watts also identifies an "enableTransition" function in Blast that could allow an attacker to set any smart contract as the “mainnetBridge,” making it possible to drain the entirety of users’ funds without needing to tweak contract settings.
Despite these potential attack risks, Watts has expressed his doubt that Blast will suffer from funds misappropriation, advising caution to those considering sending funds to Blast in its prevailing state. In a response thread from its own social media account, the Blast team have assured their protocol's security is on par with other layer-2 platforms, suggesting that while non-upgradeable contracts may appear safer, they are more problematic if containing bugs. The Blast team justifies the use of upgradeable contracts and reassures the relevant keys for the Safe account are securely managed in cold storage by an independent custodian, with a geographical dispersion for added security.
The critique of upgradeable contracts is not unique to Blast as the Stargate bridge was also targeted for similar issues by James Prestwich, the founder of Summa, in January. The Ankr protocol also fell victim to manipulation, when their smart contract was debated allowing the creation of 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) from nothing after unauthorized access to the developer’s database and retrieval of the deployer key by a former staff member in December, 2022.
Published At
11/24/2023 9:36:59 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.