Web3 protocol Blast network has acquired over $400 million as a whole value locked (TVL) within the four days because it premiered, based on data from blockchain analytics platform DeBank. However in a November. 23 social networking thread, Polygon Labs developer relations engineer Jarrod Watts claimed the new network poses significant security risks because of centralization.
The Blast team taken care of immediately the critique from the own X (formerly Twitter) account, but without directly talking about Watts’ thread. In the own thread, Blast claimed the network is really as decentralized as other layer 2s, including Optimism, Arbitrum and Polygon.
On multisig security.
Look at this thread to know the safety type of Blast as well as other L2s like Arbitrum, Optimism, and Polygon.
— Blast (@Blast_L2) November 24, 2023
Blast network states be “the only Ethereum L2 with native yield for ETH and stablecoins,” based on marketing material from the official website. The web site also claims that Blast enables a user’s good balance to be “auto-compounded” which stablecoins delivered to it are changed into “USDB,” a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. The Blast team hasn’t released technical documents explaining the way the protocol works, however it states they’ll be printed once the airdrop happens in The month of january.
Watts’ original publish stated Blast might be less secure or decentralized than users realize, claiming that Blast “is only a 3/5 multisig.” If the attacker will get charge of three from five team members’ keys, they are able to steal all the crypto deposited into its contracts, he alleged.
“Blast is simply a 3/5 multisig…”
I spent yesteryear couple of days diving in to the source code to find out if this statement is really true.
Here’s everything I learned:
— Jarrod Watts (@jarrodWattsDev) November 23, 2023
Based on Watts, the Blast contracts could be upgraded using a Safe (formerly Gnosis Safe) multisignature wallet account. The account requires three from five signatures to authorize any transaction. However, if the private keys that leave these signatures become compromised, the contracts could be upgraded to create any code the attacker wishes. What this means is an assailant who pulls this off could transfer the whole $400 million TVL to their personal account.
Additionally, Watts claimed that Blast “is not really a layer 2,” despite its team of developers claiming so. Rather, he stated Blast simply “accepts funds from users” and “stakes users’ funds into protocols like LIDO” without any actual bridge or testnet getting used to do these transactions. In addition, it’s no withdrawal function. So that you can withdraw later on, users must trust the developers will implement the withdrawal function at some stage in the long run, Watts claimed.
Furthermore, Watts claimed that Blast contains an “enableTransition” function you can use to create any smart contract because the “mainnetBridge,” meaning an assailant could steal the whole of users’ funds without requiring to upgrade anything.
Despite these attack vectors, Watts claimed he didn’t believe Blast would lose its funds. “Personally, if I needed to guess, I do not think the funds is going to be stolen,” he mentioned. But also, he cautioned that “I personally think it’s dangerous to transmit Blast funds in the current condition.”
Inside a thread from the own X account, the Blast team mentioned that it is protocol is equally as safe as other layer-2s. “Security exists on the spectrum (there is nothing 100% secure),” they claimed, “and it’s nuanced with lots of dimensions.” It might appear that the non-upgradeable contract is much more secure than an upgradeable one, however this view could be mistaken. If your contract is non-upgradeable but contains bugs, “you are dead within the water,” the thread mentioned.
Related: Uniswap DAO debate shows devs still find it difficult to secure mix-chain bridges
The Blast team claims the protocol uses upgradeable contracts with this reason. However, the keys for that Safe account are “in cold storage, managed by a completely independent party, and geographically separated.” Within the team’s view, this can be a “highly effective” way of safeguarding user funds, that is “why L2s like Arbitrum, Optimism [and] Polygon” also employ this process.
Blast isn’t the only protocol that’s been belittled for getting upgradeable contracts. In The month of january, Summa founder James Prestwich contended that the Stargate bridge had exactly the same problem. In December 2022, the Ankr protocol was exploited when it’s good contract was upgraded to permit 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) to become produced from nothing. Within the situation of Ankr, the upgrade was done by an old worker who hacked in to the developer’s database to acquire its deployer key.
