Blast network, a Web3 protocol, has made waves in the crypto industry by accumulating over $400 million in total value locked (TVL) within just four days of its launch. However, amidst the excitement surrounding Blast’s rapid success, Polygon Labs developer relations engineer, Jarrod Watts, voiced significant security concerns regarding the network’s centralization. Watts argued that Blast posed potential risks, raising doubts about its decentralization claims.

In response to the criticism, Blast’s team indirectly addressed Watts’ thread through their X (formerly Twitter) account. They argued that Blast network is as decentralized as other layer 2 solutions, such as Optimism, Arbitrum, and Polygon. The team’s marketing material further emphasizes Blast as “the only Ethereum L2 with native yield for ETH and stablecoins,” offering auto-compounding balance and conversion of stablecoins into “USDB” through MakerDAO’s T-Bill protocol.

Unfortunately, Blast’s team has not released any technical documents detailing the protocol’s inner workings. They have promised to publish these documents in January during the airdrop.

Watts initially pointed out that Blast may not be as secure or decentralized as users perceive it to be. He claimed that Blast is nothing more than a “3/5 multisig.” This means that if an attacker manages to gain control of three out of the five team members’ keys, they would have the ability to steal all the crypto deposited into the protocol’s contracts. Watts explained that Blast’s contracts can be upgraded through a Safe multisignature wallet account, requiring three out of five signatures for authorization. However, if the private keys generating these signatures are compromised, the contracts can be altered to execute any code desired by the attacker. Consequently, an attacker could transfer the entire $400 million TVL into their own account.

Moreover, Watts countered Blast’s claim of being a layer 2 solution. According to him, Blast merely accepts funds from users and stakes them into protocols like Lido, without utilizing an actual bridge or testnet for these transactions. He also pointed out the absence of a withdrawal function, leaving users reliant on the developers’ promise of implementing it in the future. Highlighting another vulnerability, Watts stated that Blast’s “enableTransition” function can set any smart contract as the “mainnetBridge.” This means an attacker could exploit this function to steal all user funds without needing to upgrade the contract.

While Watts concluded that he does not expect Blast’s funds to be stolen, he cautioned against sending funds to Blast in its current state due to the associated risks.

In their own response, Blast’s team defended the protocol’s security and compared it to other layer-2 solutions. They acknowledged that security is not absolute but rather exists on a spectrum. The team argued that while non-upgradeable contracts may appear more secure, they could contain critical bugs, rendering them ineffective. Therefore, Blast’s protocol employs upgradeable contracts for flexibility. They emphasized that the keys for the Safe account are held in cold storage, managed by an independent party, and geographically separated. According to Blast’s team, this robust security approach is also adopted by other prominent layer-2 solutions like Arbitrum, Optimism, and Polygon.

It’s worth noting that Blast is not the only protocol facing criticism for its upgradeable contracts. In the past, the Stargate bridge and Ankr protocol also encountered similar concerns. While Stargate bridge faced criticism from Summa founder James Prestwich, Ankr protocol’s smart contract was exploited in December 2022, resulting in the creation of trillions of Ankr Reward Bearing Staked BNB (aBNBc) out of thin air. The upgrade in the Ankr protocol was executed by a former employee who gained access to the developer’s database and obtained the deployer key.
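To put numbers on the two positions above (Watts’ “3/5 multisig” point and the Blast team’s argument that separately stored keys reduce the risk), the following added example, which is not code from Blast, Safe or the original article, compares a single deployer key with a 3-of-5 quorum. The per-key compromise probability `p` and the shared-failure probability `q` are constructed, illustrative assumptions, not measurements of any project.

```python
from math import comb


def quorum_compromise(n: int, k: int, p: float) -> float:
    """P(at least k of n keys are compromised) when each key fails
    independently with probability p (binomial tail)."""
    if not (0 < k <= n) or not (0.0 <= p <= 1.0):
        raise ValueError("need 0 < k <= n and 0 <= p <= 1")
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def with_common_mode(n: int, k: int, p: float, q: float) -> float:
    """Same quorum, plus a shared failure (probability q) that exposes every
    key at once, e.g. one custodian or one backup system (assumed scenario)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("need 0 <= q <= 1")
    # Either the shared failure happens, or it does not and the attacker
    # still has to collect k keys one by one.
    return q + (1 - q) * quorum_compromise(n, k, p)


def compare(p: float = 0.01, q: float = 0.005) -> dict:
    """Constructed inputs: p and q are illustrative only."""
    return {
        "single_deployer_key": quorum_compromise(1, 1, p),
        "3_of_5_independent": quorum_compromise(5, 3, p),
        "3_of_5_common_mode": with_common_mode(5, 3, p, q),
    }


if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name:22s} {prob:.3e}")
```

Under these assumed inputs the independent 3-of-5 quorum is roughly a thousand times harder to compromise than a single key, but a small shared failure mode dominates the result, which is why the independence of key custody matters more than the threshold itself.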

As the Blast network gains significant traction in the crypto community, it is crucial to scrutinize its security claims and associated risks. While the project’s team has responded to the concerns raised by the Polygon Labs developer, doubts persist regarding Blast’s true level of decentralization and the potential vulnerabilities stemming from its upgradeable contracts. Users and investors should exercise caution and thoroughly evaluate the risks before engaging with the protocol. Only time will tell whether Blast can live up to its promises and address the concerns surrounding its security model.
