CryptoCurrents: Navigating the Blast in Web3 Waters

In the ever-expanding landscape of decentralized networks, the Blast network, navigating the Web3 protocol, has experienced a meteoric rise, locking in an impressive total value exceeding $400 million in just four days, as reported by DeBank, a reliable blockchain analytics platform. However, amid the whirlwind success, the echoes of concern regarding the network's security risks due to centralization reverberated through the digital realm, articulated by Jarrod Watts, the discerning developer relations engineer at Polygon Labs, in a thought-provoking social media thread on November 23.

Responding to this engaging discourse, the Blast team, orchestrating their defense from the official X (formerly Twitter) account, embarked on a nuanced elucidation in a separate thread. They staunchly asserted that their network stands shoulder to shoulder with other eminent layer 2 solutions, such as Optimism, Arbitrum, and Polygon, in terms of decentralization. Despite marketing proclamations of being the exclusive Ethereum L2 endowed with native yield capabilities for ETH and stablecoins, the official website tantalizingly lacks the essential technical documentation to decode the intricate workings of the protocol. The team, however, tantalizingly hinted at unveiling this trove of information during the eagerly anticipated January airdrop.

On multisig security.

Read this thread to understand the security model of Blast along with other L2s like Arbitrum, Optimism, and Polygon.

— Blast (@Blast_L2) November 24, 2023

Watts' initial post provocatively suggested that Blast might not wield the perceived invincibility in terms of security and decentralization, painting it as a mere "3/5 multisig." In his astute analysis, the compromise of three out of five team members' keys could ostensibly open the floodgates for an assailant to siphon off all crypto assets stashed within Blast's contracts.

Watts, a vigilant observer, also shone a spotlight on potential chinks in Blast's armor, arguing that the network doesn't adhere strictly to the conventional definition of a layer 2 protocol. Instead, he posited, it functions as a conduit, a mere receiver and staker of users' funds into protocols like LIDO, sidestepping the traditional use of a bridge or testnet for transactions. Additionally, he uncovered a disconcerting "enableTransition" function within Blast, insinuating that nefarious actors might exploit this feature to designate any smart contract as the "mainnetBridge," potentially resulting in a complete misappropriation of users' funds without the need for a conventional contract upgrade.

"Blast is just a 3/5 multisig..."

I spent the past few days diving into the source code to see if this statement is actually true.

Here's everything I learned:

— Jarrod Watts (@jarrodWattsDev) November 23, 2023

Despite the storm of potential vulnerabilities, Watts tempered his stance with cautious optimism, suggesting that actual fund losses might not be an imminent threat. However, he sounded a clarion call, advising against deploying funds into Blast in its current state. The Blast team, unwavering in their defense, navigated the nuanced terrain of security complexities. They argued that security exists on a spectrum, emphasizing the merits of an upgradeable contract for its flexibility and bug-fixing capacity. Crucially, they underscored the secure management of Safe account keys—stored in cold storage, independently managed, and geographically separated—as a highly effective protective measure for user funds.

In an industry rife with complexities and ever-evolving challenges, Blast finds itself not alone in weathering scrutiny over the use of upgradeable contracts. Previous instances, such as the Stargate bridge and the Ankr protocol, have grappled with analogous concerns. James Prestwich, the sagacious founder of Summa, had previously raised apprehensions about the vulnerability of the Stargate bridge. Meanwhile, the Ankr protocol weathered an exploit when a former employee illicitly upgraded its smart contract, magically generating a substantial volume of tokens seemingly out of thin air.

You might also like: Bullish Whispers: BTC, Liquidity, and Yellen's Caution