Blast Network Gains Over $400 Million TVL in Four Days, Faces Security Concerns
The Web3 protocol Blast Network has achieved a total value locked (TVL) of over $400 million just four days after its launch, according to data from blockchain analytics platform DeBank. However, there are concerns about the network’s security and centralization. Polygon Labs developer relations engineer Jarrod Watts raised these concerns in a social media thread, stating that Blast poses significant security risks due to its centralization.
In response to Watts’ criticism, the Blast team claimed in their own thread that the network is as decentralized as other layer-2 solutions, including Optimism, Arbitrum, and Polygon. They also highlighted the security model of Blast, inviting users to read a thread that explains the security measures taken by Blast and other layer-2 solutions.
Blast Network promotes itself as the only Ethereum layer-2 solution with native yield for ETH and stablecoins. The platform allows users’ balances to be auto-compounded, and stablecoins sent to it are converted into USDB, a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. While technical documents explaining the protocol have not been released yet, the Blast team has stated that they will be published when the airdrop occurs in January.
Since its release on November 20, Blast Network has seen its TVL grow from zero to over $400 million. However, Watts claimed that Blast may be less secure and decentralized than users realize. He argued that Blast is just a 3/5 multisig, meaning an attacker who gains control of three out of five team members’ keys can steal all the crypto deposited into its contracts.
According to Watts, Blast’s contracts can be upgraded through a Safe multi-signature wallet account. If the private keys producing the required signatures become compromised, the contracts can be upgraded to execute any code the attacker wants. This means an attacker could transfer the entire $400 million TVL to their own account. Additionally, Watts argued that Blast is not a layer-2 solution; instead, it accepts funds from users and stakes them into protocols like Lido. He claimed that Blast lacks a withdrawal function, and users must trust that the developers will implement it in the future.
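The "3/5 multisig" figure can be checked by a depositor rather than taken on trust. The sketch below is an added example, not code from Blast, Safe, or the article: it decodes the raw ABI return data of a Safe's `getThreshold()` and `getOwners()` view functions and reports how many keys must be compromised to authorise an upgrade and, going slightly beyond the article, how many must be lost before no upgrade can be signed at all. The sample bytes and owner addresses are constructed placeholders, and the names `assess` and `UpgradeAuthority` are hypothetical.

```python
# Added example, not Blast or Safe project code. Sample data is constructed.
from dataclasses import dataclass

WORD = 32  # ABI return values are packed into 32-byte words

def _word(data: bytes, i: int) -> int:
    chunk = data[i * WORD:(i + 1) * WORD]
    if len(chunk) != WORD:
        raise ValueError("truncated ABI return data")
    return int.from_bytes(chunk, "big")

def decode_address_array(data: bytes) -> list[str]:
    """Decode the ABI encoding of a single returned address[]."""
    if _word(data, 0) % WORD:
        raise ValueError("misaligned array offset")
    base = _word(data, 0) // WORD  # word index of the array length field
    owners = []
    for i in range(_word(data, base)):
        value = _word(data, base + 1 + i)
        if value >> 160:  # an address occupies only the low 20 bytes
            raise ValueError("address has non-zero padding")
        owners.append(f"0x{value:040x}")
    return owners

@dataclass
class UpgradeAuthority:
    threshold: int
    owners: list[str]

    @property
    def keys_to_seize(self) -> int:  # compromised keys needed to sign an upgrade
        return self.threshold

    @property
    def keys_to_freeze(self) -> int:  # lost keys after which nothing can be signed
        return len(self.owners) - self.threshold + 1

def assess(threshold_ret: bytes, owners_ret: bytes) -> UpgradeAuthority:
    owners = decode_address_array(owners_ret)
    threshold = _word(threshold_ret, 0)
    if len(set(owners)) != len(owners):
        raise ValueError("duplicate owner in owner set")
    if not 1 <= threshold <= len(owners):
        raise ValueError("threshold outside 1..n")
    return UpgradeAuthority(threshold, owners)

# Constructed sample: a 3-of-5 owner set with placeholder addresses 0x...01 to 0x...05.
SAMPLE_OWNERS = b"".join(n.to_bytes(WORD, "big") for n in (32, 5, 1, 2, 3, 4, 5))
SAMPLE_THRESHOLD = (3).to_bytes(WORD, "big")
```

For a 3-of-5 set both numbers are three, so the same configuration that lets three compromised keys authorise an upgrade also stops being able to sign anything once three keys are lost.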
Watts also pointed out that Blast contains an “enableTransition” function that can set any smart contract as the “mainnetBridge,” allowing an attacker to steal users’ funds without upgrading the contract. Despite these vulnerabilities, Watts does not believe that Blast will lose its funds but still considers it risky to send funds to Blast in its current state.
In response, the Blast team argued that their protocol is just as safe as other layer-2 solutions. They explained that while non-upgradeable contracts may seem more secure, they can still contain bugs that render them unusable. Blast uses upgradeable contracts and stores the keys for the Safe account in cold storage, managed by an independent party and geographically separated. The team believes this is a highly effective means of safeguarding user funds, similar to how other layer-2 solutions operate.
Blast Network is not the only protocol that has faced criticism for having upgradeable contracts. Other projects, such as Stargate Bridge and Ankr Protocol, have also been scrutinized for similar reasons. It remains to be seen how Blast Network will address these security concerns and ensure the safety of users’ funds.