Data from analytics company DeBank shows that in the four days since its launch, the Web3 protocol Blast network has attracted almost $400M in TVL. However, Polygon Labs developer communications engineer J. Watts argued in a social media discussion on November 23 that the new network’s centralization presents serious security vulnerabilities. Using its X account, the Blast team addressed the criticism without specifically mentioning Watts’ post. Blast said in a separate discussion that the network’s structure is just as decentralized as existing layer 2s such as Polygon, Arbitrum, and Optimism.
Watts Claims That Blast Simply Steals User Money
Marketing materials on Blast Network’s official website state that it is “the sole version of Ethereum L2 that supports stablecoins and ETH native yield.” The website also says that stablecoins deposited to Blast are converted into “USDB,” a stablecoin that automatically compounds using MakerDAO’s T-Bill scheme, and that Blast lets users “auto-compound” their balances. Technical documentation describing how the protocol operates has not yet been published by the Blast team; it is scheduled for release alongside the airdrop in January. In his initial post, Watts said that Blast “is merely a 3/5 multisig,” implying that it may be less secure or decentralized than users think.
Watts claims that a multi-signature wallet called Safe (formerly Gnosis Safe) can be used to upgrade the project’s contracts. Approving a transaction requires three of the five signers. If the private keys that produce these signatures are compromised, however, the contracts can be upgraded to run any code the attacker wants.
This implies that a successful attacker could move the entire $400M TVL to their own account. Furthermore, Watts asserted that, although Blast’s development team says otherwise, Blast “isn’t a layer 2.” Instead, he claimed, Blast does not use a testnet or a bridge to carry out these transactions; it only “steals user money” and “stakes visitors’ assets into technologies like LIDO.”
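A claim like “upgrades are gated by a 3-of-5 Safe” can be checked directly against chain data: read the proxy’s EIP-1967 admin storage slot and call the Safe’s `getThreshold()` and `getOwners()`, then decode the raw return words. The decoding side of that check is shown below as an added example, not code from the article or from the Blast project; the RPC calls themselves are omitted and the hex values are constructed placeholders, not real Blast addresses.

```python
# Added example: decode the raw JSON-RPC responses an auditor would fetch to
# verify who controls upgrades of a transparent proxy. Sample values are constructed.

# EIP-1967 slot holding the proxy admin: keccak256("eip1967.proxy.admin") - 1.
# Query it with eth_getStorageAt(proxy, EIP1967_ADMIN_SLOT, "latest").
EIP1967_ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"

def word_to_address(word: str) -> str:
    """Take the low 20 bytes of a 32-byte hex word (storage slot or ABI word)."""
    raw = word[2:] if word.startswith("0x") else word
    return "0x" + raw.rjust(64, "0")[-40:]

def word_to_uint(word: str) -> int:
    """Decode a uint256 return word; an empty '0x' (call reverted/no code) decodes to 0."""
    raw = word[2:] if word.startswith("0x") else word
    return int(raw, 16) if raw else 0

def decode_address_array(ret: str) -> list[str]:
    """Decode an ABI-encoded `address[]` return value (e.g. Safe.getOwners())."""
    raw = ret[2:] if ret.startswith("0x") else ret
    words = [raw[i:i + 64] for i in range(0, len(raw), 64)]
    offset = int(words[0], 16) // 32          # word index of the array length
    length = int(words[offset], 16)
    return [word_to_address(w) for w in words[offset + 1: offset + 1 + length]]

def assess_upgrade_control(admin_slot_value: str, threshold_ret: str, owners_ret: str) -> dict:
    """Summarise the upgrade policy: admin address plus the Safe's k-of-n rule."""
    admin = word_to_address(admin_slot_value)
    k = word_to_uint(threshold_ret)
    n = len(decode_address_array(owners_ret))
    return {
        "admin": admin,
        "threshold": k,
        "owners": n,
        "policy": f"{k}-of-{n}",
        # Compromising this many signer keys is enough to push an arbitrary upgrade.
        "keys_to_compromise": k,
        "single_key_can_upgrade": k <= 1,
    }

# Constructed sample responses (placeholders, not real on-chain data):
ADMIN_SLOT_VALUE = "0x" + "00" * 12 + "aa" * 20
THRESHOLD_RET = "0x" + "%064x" % 3
OWNERS_RET = ("0x" + "%064x" % 32 + "%064x" % 5
              + "".join("00" * 12 + ("%02x" % i) * 20 for i in range(1, 6)))

if __name__ == "__main__":
    print(assess_upgrade_control(ADMIN_SLOT_VALUE, THRESHOLD_RET, OWNERS_RET))
```

If the admin slot decodes to an externally owned account rather than a Safe, or the threshold is 1, the upgrade path is a single key, which is the weaker case the criticism above is concerned with.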