Recently, Blast has once again become a "hot cake" in the market. With the end of its "Big Bang" developer competition, its TVL has continued to soar, surpassing $2 billion, and has secured a place in the Layer2 track.
At the same time, Blast also announced that its mainnet will go live on February 29th, leading to continued attention from the public. After all, the "airdrop expectation" has successfully attracted the attention of most participants. However, as its ecosystem develops, various projects emerge one after another, leading to frequent security risks. Today, Beosin will interpret the strong start of Blast, the security risks, and potential opportunities behind the soaring TVL.
Blast Development History
Blast was launched by Blur founder Pacman on November 21, 2023, and quickly gained widespread attention in the crypto community. Within 48 hours of its launch, the network's Total Value Locked (TVL) reached $570 million and attracted over 50,000 users.
Last year, Blast received $20 million in funding from major supporters such as Paradigm and Standard Crypto. Then in November of last year, Blast received an additional $5 million investment from the Japanese cryptocurrency investment company CGV.
On February 25th, DeBank data showed that the Blast contract address currently holds assets worth over $20 billion, with $18 billion worth of ETH deposited in the Lido protocol and over $160 million worth of DAI deposited in the MakerDAO protocol, demonstrating its popularity in the market.
DeBank data
Why is Blast so popular?
The uniqueness of Blast lies in its native yield for ETH and stablecoins, a feature that other Layer2 solutions do not possess. When users transfer ETH to other Layer2 solutions, these Layer2 solutions only lock the ETH in smart contracts and map the corresponding Layer2 ETH. Blast, on the other hand, allows users' ETH to be deposited in Lido for interest, and introduces a new interest-bearing stablecoin USDB (which will earn interest by purchasing US Treasury bonds through MakerDAO) to the Blast network.
In addition, as a Layer2 solution launched by the Blur team, it inherently brings traffic. Previously, Blur distributed over $200 million in airdrops to users on its platform, has a wide community base, and with the current Blast airdrop incentives, it attracts users to participate in Blast staking through viral marketing.
Blast Security Risks
Blast has faced criticism and questioning since its launch. On November 23, 2023, Jarrod Watts, a developer relations engineer at Polygon Labs, tweeted that Blast's centralization could pose serious security risks to users. He also questioned Blast's classification as a Layer 2 (L2) network, as Blast does not meet L2 standards, lacking functions such as transactions, bridging, rollups, or sending transaction data to Ethereum.
What is the security of Blast? What are the security risks? This time, we will use the BeosinVaaS tool to scan the Blast Deposit contract and, combined with the analysis of Beosin security experts, interpret the Blast Deposit contract code.
BeosinVaaS
The Blast Deposit contract is an upgradable contract, with the proxy contract address being 0x5F6AE08B8AeB7078cf2F96AFb089D7c9f51DA47d. Currently, its logic contract address is 0x0bD88b59D580549285f0A207Db5F06bf24a8e561, and the main risk points are as follows:
1. Centralization Risk
The most important enableTransition function of the Blast Deposit contract can only be called by the contract's admin address. In addition, this function takes the mainnetBridge contract address as a parameter, and the mainnetBridge contract can access all staked ETH and DAI.
function enableTransition(address mainnetBridge) external onlyOwner { if (isTransitionEnabled) { revert TransitionIsEnabled(); }
_pause(); _setMainnetBridge(mainnetBridge); isTransitionEnabled = true;
LIDO.approve(mainnetBridge, type(uint256).max); DAI.approve(mainnetBridge, type(uint256).max);}
code:https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06bf24a8e561#code#F1#L230
In addition, the Blast Deposit contract can be upgraded at any time through the upgradeTo function. This is mainly used to fix contract vulnerabilities, but it also has the potential for abuse. Currently, Polygon zkEVM has done relatively well in upgrading contracts. Modifying contracts generally requires a 10-day delay in non-emergency situations, and contract modifications need to be decided by a 13-member protocol council.
function upgradeTo(address newImplementation) public virtual onlyProxy { _authorizeUpgrade(newImplementation); _upgradeToAndCallUUPS(newImplementation, new bytes(0), false); }
code:https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06bf24a8e561#code#F2#L78
2. Multi-Signature Dispute
By examining the Blast Deposit contract, it is known that the contract's permissions are controlled by a Gnosis Safe 3/5 multi-signature wallet 0x67CA7Ca75b69711cfd48B44eC3F64E469BaF608C. The 5 signature addresses are:
0x49d495DE356259458120bfd7bCB463CFb6D6c6BA
0xb7c719eB2649c1F03bFab68b0AAa35AD538a7cC8
0x1f97306039530ADB4173C3786e86fab5e6b90F41
0x6a356C0EAA560f00127Adf5108FfAf503b9f1e11
0x46e31F27Df5047D7Fad9b1E8DFFec635cF6efAcF
All five addresses were created three months ago and their identities are unknown. Because the entire contract is actually protected by a custodial contract through a multi-signature wallet, rather than a Rollup bridge, Blast has faced many doubts from the community and developers.
Blast acknowledges these security risks and states that while immutable smart contracts are considered secure, they may conceal undetected vulnerabilities. Upgradable smart contracts also bring their own risks, such as contract upgrades and easily exploitable time locks. To mitigate these risks, Blast will use multiple hardware wallets for management to avoid centralization risks.
However, whether wallet management can avoid centralization and phishing attacks, and whether there is a comprehensive management process, is something that Blast has not yet disclosed. In previous security incidents such as the Ronin Bridge and Multichain, although the projects used multi-signature wallets or MPC wallets, asset losses occurred due to centralized private key management.
On February 19th, the Blast team updated the Deposit contract. This update mainly added the Predeploys contract and introduced the IERC20Permit interface in preparation for the mainnet launch.
Blast Ecosystem Risks
On February 25th, the Beosin KYT anti-money laundering analysis platform detected that the Blast ecosystem's GambleFi project Risk (@riskonblast) appeared to have experienced a Rug Pull, with a loss of approximately 500 ETH. Currently, its official X account is no longer active.
Investors such as MoonCat2878 also shared their personal losses. MoonCat2878 described how, after seeing reputable projects and partners within the Blast ecosystem, they initially viewed RiskOnBlast as a promising investment opportunity. However, the subsequent public sale turned into an unlimited fundraising round, leading to their suspicions about the GameFi project Risk.
Beosin Trace monitoring shows that most of the stolen funds from the Blast ecosystem's game Risk project have been transferred to different exchanges, and a small portion of the stolen funds have been cross-chain transferred to Arbitrum and Cosmos.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
