The Web3 protocol Blast network has achieved a total value locked (TVL) of over $400 million just four days after its launch, according to data from blockchain analytics platform DeBank. However, Polygon Labs developer relations engineer Jarrod Watts raised concerns about the network’s security risks due to centralization in a Nov. 23 social media thread.
The Blast team responded to the criticism from its own X (formerly Twitter) account, but without directly addressing Watts’ thread. In their response, Blast claimed that the network is as decentralized as other layer 2s, such as Optimism, Arbitrum, and Polygon.
On multisig security.
Read this thread to understand the security model of Blast along with other L2s like Arbitrum, Optimism, and Polygon.
— Blast (@Blast_L2) November 24, 2023
According to marketing material from its official website, Blast network claims to be “the only Ethereum L2 with native yield for ETH and stablecoins.” The website also states that Blast allows a user’s balance to be “auto-compounded” and that stablecoins sent to it are converted into “USDB,” a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. The technical documents explaining how the protocol works have not been released yet, but it is stated that they will be published when the airdrop occurs in January.
In his original post, Watts claimed that Blast may be less secure or decentralized than users realize, alleging that Blast “is just a 3/5 multisig.” He stated that if an attacker gains control of three out of five team members’ keys, they can steal all crypto deposited into its contracts.
“Blast is just a 3/5 multisig…”
I spent the past few days diving into the source code to see if this statement is actually true.
Here’s everything I learned:
— Jarrod Watts (@jarrodWattsDev) November 23, 2023
Additionally, Watts claimed that Blast “is not a layer 2,” and suggested that it simply “accepts funds from users” and “stakes users’ funds into protocols like LIDO” without a bridge or testnet being used to perform these transactions. He also alleged that it has no withdrawal function, causing users to trust that the developers will implement the withdrawal function in the future.
Despite these attack vectors, Watts stated that he did not believe Blast would lose its funds but warned that “it’s risky to send Blast funds in its current state.”
In their response, the Blast team stated that their protocol is just as safe as other layer-2s, and emphasized the security measures in place to safeguard user funds. They explained their use of upgradeable contracts and the storage of keys for the Safe account in cold storage, managed by an independent party and geographically separated.
The Blast team claims the protocol uses upgradeable contracts for this very reason, and stressed that it is a “highly effective” means of safeguarding user funds. They also noted that other layer 2s such as Arbitrum, Optimism, and Polygon also use this method.
Blast is not the only protocol that has been criticized for having upgradeable contracts. Other protocols, such as Stargate and Ankr, have also faced similar issues with their smart contracts.