The Blast ecosystem's explosive rise: security risks beneath $2 billion in TVL
The Blast ecosystem is developing rapidly, but its security risks still call for vigilance.
Recently, Blast has attracted significant market attention as an emerging public chain project. With the conclusion of its "Big Bang" developer competition, Blast's total value locked (TVL) has shown explosive growth, exceeding the 2 billion dollar mark and securing an important position in the Layer 2 sector.
The Blast team announced that the mainnet will be launched on February 29, which has further sparked discussions in the market. Many participants are looking forward to potential airdrop opportunities. However, with the rapid development of the ecosystem and the emergence of various projects, potential security risks have also arisen. This article will analyze the security risks and development opportunities of Blast from a technical perspective.
Blast Development History
Blast officially launched on November 21, 2023, and quickly attracted widespread attention from the crypto community. Within just 48 hours of launch, its total value locked surpassed $570 million, and it drew in over 50,000 users.
Last year, Blast received support through multiple rounds of financing. This included a $20 million investment from a well-known investment firm, as well as a $5 million investment from a Japanese cryptocurrency investment company.
As of February 25, a certain data platform shows that the total value of assets currently held by the Blast contract address has exceeded 2 billion dollars. Among them, approximately 1.8 billion dollars of ETH has been deposited into a certain staking protocol, and over 160 million dollars of DAI has been deposited into another lending protocol. This data fully reflects the popularity of Blast in the market.
Unique Advantages of Blast
The standout feature of Blast is its ability to provide native yield for ETH and stablecoins, which is not available in other Layer 2 solutions. When users transfer ETH to other Layer 2s, their ETH is typically just locked in a smart contract and mapped to the corresponding Layer 2 ETH. In contrast, Blast deposits users' ETH into a staking protocol to earn interest, while also introducing a new interest-bearing stablecoin, USDB (which generates yield through the purchase of U.S. Treasury bonds), to the Blast network.
In addition, as a Layer 2 project launched by the team of a well-known NFT trading platform, Blast naturally possesses a traffic advantage. This team has previously distributed over $200 million in airdrops to platform users, accumulating a broad community base. By combining the current airdrop incentive program of Blast with marketing strategies that attract users to participate in staking through traffic fission.
Security Risks Faced by Blast
Despite the rapid development of Blast, it has also faced numerous doubts and criticisms since its launch. On November 23, 2023, a developer relations engineer from a well-known public blockchain pointed out that the level of centralization of Blast could pose serious security risks to users. At the same time, he questioned the legitimacy of Blast classifying itself as a Layer 2 (L2) network, arguing that it does not meet the standard definition of L2 and lacks key functions such as transactions, cross-chain bridges, Rollup, or sending transaction data to Ethereum.
To gain a deeper understanding of the security of Blast, we conducted a detailed analysis of its Deposit contract code. The main findings highlighted the following risk points:
1. Centralization Risk
The most critical function in the Blast Deposit contract, enableTransition, can be called only by the contract administrator. This function takes the mainnetBridge contract address as a parameter, and the mainnetBridge contract can access all staked ETH and DAI.
In addition, the Blast Deposit contract can be upgraded at any time through the upgradeTo function. While this is primarily used to fix potential vulnerabilities, there is also the possibility of abuse. In contrast, a well-known Layer 2 project takes a more cautious approach to contract upgrades, requiring a 10-day delay for modifications under non-emergency circumstances, and decisions must be made by a protocol council composed of multiple members.
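The delayed-change approach contrasted above, sketched as an added example (it is not Blast's contract and not code from the original article): a single admin call that names the bridge and moves custody at once is split into an announced proposal and an execution that only succeeds after a waiting period. The contract name, the propose/cancel/execute function names, the events, and the reuse of the 10-day figure are assumptions for illustration; only ETH is handled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: hypothetical contract, not Blast's Deposit contract. ETH only.
contract TimelockedDepositSketch {
    address public immutable admin;          // assumed: the multisig address
    uint256 public constant DELAY = 10 days; // delay figure from the article's comparison
    address public pendingBridge;            // bridge announced by the admin
    uint256 public readyAt;                  // earliest time the handover may run

    event TransitionProposed(address indexed bridge, uint256 notBefore);
    event TransitionCancelled(address indexed bridge);
    event TransitionExecuted(address indexed bridge, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address admin_) { admin = admin_; }

    receive() external payable {} // deposits accumulate in this contract

    // Step 1: announce the bridge on-chain and start the clock.
    function proposeTransition(address bridge) external onlyAdmin {
        require(bridge.code.length > 0, "bridge is not a contract");
        pendingBridge = bridge;
        readyAt = block.timestamp + DELAY;
        emit TransitionProposed(bridge, readyAt);
    }

    // Step 2 (optional): withdraw the proposal during the review window.
    function cancelTransition() external onlyAdmin {
        emit TransitionCancelled(pendingBridge);
        delete pendingBridge;
        delete readyAt;
    }

    // Step 3: runs only after the delay, and only to the announced address.
    function executeTransition() external onlyAdmin {
        address bridge = pendingBridge;
        require(bridge != address(0) && block.timestamp >= readyAt, "not ready");
        delete pendingBridge;
        delete readyAt;
        uint256 amount = address(this).balance;
        (bool ok, ) = payable(bridge).call{value: amount}("");
        require(ok, "transfer failed");
        emit TransitionExecuted(bridge, amount);
    }
}
```

The delay is only as strong as the path around it: if the contract can still be upgraded instantly, the upgrade function needs the same propose-then-execute gate, and the TransitionProposed event is what depositors and monitoring should alert on.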
2. Multi-signature Dispute
Upon investigation, the permissions of the Blast Deposit contract are controlled by a 3/5 multi-signature wallet. All 5 signer addresses are accounts newly created 3 months ago, and the identities behind them have not been disclosed. Since the entire contract is essentially a custodial contract protected by a multi-signature wallet, rather than a standard Rollup cross-chain bridge, it has raised concerns among the community and developers.
The Blast team acknowledged the existence of these security risks and stated that while immutable smart contracts are generally considered safer, they may conceal undiscovered vulnerabilities. Upgradable smart contracts also bring their own risks, such as contract upgrades and potential exploitative time locks. To mitigate these risks, Blast indicated that it will use multiple hardware wallets for management to avoid centralization risks.
However, the Blast team has not provided a clear answer to whether wallet management can effectively avoid the risks of centralization and phishing attacks, and whether there are sound management processes in place. It is worth noting that there have been multiple security incidents in the past where users lost assets due to improper private key management, even when the project used multi-signature wallets or MPC wallet technology.
On February 19, the Blast team carried out an update to the Deposit contract, primarily adding the Predeploys contract and introducing the IERC20Permit interface in preparation for the mainnet launch.
Security Challenges Facing the Blast Ecosystem
On February 25, an anti-money laundering analysis platform detected a suspected RugPull incident in a GambleFi project within the Blast ecosystem, resulting in a loss of approximately 500 ETH. The project's official social media account is currently inaccessible.
Multiple investors openly shared their experiences of losses. They stated that they initially regarded the project as a promising investment opportunity, mainly due to endorsements from reputable projects and partners within the Blast ecosystem. However, the subsequent public fundraising phase turned into an unlimited round of financing, which raised their doubts about the project.
A certain on-chain analysis tool shows that most of the stolen funds from the GambleFi project have been transferred to different trading platforms, and a small amount has been moved cross-chain to other public chains.
In summary, although Blast shows strong development momentum, the security challenges it faces cannot be ignored. Investors need to remain vigilant when participating in related projects and comprehensively assess potential risks.