The Blast mainnet is about to go online, analyzing its security risks and potential opportunities

Source: Beosin

Recently, Blast has once again become a hot topic in the market. With the end of its "Big Bang" developer competition, its TVL has continued to soar, exceeding 2 billion in one fell swoop. The U.S. dollar occupies a place on the Layer 2 track.

At the same time, Blast also announced that it will launch its mainnet on February 29, causing the public to continue to pay attention to it. After all, the "anticipation of airdrop" has successfully attracted most participants to watch. However, with the development of its ecosystem, various projects have emerged one after another, which has also led to the frequent occurrence of various security risks. Today Beosin will explain to you the security risks and potential opportunities behind Blast’s strong start and the surge in TVL.

Blast development history

Blast was launched by Blur founder Pacman on November 21, 2023, and soon received widespread attention in the encryption community. Within 48 hours of launch, the network reached $570 million in total value locked (TVL) and attracted over 50,000 users.

Blast received US$20 million in financing last year from major backers such as Paradigm and Standard Crypto. Then in November last year, Blast received another US$5 million investment from CGV, a Japanese cryptocurrency investment company.

According to news on February 25, DeBank data showed that the total value of assets currently held by the Blast contract address exceeds US$2 billion, of which US$1.8 billion worth of ETH is deposited in Lido Agreement, more than 160 million US dollars of DAI have been deposited into the MakerDAO agreement, which shows its popularity in the market.

DeBank data

Why is Blast so popular?

Blast is unique in providing native yields on ETH and stablecoins, a feature not found in other Layer2 solutions. When users transfer ETH to other Layer2, these Layer2 will only lock the ETH into the smart contract and map the corresponding Layer2 ETH; while Blast will deposit the user's ETH into Lido to earn interest, and introduce a new interest-bearing stable currency USDB (the stable currency The currency will be used to purchase U.S. Treasury bonds through MakerDAO (the proceeds will be earned) to the Blast network.

In addition, Layer2, launched by the Blur team, has its own traffic. Previously, Blur issued more than 200 million US dollars in airdrops to users on its platform. It already has a broad community base. In addition, Blast currently conducts airdrop incentives to attract users to participate in Blast staking through traffic fission marketing.

Blast Security Risks

Blast has been criticized and questioned since its launch. On November 23, 2023, Jarrod Watts, a developer relations engineer at Polygon Labs, tweeted that Blast’s centralization may pose serious security risks to users. At the same time, he also questioned Blast’s classification as a layer 2 (L2) network because Blast does not meet the L2 standard and lacks functions such as transactions, bridging, rollup, or sending transaction data to Ethereum.

How safe is Blast? What security risks exist? This time we scanned the Blast Deposit contract through the Beosin VaaS tool, and combined the analysis of Beosin security experts to interpret the Blast Deposit contract code.

Beosin VaaS

Blast Deposit The contract is an upgradeable contract, and its agency contract address is 0x5F6AE08B8AeB7078cf2F96AFb089D7c9f51DA47d. Its current logical contract address is 0x0bD88b59D580549285f0A207Db5F06bf24a8e561. The main risk points are as follows:

1.  Center Risk reduction

The most important enableTransition function of the Blast Deposit contract can only be called by the admin address of the contract. In addition, this function takes the mainnetBridge contract address as a parameter, and the mainnetBridge contract can access all pledged ETH and DAI.

< /p>

code:https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06bf24a8e561#code#F1#L230

In addition, the Blast Deposit contract can be upgraded at any time through the upgradeTo function. This is mainly used to fix contract vulnerabilities, but there is also the possibility of doing evil. At present, Polygon zkEVM has done a relatively complete job in upgrading the contract. Modifying the contract in non-emergency situations generally requires a 10-day delay, and contract modifications need to be decided by the 13-member Agreement Council.

code:https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06bf24a8e561#code#F2# L78

2.  Multi-signature dispute

Looking at the Blast Deposit contract, we can see thatits contract The permissions are controlled by a Gnosis Safe 3/5 multi-signature wallet 0x67CA7Ca75b69711cfd48B44eC3F64E469BaF608C. These five signature addresses are:

0x49d495DE356259458120bfd7bCB463CFb6D6c6BA

0xb7c719eB2649c1F03bFab68b0AAa35AD538a7cC8

0x1f97306039530ADB41 73C3786e86fab5e6b90F41

0x6a356C0EAA560f00127Adf5108FfAf503b9f1e11

0x46e31F27Df5047D7Fad9b1E8DFFec635cF6efAcF

These five addresses are all new addresses created 3 months ago, and their identities are unknown. Since the entire contract is actually an escrow contract protected by a multi-signature wallet and not a Rollup bridge, Blast has been questioned by many from the community and developers.

Blast acknowledged this set of security risks and said that while immutable smart contracts are considered secure, they may hide undetected vulnerabilities. Upgradeable smart contracts also bring their own risks, such as contract upgrades and easily exploitable time locks. In order to mitigate these risks, Blast will use a variety of hardware wallets for management to avoid centralization risks.

However, Blast has not yet announced whether wallet management can avoid centralization and phishing attacks, and whether there is a complete management process. In the two previous security incidents of Ronin Bridge and Multichain, although the project parties used multi-signature wallets or MPC wallets, the centralization of private key management resulted in user asset losses.

On February 19, the Blast team made an update to the Deposit contract. This update mainly adds the Predeploys contract and introduces the IERC20Permit interface to prepare for the mainnet launch.

Blast ecological risk

On February 25, the Beosin KYT anti-money laundering analysis platform detected that theBlast ecological GambleFi project Risk (@riskonblast) was suspected A RugRull occurred, and the amount of loss was approximately 500 ETH. At present, its official X account does not exist.

MoonCat2878 etc. Investors also shared their personal losses. MoonCat2878 recounts how they initially viewed RiskOnBlast as a promising investment opportunity after seeing reputable projects and partners from within the Blast ecosystem. However, the subsequent public sale turned into an uncapped financing round, which aroused their doubts about Risk as a GameFi project.  

Beosin Trace monitoring display , At present, most of the stolen funds of the Blast ecological game Risk project have been transferred to different exchanges, and a small part of the stolen funds have been cross-chained to Arbitrum and Cosmos.