Web3 protocol Blast network has gained over $400 million in total value locked (TVL) in the four days since it was launched, according to data from blockchain analytics platform DeBank. But in a Nov. 23 social media thread, Polygon Labs developer relations engineer Jarrod Watts claimed that the new network poses significant security risks due to centralization.
The Blast team responded to the criticism from its own X (formerly Twitter) account, but without directly referring to Watts’ thread. In its own thread, Blast claimed that the network is as decentralized as other layer-2s, including Optimism, Arbitrum, and Polygon.
On multisig security.
Read this thread to understand the security model of Blast along with other L2s like Arbitrum, Optimism, and Polygon.
— Blast (@Blast_L2) November 24, 2023
Blast network claims to be “the only Ethereum L2 with native yield for ETH and stablecoins,” according to marketing material from its official website. The website also states that Blast allows a user’s balance to be “auto-compounded” and that stablecoins sent to it are converted into “USDB,” a stablecoin that auto-compounds through MakerDAO’s T-Bill protocol. The Blast team has not released technical documents explaining how the protocol works, but say they will be published when the airdrop occurs in January.
Blast was released on Nov. 20. In the intervening four days, the protocol’s TVL has gone from zero to over $400 million.
Watts’ original post says Blast may be less secure or decentralized than users realize, claiming that Blast “is just a 3/5 multisig.” If an attacker gets control of three out of five team members’ keys, they can steal all of the crypto deposited into its contracts, he alleged.
“Blast is just a 3/5 multisig…”
I spent the past few days diving into the source code to see if this statement is actually true.
Here’s everything I learned:
— Jarrod Watts (@jarrodWattsDev) November 23, 2023
According to Watts, the Blast contracts can be upgraded via a Safe (formerly Gnosis Safe) multi-signature wallet account. The account requires three out of five signatures to authorize any transaction. But if the private keys that produce these signatures become compromised, the contracts can be upgraded to produce any code the attacker wishes. This means an attacker who pulls this off could transfer the entire $400 million TVL to their own account.
In addition, Watts claimed that Blast “is not a layer 2,” despite its development…