Wednesday, July 3, 2024

Resonance Security warns of worrying security issues with Ethereum L2 Blast

According to research by cybersecurity firm Resonance Security, the Ethereum layer 2 solution Blast has some security concerns.

Blast quickly gained traction in the cryptocurrency industry. The project promises to provide points, airdrops, jackpots, original staking profits and gas revenue sharing. But Resonance said Blast should improve its security measures.

From announcement to launch, Blast accepted ETH deposits via a one-way bridge. This allowed users to accumulate original returns and Blast Points, promising early adopters the opportunity to participate in future airdrops.

Source: L2Beat

Despite criticism from major financial backers like Paradigm, this strategy has boosted Blast’s popularity. It raised $600 million in its first week, reaching over $1 billion by January 2024. As of now, Blast’s total value locked (TVL) is $3.16 billion, making it the fourth largest layer 2 EVM.

Users can deposit ETH into Blast in exchange for a liquid layer 2 token. The deposited ETH will be staked into Lido’s staking pools via the Blast smart contract, earning a 4% yield.

Additionally, users can tether stablecoins to Blast to obtain USDB, Blast’s official stablecoin, which generates yield through MakerDAO’s T-bill protocol at a 5% yield. USDB can be redeemed for DAI when tethered back to Ethereum.

Blast Gold is awarded to decentralized applications (dApps) built on the chain to reward them for using Blast’s native features. It is distributed manually every 2-3 weeks or during jackpot events.

Security concerns

According to Resonance, Blast’s reliance on third-party DeFi protocols like Lido and MakerDAO poses risks. If any yield pools or protocols on these platforms are compromised, Blast users’ associated tokens will also be affected. Relying on the security of Lido and MakerDAO to protect user funds could lead to financial problems for Blast users.


Blast Smart Contracts | Source: L2Beat

Previously, HTX Square had shown that Blast’s LaunchBridge contract (0x5f…a47d) is not a rollup bridge but rather a “custody contract protected by a 3/5 multisig address.” Jarrod Watts of Polygon Labs also raised concerns about these multisig addresses, saying they were newly created and had unknown owners.

CryptoHopper questioned Blast’s layer 2 claim, stating:

“Blast lacks the necessary valid proof for layer 2 state root and has no anti-fraud mechanism.”

Resonance argues that Blast’s Risk Summary further corroborates these concerns.


Source: L2Beat

Resonance also reviewed the security protocols of Lido and MakerDAO. MakerDAO has not announced a security audit for its smart contracts for three years, with some audits dating back five years.

This is worrying because smart contracts can be exposed to newly discovered vulnerabilities and need to be audited periodically. Resonance said a quick query of smart contract CVEs in the NIST National Vulnerability Database showed 584 records published between 2018 and 2024. While the contracts were not susceptible to all of these CVEs, they are vulnerable to some of them.

Maintaining smart contract security requires a multifaceted approach, including pre-deployment and periodic security audits as well as bug bounty programs.

“Regular communication and joint security testing can also help validate these standards and improve them over time.”

Smaller projects need to be meticulous when selecting third-party vendors. Proactively considering third-party options to ensure strict security standards can help projects avoid many headaches in the long run. If third-party options do not meet the project’s required standards, developing an in-house solution may be a safer alternative as long as the project has the resources to do so.

This allows for complete control over security. Forming partnerships or alliances with other projects can help collectively support better security measures with larger third-party vendors. Resonance says a united front will have more impact than individual efforts.

Minh Anh

According to Cryptopolitan

Mark Tyson