Blast, an Ethereum-based DeFi protocol, recently responded to growing security concerns in the cryptocurrency world after locking approximately $350 million in assets such as ETH, USDT, and DAI. The platform, known for allowing users to stake their assets in Lido to earn yields, experienced significant growth, but this growth was overshadowed by urgent security issues due to the need for essential features such as test networks, transactions, bridging, aggregation, or direct data transfer to Ethereum.
Unlimited Withdrawal Risk
Critics, including Jarod Watts from Polygon Developer Relations, have pointed out vulnerabilities in Blast’s code. Specifically, the protocol allowing unlimited withdrawals for the total deposited funds raises concerns about potential mismanagement or misuse of locked assets. Watts emphasized that investors rely on the honesty of a small group to protect their funds without standard Layer 2 features.
This situation highlights broader transparency issues and the need for regulation in the evolving DeFi sector. The “enableTransaction” feature in Blast’s code allows significant withdrawals without withdrawal limits by any Externally Owned Account (EOA) wallet. This feature puts user assets at risk and underscores the need for increased supervision in the cryptocurrency world, leading to regulatory scrutiny.
In response to these concerns, Blast clarified its security model through its official X account (formerly known as Twitter). The protocol stated that security encompasses smart contract, browser, and physical security dimensions. Blast argued that immutable smart contracts, typically considered more secure, can pose significant risks, especially in complex agreements, and emphasized the importance of upgradeable smart contracts that offer adaptability against potential security vulnerabilities and hack attacks.
Multisig Security and Independent Governance
Blast also highlighted the use of multisig (multisignature) security, which is employed by other Layer 2 solutions like Arbitrum, Optimism, and Polygon. The protocol claims that each signing key in multisig setups is independently secure, stored in cold wallets, managed by independent parties, and geographically distributed. This approach aims to enhance the protocol’s resistance against various security threats.
Blast plans to transfer one of its multisig wallets to a different hardware wallet provider within a week to enhance security. This move aims to prevent reliance on a single type of hardware wallet and reduce the risk of funds being compromised in case of a hardware-specific vulnerability.
While Blast’s responses to the raised allegations have provided some clarity, the cryptocurrency world continues to approach the protocol with skepticism. Critics compare the trust in multisig setups without time locks or full transparency unfavorably to traditional financial systems.