php editor Xinyi recently discovered that the Blast mainnet is about to be launched, which has attracted widespread attention. However, the security risks that come with it have also attracted much attention, and it is necessary for us to conduct an in-depth analysis of its technical aspects. At the same time, potential opportunities cannot be ignored. Let us explore the challenges and opportunities in this emerging field.
Recently, Blast has once again become a hot topic in the market. With the end of its "Big Bang" developer competition, its TVL has continued to soar, exceeding 2 billion US dollars in one fell swoop, occupying the top spot on the Layer 2 track. Have a place.
At the same time, Blast also announced that it will launch its mainnet on February 29, causing the public to continue to pay attention to it. After all, the "anticipation of airdrop" has successfully attracted most participants to watch. However, with the development of its ecology, various projects emerge one after another, which also leads to the frequent occurrence of various security risks. Today Beosin will explain to you the security risks and potential opportunities behind Blast’s strong start and the surge in TVL.
Blast is a new project launched by Blur founder Pacman on November 21, 2023, which quickly attracted attention in the encryption community. extensive attention. In just 48 hours of launch, the network has reached a total value locked (TVL) of $570 million and attracted over 50,000 users.
Blast received US$20 million in financing from major backers such as Paradigm and Standard Crypto last year, followed by another US$5 million investment from Japanese cryptocurrency investment company CGV in November last year.
According to DeBank data, as of February 25, the total value of assets in the Blast contract address has exceeded US$2 billion, of which approximately US$1.8 billion of ETH is deposited in the Lido protocol, and more than US$160 million of ETH is deposited in the Lido protocol. DAI is deposited into the MakerDAO protocol. This shows that Blast is extremely active in the market.
DeBank数据
Blast is unique in providing native yields on ETH and stablecoins, a feature not found in other Layer2 solutions. When users transfer ETH to other Layer2, these Layer2 will only lock the ETH into the smart contract and map the corresponding Layer2 ETH; while Blast will deposit the user's ETH into Lido to earn interest, and introduce a new interest-bearing stable currency USDB (the stable currency The currency will be used to purchase U.S. Treasury bonds through MakerDAO (the proceeds will be earned) to the Blast network.
Layer2 launched by the Blur team has unique traffic advantages. Blur has previously issued over $200 million in airdrops to users of its platform, so it has a large community base. At the same time, Blast is attracting users to participate in staking through airdrop rewards and using traffic fission marketing strategies to attract more users to join Blast. This method of organically combining traffic and airdrop incentives helps attract more users to participate and provides a stable user base for the development of Blast.
Blast has been criticized and questioned since its launch. On November 23, 2023, Jarrod Watts, a developer relations engineer at Polygon Labs, tweeted that Blast’s centralization may pose serious security risks to users. At the same time, he also questioned Blast’s classification as a layer 2 (L2) network because Blast does not meet the L2 standard and lacks functions such as transactions, bridging, rollup, or sending transaction data to Ethereum.
How safe is Blast? What security risks exist? This time we used the BeosinVaaS tool to scan the Blast Deposit contract and combined it with the analysis of Beosin security experts to interpret the Blast Deposit contract code.
##
BeosinVaaSThe Blast Deposit contract is an upgradeable contract. Its proxy contract address is 0x5F6AE08B8AeB7078cf2F96AFb089D7c9f51DA47d. Its current logical contract address is 0x0bD88b59D580549285f0A207Db5F06bf24a8e561. The main risk is Click as follows: 1. Centralization riskBlast Deposit The most important enableTransition function of the contract can only be called by the admin address of the contract. In addition, this function takes the mainnetBridge contract address as a parameter, and the mainnetBridge contract can access all pledged ETH and DAI. function enableTransition(address mainnetBridge) external onlyOwner { if (isTransitionEnabled) { revert TransitionIsEnabled(); }_pause(); _setMainnetBridge(mainnetBridge); isTransitionEnabled = true;LIDO.approve(mainnetBridge, type(uint256).max); DAI.approve(mainnetBridge, type(uint256).max);}code:https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06bf24a8e561# code#F1#L230In addition, the Blast Deposit contract can be upgraded at any time through the upgradeTo function. This is mainly used to fix contract vulnerabilities, but there is also the possibility of doing evil. At present, Polygon zkEVM has done a relatively complete job in upgrading the contract. Modifying the contract in non-emergency situations generally requires a 10-day delay, and contract modifications need to be decided by the 13-member Agreement Council.
function upgradeTo(address newImplementation) public virtual onlyProxy { _authorizeUpgrade(newImplementation); _upgradeToAndCallUUPS(newImplementation, new bytes(0), false); }
code:https://etherscan.io/address/ 0x0bd88b59d580549285f0a207db5f06bf24a8e561#code#F2#L78
Looking at the Blast Deposit contract, we can see that the permissions of the contract are controlled by a Gnosis Safe 3/5 multi-signature wallet 0x67CA7Ca75b69711cfd48B44eC3F64 Controlled by E469BaF608C. These 5 signature addresses are:
0x49d495DE356259458120bfd7bCB463CFb6D6c6BA
0xb7c719eB2649c1F03bFab68b0AAa35AD538a7cC8
0x1f97306039530ADB4173C 5 All addresses are new addresses created 3 months ago, and their identities are unknown. Since the entire contract is actually an escrow contract protected by a multi-signature wallet and not a Rollup bridge, Blast has been questioned by many from the community and developers.
Blast acknowledged this set of security risks and said that while immutable smart contracts are considered secure, they may hide undetected vulnerabilities. Upgradeable smart contracts also bring their own risks, such as contract upgrades and easily exploitable time locks. In order to mitigate these risks, Blast will use a variety of hardware wallets for management to avoid centralization risks.
However, Blast has not yet announced whether wallet management can avoid centralization and phishing attacks, and whether there is a complete management process. In the two previous security incidents of Ronin Bridge and Multichain, although the project parties used multi-signature wallets or MPC wallets, the centralization of private key management resulted in user asset losses.
On February 19, the Blast team made an update to the Deposit contract. This update mainly adds the Predeploys contract and introduces the IERC20Permit interface to prepare for the mainnet launch.
Blast Ecological Risk
On February 25, the Beosin KYT anti-money laundering analysis platform detected a suspected RugRull in the Blast Ecological GambleFi project Risk (@riskonblast), resulting in a loss of approximately 500 ETH. At present, its official X account does not exist. Investors such as
MoonCat2878 also shared their personal losses. MoonCat2878 recounts how they initially viewed RiskOnBlast as a promising investment opportunity after seeing reputable projects and partners from within the Blast ecosystem. However, the subsequent public sale turned into an uncapped financing round, which aroused their doubts about Risk as a GameFi project. Beosin Trace monitoring shows that currently most of the stolen funds of the Blast ecological game Risk project have been transferred to different exchanges, and a small part of the stolen funds have crossed the chain to Arbitrum and Cosmos.The above is the detailed content of The Blast mainnet is about to be launched, and its security risks and potential opportunities are analyzed from a technical perspective. For more information, please follow other related articles on the PHP Chinese website!