
Source: Beosin
Recently, BLAST has once again become the market's hot favourite. With the end of its "Big Bang" developer competition, its TVL has continued to soar, exceeding US$2 billion in one fell swoop and securing a place on the Layer 2 track.
At the same time, BLAST announced that it will launch its mainnet on February 29, which has kept public attention on it; after all, the "airdrop expectation" has successfully drawn most participants in to watch. However, as the ecosystem develops, projects of all kinds keep emerging, and security risks follow frequently. Today, Beosin takes a look at BLAST's strong start, and at the security risks and potential opportunities behind its soaring TVL.
BLAST development process
BLAST was launched by Blur founder Pacman on November 21, 2023, and quickly received widespread attention in the crypto community. Within 48 hours of launch, the network's total value locked (TVL) reached US$570 million and it attracted more than 50,000 users.
Last year Blast raised US$20 million in financing from major backers such as Paradigm and Standard Crypto. Shortly afterwards, in November, BLAST received a further US$5 million investment from the Japanese cryptocurrency investment firm CGV.
According to news on February 25, DeBank data shows that the BLAST contract address currently holds assets worth more than US$2 billion, of which US$1.8 billion in ETH is deposited in the Lido protocol and more than US$160 million in DAI is deposited in the MakerDAO protocol, which shows its popularity in the market.
DeBank data
Why is Blast so hot?
The uniqueness of BLAST lies in providing native yield on ETH and stablecoins, a feature that other Layer 2 solutions do not have. When users transfer ETH to other Layer 2s, those Layer 2s simply lock the ETH in a smart contract and mint the corresponding Layer 2 ETH; BLAST instead deposits the user's ETH into Lido and introduces a new stablecoin, USDB (which purchases US Treasury bonds through MakerDAO), to the BLAST network.
In addition, as a Layer 2 launched by the Blur team, BLAST brings its own traffic. Earlier, BLUR issued more than US$200 million in airdrops to users of its platform, so it has a broad community base. BLAST is also currently running airdrop incentives, attracting users to participate in BLAST staking through viral referral marketing.
BLAST security risks
Blast has been criticised and questioned since its launch. On November 23, 2023, Jarrod Watts, a developer relations engineer at Polygon Labs, said that Blast's centralisation may pose serious security risks to users. He also questioned whether BLAST should be classified as a Layer 2 (L2) network at all, because BLAST does not meet the L2 standard: it lacks transactions, a bridge, a rollup, or the posting of transaction data to Ethereum.
How secure is Blast? What are the security risks? This time we scanned the Blast DEPOSIT contract with the Beosin VaaS tool and, combined with analysis by Beosin security experts, walk through the Blast DEPOSIT contract code.
Beosin VaaS
The Blast DEPOSIT contract is an upgradeable contract. Its proxy contract address is 0x5F6AE08B8AEB7078CF2F96AFB089D7C9F51DA47D, and the current logic contract address is 0x0BD88B59D580549285F06BF24A8E561. The main risk points are as follows:
1. Centralisation risk
The most important function of the Blast DEPOSIT contract, enableTransition, can only be called by the contract's admin address. In addition, this function takes the MainnetBridge contract address as a parameter, and the MainnetBridge contract can access all of the staked ETH and DAI.
code: https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06a8e561#F1#L230
In addition, the Blast DEPOSIT contract can be upgraded at any time via the upgradeTo function. This is mainly intended for patching contract vulnerabilities, but it also leaves room for malicious use. By comparison, Polygon zkEVM has a relatively mature contract upgrade process: modifying the contract is subject to a 10-day delay, and the change must be approved by a committee of 13 people.
code: https://etherscan.io/address/0x0bd88b59d580549285f0a207db5f06a8e561#F2#L78
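A defender-side monitor for the upgrade risk described above, added here as an example (it is not Beosin's or Blast's code): it replays eth_getLogs-style entries for the deposit proxy and raises an alert on every EIP-1967 Upgraded or AdminChanged event, escalating an upgrade that lands shortly after an admin change. The proxy address is the one quoted above; the log entries, implementation and admin addresses, tx hashes and the 7200-block window are constructed assumptions.

```python
# Blast deposit proxy address as quoted in the article; every log entry,
# implementation address, admin address and tx hash below is constructed.
PROXY = "0x5F6AE08B8AEB7078CF2F96AFB089D7C9F51DA47D".lower()
# Event topics standardised by EIP-1967 for transparent upgradeable proxies.
TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"       # Upgraded(address)
TOPIC_ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"  # AdminChanged(address,address)

def word_to_address(word: str) -> str:
    """Low 20 bytes of a 32-byte ABI word (hex) as a lowercase address."""
    return "0x" + word[-40:].lower()

def scan_proxy_logs(logs, proxy=PROXY, suspicious_gap=7200):
    """Replay eth_getLogs-style entries for `proxy`; return (alerts, final state).
    Every Upgraded / AdminChanged on the proxy is an alert (an upgradeable bridge can
    change behaviour at any time); an upgrade landing within `suspicious_gap` blocks
    (~1 day at 12 s) of an admin change is escalated, the shape of a key compromise."""
    alerts, state = [], {"implementation": None, "admin": None, "admin_changed_at": None}
    for entry in sorted(logs, key=lambda e: int(e["blockNumber"], 16)):
        if entry["address"].lower() != proxy or not entry.get("topics"):
            continue  # another contract, or an anonymous event
        block, topic0 = int(entry["blockNumber"], 16), entry["topics"][0].lower()
        if topic0 == TOPIC_UPGRADED and len(entry["topics"]) == 2:
            new_impl = word_to_address(entry["topics"][1])
            recent = (state["admin_changed_at"] is not None
                      and block - state["admin_changed_at"] <= suspicious_gap)
            alerts.append({"block": block, "event": "Upgraded", "from": state["implementation"], "to": new_impl,
                           "severity": "critical" if recent else "high", "tx": entry["transactionHash"]})
            state["implementation"] = new_impl
        elif topic0 == TOPIC_ADMIN_CHANGED:
            data = entry.get("data", "0x")[2:]
            if len(data) != 128:  # previousAdmin, newAdmin: two non-indexed ABI words
                continue          # skip malformed entries rather than guess
            prev_admin, new_admin = word_to_address(data[:64]), word_to_address(data[64:])
            alerts.append({"block": block, "event": "AdminChanged", "from": prev_admin, "to": new_admin,
                           "severity": "high", "tx": entry["transactionHash"]})
            state["admin"], state["admin_changed_at"] = new_admin, block
    return alerts, state

def _word(addr: str) -> str:  # left-pad a 20-byte address to a 32-byte ABI word
    return "0x" + addr[2:].rjust(64, "0")

IMPL_A, IMPL_B = "0x00000000000000000000000000000000aaaa0001", "0x00000000000000000000000000000000aaaa0002"
ADMIN_OLD, ADMIN_NEW = "0x00000000000000000000000000000000ad110001", "0x00000000000000000000000000000000ad110002"
CONSTRUCTED_LOGS = [  # shaped like eth_getLogs output; block numbers are hex strings
    {"address": PROXY, "topics": [TOPIC_UPGRADED, _word(IMPL_A)], "blockNumber": "0x10", "transactionHash": "0x01"},
    {"address": "0x" + "11" * 20, "topics": [TOPIC_UPGRADED, _word(IMPL_B)], "blockNumber": "0x11", "transactionHash": "0x02"},
    {"address": PROXY, "topics": [TOPIC_ADMIN_CHANGED], "data": _word(ADMIN_OLD) + _word(ADMIN_NEW)[2:],
     "blockNumber": "0x20", "transactionHash": "0x03"},
    {"address": PROXY, "topics": [TOPIC_UPGRADED, _word(IMPL_B)], "blockNumber": "0x25", "transactionHash": "0x04"},
]
```

Running `scan_proxy_logs(CONSTRUCTED_LOGS)` yields three alerts: the first upgrade (high), the admin rotation (high), and the second upgrade five blocks later (critical); the entry for the unrelated contract is ignored.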
2. Multisig controversy
Inspecting the Blast DEPOSIT contract shows that the contract's permissions are controlled by a Gnosis Safe 3/5 multisig wallet, 0x67CA75CA75B69711CFD48B44EC3F64E469BAF608C. The five signer addresses are:
0x49d495de356259458120BFD7BCB463CFB6D6C6ba
0xb7c719EB2649C1F03BFAB68B0AAA35AD538A7CC8
0x1F97306039530ADB4173C3786E86FAB5E6B90F41
0x6a356c0eaa560F00127ADF5108FFAF503B9F1E11
0x46e31F27DF5047D7FAD9B1E8DFFEC635CF6EFACF
All five addresses are new addresses created 3 months ago, and their identities are unknown. Since the entire contract is in effect a custody contract protected by a multisig wallet rather than a rollup bridge, Blast has been questioned by many in the community and by developers.
Blast acknowledged this series of security risks and stated that although non-upgradeable smart contracts are considered secure, they may hide an unlimited number of vulnerabilities, while upgradeable smart contracts bring their own risks, such as contract upgrades and time locks that are easy to abuse. To reduce these risks, BLAST uses a variety of hardware wallets for management in order to avoid centralisation risk.
However, whether this wallet management can actually avoid centralisation and phishing attacks, and whether there is a complete management process, has not yet been disclosed. Earlier, in the Ronin Bridge and Multichain security incidents, the project teams used multisig or MPC wallets, yet users still lost assets because private key management was centralised.
On February 19, the Blast team updated the DEPOSIT contract. This update mainly added the Predeploys contract and introduced the IERC20Permit interface in preparation for the mainnet launch.
Blast ecosystem risks
On February 25, the Beosin KYT anti-money-laundering analysis platform detected that Risk (@riskonblast), a GambleFi project in the Blast ecosystem, was suspected of a rug pull, with losses of about 500 ETH. Its official X account no longer exists.
Investors such as Mooncat2878 also shared their personal losses. Mooncat2878 said that after seeing reputable projects and partners from the Blast ecosystem, they initially regarded RiskonBlast as a promising investment opportunity. However, the subsequent public sale turned into a round of uncapped fundraising, which raised their doubts about the Risk GameFi project.
Beosin Trace monitoring shows that most of the funds stolen from the Blast ecosystem game project Risk have now been transferred to various exchanges, and a small portion has been bridged to Arbitrum and Cosmos.