The Blast network has reached $400M TVL; a developer says it is too centralized


The Web3 protocol Blast network has attracted more than $400 million in total value locked (TVL) in the four days since its launch, according to data from blockchain analytics platform DeBank. But in a Nov. 23 social media thread, Polygon Labs developer relations engineer Jarrod Watts said the new network poses significant security risks because of its centralization.

The Blast team responded to the criticism from its own X (formerly Twitter) account, but without directly referencing Watts' thread. In its own thread, Blast says its network is as decentralized as other layer-2s, including Optimism, Arbitrum and Polygon.

According to marketing material on its official website, the Blast network claims to be “the only Ethereum L2 with native yield for ETH and stablecoins.” The website also states that Blast allows user balances to be “auto-compounded” and that stablecoins sent to it are converted to “USDB”. The Blast team has not released technical documents detailing how the protocol works, but said they will be published when the airdrop takes place in January.

Blast was released on November 20. The protocol's TVL went from zero to $400 million in four days.

Watts' original post claims that Blast is a “3/5 multi-sig” and may be less secure or decentralized than users think. If an attacker gains control of the keys of three of the five team members, they can steal all the crypto deposited in its contracts, he said.

According to Watts, the Blast contracts can be upgraded through a Safe (formerly Gnosis Safe) multi-signature wallet account. The account requires three out of five signatures to authorize any transaction. But if the private keys that generate these signatures are compromised, the contracts can be upgraded to contain whatever code the attacker wants. This means that an attacker who pulls this off can transfer the entire $400 million TVL to their own account.

Watts also says that Blast is “not a layer 2,” despite the development team saying so. Instead, Blast simply “[a]ccepts funds from users” and “[s]takes users' funds into protocols like LIDO.” In addition, it does not have a withdrawal function. To be able to withdraw in the future, users need to trust that the developers will implement the withdrawal functionality at some point, Watts said.

Watts also said Blast has an “enableTransition” function that can be used to set any smart contract as the “mainnetBridge”, meaning an attacker could steal the entirety of users' funds without having to upgrade the contract.

Despite these attack vectors, Watts says he doesn't believe Blast will lose its funds. “Personally, if I had to guess, I don't think the money will be stolen,” he said, but cautioned, “I personally think it's dangerous to send money to Blast in the current situation.”

In its own X thread, the Blast team stated that the protocol is just as secure as other layer-2s. “Safety is on a spectrum (nothing is 100% safe),” the team said, “and is related to many dimensions.” A non-upgradeable contract may seem more reliable than an upgradeable one, but this view can be wrong. If the contract can't be upgraded but contains bugs, the thread states, “they're dead in the water.”

The Blast team says the protocol uses upgradeable contracts for this reason. However, the Safe account's keys are “in cold storage, managed by an independent entity and geographically distributed.” In the team's view, this is the “most effective” method to protect user funds, which is why L2s such as “Arbitrum, Optimism, Polygon” use this method.

Blast is not the only protocol that has been criticized for having upgradeable contracts. In January, Summa founder James Prestwich argued that the Stargate bridge had the same problem. In December 2022, the Ankr protocol was exploited when its smart contract was upgraded to create 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) out of thin air. In Ankr's case, the upgrade was made by a former employee who hacked into the developer's database to obtain its key.
