Security concerns found in Ethereum L2 solution Blast: Resonance Security

Blast, the new Ethereum Layer 2 solution, has some security concerns, according to a research report by cybersecurity company Resonance Security . Blast has quickly gained traction in the crypto industry. It promises points, airdrops, jackpots, native staking yields, and gas revenue sharing. But Resonance says Blast should improve its security measures.

From its announcement to its launch, Blast accepted ETH deposits through a one-way bridge. This allowed users to accumulate native yield and Blast Points, promising early adopters entry into a future airdrop. 

Source: L2Beat

Despite criticism from major financial backers like Paradigm, this strategy boosted Blast’s popularity. It attracted $600 million in its first week, reaching over $1 billion by January 2024. As of now, Blast’s total value locked (TVL) stands at $3.16 billion, making it the fourth-largest EVM L2.

Users can deposit ETH onto Blast in exchange for liquid L2 tokens. The deposited ETH is staked in Lido staking pools via Blast smart contracts, earning a 4% interest rate. 

For stablecoins, users bridge them to Blast for USDB, Blast’s official stablecoin, which generates yield through MakerDAO’s T-bill protocol with a 5% interest rate. USDB can be redeemed for DAI when bridged back to Ethereum.

Blast Gold is awarded to dApps built on the chain, rewarding them for using Blast-native features, and is distributed manually every 2-3 weeks or during jackpot events.

Blast inherits security concerns

According to Resonance, Blast’s reliance on third-party DeFi protocols like Lido and MakerDAO introduces potential risks. If any yield-generating pools or protocols on these platforms are compromised, the associated tokens of Blast users will also be affected. This dependence on Lido and MakerDAO’s security to protect users’ funds could lead to financial issues for Blast users.

How Blast’s smart contract works. Source: L2Beat

Previously, HTX Square pointed out that Blast’s LaunchBridge contract (0x5f…a47d) is not a rollup bridge but a “custodial contract protected by a 3/5 multisig address.” Jarrod Watts of Polygon Labs also raised concerns about these multisig addresses, saying that they are newly created and their owners are unknown. 

Source: Jarrod Watts

CryptoHopper questioned Blast’s claim of being an L2, stating, “Blast lacks the necessary validity proofs for an L2 state root and does not have an anti-fraud mechanism in place.” Resonance thinks Blast’s Risk Summary further corroborate these concerns.

Source: L2Beat

Resonance also looked into Lido and MakerDAO’s security protocols. MakerDAO has not published a security audit of their smart contracts in three years, with some audits dating back five years. 

This is concerning because smart contracts can be susceptible to newly discovered vulnerabilities and should be audited periodically. Resonance states that a quick query for smart contract CVEs in the NIST National Vulnerability Database returned 584 records published between 2018 and 2024. While specific contracts may not be susceptible to all these CVEs, they are likely susceptible to some.

Maintaining smart contract security requires a multi-faceted approach, including pre-deployment and periodic security audits and bug bounty programs.

“Regular communication and joint security testing can also help validate these standards and improve upon them over time.”

Resonance Security

Smaller projects need to be meticulous when choosing their third-party providers. Proactively vetting third-party options for strict security standards can save projects many headaches in the long run. If third-party options do not meet a project’s required standards, developing in-house solutions might be a safer alternative. As long as the project has the resources to do so. 

This allows for complete control over the security. Forming partnerships or alliances with other projects can help collectively advocate for better security practices with larger third-party providers. A united front will have more influence than individual efforts, said Resonance.

Jai Hamid