Transparency issues surround Ethereum L2 project Blast; $350 million worth of assets to be impacted

An Ethereum-based DeFi protocol, Blast, has accrued and locked nearly $350 million worth of ETH, USDT, DAI, and other tokens for the next three months.
The protocol is said to stake users' assets into Lido to earn yield, which has resulted in the surge of funds into the Dapp.
The protocol, however, has no testnet, transactions, bridge, rollup, or sending of transaction data to Ethereum.
Furthermore, the code allows for a no-limit withdrawal of the total funds staked onto the protocol.

The emergence of Decentralized Finance (DeFi) on Ethereum brought along the option of making money without having to rely on a central institution. This assured decentralization and safety, resulting in people flocking over to stake Decentralized applications (Dapp). But as always, the mob mentality is the biggest issue here, which might have just caused crypto investors to accept higher risks for future returns.

Mob mentality - The bane of Ethereum and crypto

An Ethereum protocol by the name of Blast has made headlines in the past 48 hours owing to the sudden inflow of funds onto the Dapp. Since November 22, the total value locked (TVL) on the asset has risen to almost $350 million at the time of writing.

Blast TVL

Users have been staking their assets, such as ETH, USDT, USDC, DAI, and stETH, on the promise of yields. However, what they might have missed is the fundamentals of the protocol that seems to lack transparency.

Blast token distribution

Brought to attention by Polygon Developer Relation Jarod Watts, the protocol has a very vulnerable code. Watts stated,

"Blast is not an L2.

The Blast smart contract:
1/ Accepts funds from users.
2/ Stakes users' funds into protocols like LIDO.

There's no testnet, no transactions, no bridge, no rollup, and no sending of transaction data to Ethereum.

It's not an L2.

By sending money to the Blast contract, you're basically trusting 3-5 strangers to stake your funds for you.

You won't be able to withdraw that money at any point in time unless those 3-5 people decide to do the right thing in the future.

Again, there's no bridge here.

According to the code of the protocol, the funds staked onto Blast cannot be withdrawn until the lock-in period ends, which will not happen until February 24, 2024. This gives the creators of Blast nearly three months to do as they will with the users' $350 million.

A lack of transparency raises concerns

Looking at the source code of the protocol, a particular function by the name of "enableTransaction" asks for a contract that can access all of the staked ETH and all of the staked DAI, which are the two biggest assets staked on the protocol.

Thus, through this function, all of the $350 million worth of tokens can be received by an Externally Owned Account (EOA) wallet such as MetaMask, Trust Wallet, etc. Furthermore, the function does not place restrictions on the amount of funds that can be withdrawn, making it virtually possible for the owner to extract all the tokens in a go.

The two main threats we've explored are:

1/ A malicious code upgrade is approved by the 3/5 multi-sig to steal funds.
2/ A malicious smart contract is made and set as the "mainnetBridge" smart contract to steal funds, again by a 3/5 multi-sig.

(21/24)
— Jarrod Watts (@jarrodWattsDev) November 23, 2023

This increases the concerns of not just users but the entire crypto market, as the surge in DeFi protocols could see more than one Dapp utilizing such a code. Additionally, this would grab the attention of regulators, making their crackdown more intense.

Blast is proving regulators’ point.

An onchain hedge fund controlled by a 3/5 anon multisig isn’t defi. It’s “trust me bro.”

And centuries of “trust me bro” is why financial regs exist.

Crypto’s value add—and why crypto needs diff regs—is trust reduction.

We can do better.
— orlando.btc (@Orlando_btc) November 23, 2023

This would also emerge as a key example of why regulation is necessary for the crypto market and why it should be done as soon as possible.

Share: Cryptos feed

Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.

If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.

FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.

The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.