Analysts warn that the Blast contract is controlled by anonymous addresses. Users have invested over $300 million in the project
Polygon Labs and SlowMist experts claim that Blast is not a layer 2 network
24.11.2023 - 13:08
592
2 min
0
What’s new? Experts from blockchain developer Polygon and audit firm SlowMist have reported a vulnerability in the Blast project, which was launched by the Blur NFT marketplace team on November 21. According to the analysts, the project is based on a multi-signature contract with instant update capability that requires 3 out of 5 signatures to make changes. In turn, all five signature addresses are anonymous and recently created.
What else is known? In the event of an exploit or bad faith by the owners of the signature-enabled addresses, the Blast contract can instantly inject malicious code updates to steal funds.
The experts added that Blast, unlike other projects with similar features such as Arbitrum, is not a layer 2 (L2) network and is simply a smart contract that accepts deposits and invests them in revenue-generating protocols such as Lido, liquid ETH staking protocol.
Jarrod Watts of Polygon Labs emphasized that Blast has no testnet, bridges, or rollups, and does not even send transaction data to Ethereum.
“By sending money to the Blast contract, you’re basically trusting 3-5 strangers to stake your funds for you. You won’t be able to withdraw that money at any point in time unless those 3-5 people decide to do the right thing in the future,” the developer explained.
Notably, Blast currently lacks a withdrawal feature. According to the roadmap, it will be activated only on February 24 next year. At the same time, users have already blocked over $303 million in the project’s contract.
In turn, SlowMist founder Yu Xiang said that Blast is a centralized Web 2.0 project, which has received support from financial institutions. Thus, one of the investors of the project is the venture capital firm Paradigm, which previously supported the Blur marketplace.
Xiang expressed indignation that users do not study the technical features of the project, judging its reliability only by the presence of institutional partners.
Useful material?
Telegram 
Twitter Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Incidents
According to Blockaid, the attack may have been carried out by the same hacker behind the 1inch Fusion V1 exploit.
May 7, 2026
Incidents
The attacker gained administrative access and altered contracts to drain user funds
Apr 30, 2026
Cryptocurrency rates
-
Bitcoin
$64 353
BTC
-4.18%
-
Ethereum
$2 551.16
ETH
+3.56%
-
BNB Smart Chain
$579.4
BSC
+1.23%
-
Ripple
$1.19
XRP
-3.03%
-
Dogecoin
$0.090441
DOGE
-3.59%
-
TRON
$0.160134
TRX
-1.59%
-
Zcash
$609.86
ZEC
-0.29%
-
Cardano
$0.198365
ADA
-7.63%
-
Stellar XLM
$0.210183
XLM
-6.4%
-
Polkadot
$3.32
DOT
+5.27%