Blast L2 hack prompts debate over centralization of Ethereum rollups
Yesterday’s $62 million hack of NFT-gaming project Munchables caused a stir amongst the crypto community, with calls for Blast’s core team to manually undo the damage on the centralized rollup.
Fortunately, such controversial action turned out to be unnecessary. Once it became clear that they were unable to get away with their ill-gotten gains, the rogue developer responsible for the theft returned the funds to the Blast team.
Read more: Crypto game exploited for $4.6M, hacker claims to be white-hat
As with The DAO hack on Ethereum in 2016, the incident forces us to consider the implications of interfering with what are supposed to be immutable ledgers.
The hack
Although the ‘hack’ itself was simple, it had been planned well in advance.
Before launch, a rogue developer used their admin access to assign themselves a hefty ether balance in a previous, unverified implementation of the Munchables contract.
Later, when deposits began to stream into the upgraded contracts, the exploiter’s address had plenty of ETH to drain the funds, withdrawing approximately 17,400 ETH, worth over $62 million at the time.
The developer also had admin access to a contract holding over $30 million in funds deposited by another Blast-based project, Juicebox. Centralization risk was identified as low severity in the project’s audit, and the developer’s preparations seemingly went unnoticed.
The culprit
Blockchain sleuth ZachXBT initially suspected that the developer responsible was part of the DPRK’s Lazarus Group of state-sponsored hackers, pointing the finger at a GitHub profile named ‘Werewolves0493.’
He also suggested that four of the project’s ‘developers’ may in fact be the same individual, as they were linked by on-chain transfers and through deposits to shared exchange addresses.
PixelCraft Studios’ CEO, who goes by coderdan.eth on X (formerly Twitter), shared his run-in with the same developer, who was fired “within a month.” Judging by deposits to their Binance addresses, ChainArgos believe the developer has had a handful of short-term jobs over the past 18 months.
Whether this individual was connected to Lazarus or not, attempting to infiltrate crypto teams is a known technique used by the hacking group.
The dilemma
Ever since the US Treasury’s sanctioning of crypto mixer Tornado Cash, credible censorship resistance has become an important measure of a blockchain’s decentralization. The hope is that if there’s no single entity to accuse of interacting with sanctioned addresses, then there’s nobody to prosecute.
Likewise, though, if a US-based development team has sufficient admin powers to revert the effects of hacks or the actions of sanctioned entities, it may find itself obliged to do so.
Precedents have been set in the past. Last year, Jump Crypto conducted a ‘counter-exploit’ to recover the 120,000 ETH lost in 2022’s Wormhole hack, worth over $300 million at the time.
Also in 2022, Binance-linked BNB Chain was halted by its validators, ensuring that the proceeds of a $600 million bridge hack couldn’t be siphoned to other, less censorable chains.
Blast itself isn’t exactly a prime example of crypto’s ‘trustlessness’ ethos, nor is it a paragon of decentralization.
Read more: Critics decry Blast as the latest sketchy scheme on Ethereum
When Blast was launched, alongside a FOMO-inducing points program, it offered ‘native yield’ on ETH and stablecoins, despite deposits simply going into a multisig wallet while the network itself was being built.
Blast’s status as a mostly experimental sandbox which doesn’t prioritize decentralization as much as other networks led some to believe that using centralized powers to manually revert unsavoury activities should be encouraged in order to make users whole.
But others argue that such a move could be seen as a sign of approval for other centralized rollups (e.g. Optimism and Base) that might be forced to censor their network activity.
The DAO
The debate brought back memories of 2016’s The DAO hack which, incidentally, involved a similar dollar amount lost (3.6M ETH, which would be worth almost $13B today).
Read more: Ethereum’s Dencun causes ‘Blast’ layer 2 outage
The ‘hard fork’, designed to reverse the damage, resulted in a chain split leading to today’s Ethereum mainnet and the continuation of the pre-fork chain, now known as Ethereum Classic.
Given the frequency at which Ethereum users have been exposed to losses of $60 million and above since then, a hard fork to remedy a hack seems almost unthinkable.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.