Blast L2-hack giver anledning til debat om centralisering af Ethereum-rollups

Yesterday’s $62 million hack of NFT-gaming project Munchables caused a stir amongst the crypto community, with calls for Blast’s core team to manually undo the damage on the centralized rollup.

Fortunately, such controversial action turned out to be unnecessary. Once it became clear that they were ude af stand to get away with their ill-gotten gains, the rogue developer responsible for the theft returned the funds to the Blast team.

$97 millioner er blevet sikret i en multisig af Blast-kernebidragydere. Tog et utroligt løft i baggrunden, men jeg er taknemmelig for, at ex munchables-udvikleren valgte at returnere alle midler til sidst, uden at der kræves nogen løsesum. @_munchables_ og protokoller, der integreres med det som @juice_finance...
— Pacman | Blur + Blast (@PacmanBlur) Marts 27, 2024

Læs mere: Krypto-spil udnyttet for $4.6 millioner, hacker hævder at være hvid-hat

As with The DAO hack on Ethereum in 2016, the incident forces us to consider the implications of interfering with what are supposed to be immutable ledgers.

Hacket

Although the ‘hack’ itself was simple, it had been planlagt i god tid.

Before launch, a rogue developer used their admin access to assign themselves a hefty ether balance in a previous, unverified implementation of the Munchables contract.

Later, when deposits began to stream into the upgraded contracts, the exploiter’s address had plenty of ETH to drain the funds, withdrawing approximately 17,400 ETH, worth over $62 million at the time.

The developer also had admin access to a contract holding over $30 million in funds deposited by another Blast-based project, Juice brik. Centralization risk was identificeret as low severity in the project’s audit, and the developer’s preparations seemingly went unnoticed.

Synderen

Blockchain sleuth ZachXBT initially mistænkt that the developer responsible was part of the DPRK’s Lazarus Group of state-sponsored hackers, pointing the finger at a GitHub profile named ‘Werewolves0493.’

Også ham foreslog that four of the project’s ‘developers’ may in fact be the same individual, as they were linked by on-chain transfers and through deposits to shared exchange addresses.

PixelCraft Studios’ CEO, who goes by coderdan.eth on X (formerly Twitter), shared his løb ind with the same developer, who was fired “within a month.” Judging by deposits to their Binance addresses, ChainArgos Tro the developer has had a handful of short-term jobs over the past 18 months.

Whether this individual was connected to Lazarus or not, forsøger to infiltrate crypto teams is a known technique used by the hacking group.

Dilemmaet

Ever since the US Treasury’s sanctioning of crypto mixer Tornado Cash, credible censorship resistance has become an important measure of a blockchain’s decentralization. The hope is that if there’s no single entity to accuse of interacting with sanctioned addresses, then there’s nobody to prosecute.

Likewise, though, if a US-based development team has sufficient admin powers to revert the effects of hacks or the actions of sanctioned entities, it may find itself obliged to do so.

Precedents have been set in the past. Last year, Jump Crypto conducted a ‘counter-exploit’ to recover the 120,000 ETH lost in 2022’s Wormhole hack, worth over $300 million at the time.

Also in 2022, Binance-linked BNB Chain was halted by its validators, ensuring that the proceeds of a $600 million bridge hack couldn’t be siphoned to other, less censorable chains.

Blast itself isn’t exactly a prime example of crypto’s ‘trustlessness’ ethos, nor is it a paragon of decentralization.

so people sent billions to a multisig to farm points with the promise of a centralised L2 with forked code from OP without fraud proofs
and now some think decentralisation matters to them? lmeow
— Cattin☆彡 (@Cattin0x) Marts 26, 2024

Læs mere: Kritikere afviser Blast som det seneste sketchy-skema på Ethereum

When Blast was launched, alongside a FOMO-inducing points program, it offered ‘native yield’ on ETH and stablecoins, despite deposits simply going into a multisig wallet while the network itself was being built.

Blast’s status as a mostly experimental sandbox which doesn’t prioritize decentralization as much as other networks led some to Tro that using centralized powers to manually revert unsavoury activities should be tilskyndes in order to make users whole.

But others argumentere that such a move could be seen as a sign of approval for other centralized rollups (e.g. Optimism and Base) that might be forced to censor their network activity.

DAO

The debate brought back erindringer of 2016’s The DAO hack which, incidentally, involved a similar dollar amount lost (3.6M ETH, which would be worth almost $13B today).

Yep, this was my point: back then that dollar amount was a significant portion of the supply and an existential risk to the chain.
Nowadays $60m is just another Tuesday in North Korea.
— Googly (👀,🫡) (@0xG00gly) Marts 26, 2024

Læs mere: Ethereums Dencun forårsager 'Blast' lag 2-udfald

The ‘hard fork’, designed to reverse the damage, resulted in a chain split leading to today’s Ethereum mainnet and the continuation of the pre-fork chain, now known as Ethereum Classic.

Given the frequency at which Ethereum users have been exposed to losses of $60 million and above since then, a hard fork to remedy a hack seems almost unthinkable.

Har du et tip? Send os en e-mail eller ProtonMail. For mere informerede nyheder, følg os på X, Instagram, blueskyog Google Nyheder, eller abonner på vores YouTube kanal.

Source: https://protos.com/blast-l2-hack-prompts-debate-over-centralization-of-ethereum-rollups/