Blast L2 hack prompts debate over centralization of Ethereum rollups


Yesterday’s $62 million hack of NFT-gaming project Munchables caused a stir amongst the crypto community, with calls for Blast’s core team to manually undo the damage on the centralized rollup. Fortunately, such controversial action turned out to be unnecessary. Once it became clear that they were [unable](https://twitter.com/nearisbuilding/status/1772823018869329983) to get away with their ill-gotten gains, the rogue developer responsible for the theft returned the funds to the Blast team.

Read more: [Crypto game exploited for $4.6M, hacker claims to be white-hat](https://protos.com/crypto-game-exploited-for-4-6m-hacker-claims-to-be-white-hat/)

As with The DAO hack on Ethereum in 2016, the incident forces us to consider the implications of interfering with what are supposed to be immutable ledgers.

The hack

Although the ‘hack’ itself was simple, it had been [planned](https://twitter.com/0xQuit/status/1772764460647846273) well in advance. Before launch, a rogue developer used their [admin](https://twitter.com/peckshield/status/1772761076259848465) access to assign themselves a hefty ether balance in a previous, unverified implementation of the Munchables contract. Later, when deposits began to stream into the upgraded contracts, the exploiter’s [address](https://blastscan.io/address/0x6e8836f050a315611208a5cd7e228701563d09c5) had plenty of ETH to drain the funds, [withdrawing](https://blastscan.io/tx/0x9a7e4d16ed15b0367b8ad677eaf1db6a2a54663610696d69e1b4aa1a08f55c95) approximately 17,400 ETH, worth over $62 million at the time.
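The pattern described above, a ledger balance that was written into contract storage by an admin rather than funded by a deposit, is something a project or its monitoring partner can check for off-chain before any withdrawal is attempted: replay the vault's own Deposit/Withdraw events to work out what each address is actually owed, then compare that with the balances the contract reports. The Python monitor below is an added example and is not code from Munchables, Blast or this article; the event history, the ledger snapshot (as if read through a `balances(address)` view), the contract's ETH holding and the addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI = 10**18  # 1 ETH in wei


@dataclass(frozen=True)
class VaultEvent:
    """One Deposit or Withdraw event emitted by the vault (constructed)."""
    block: int
    kind: str      # "Deposit" or "Withdraw"
    addr: str
    amount: int    # wei


# Constructed event history: every ETH movement the vault ever emitted.
SAMPLE_EVENTS = [
    VaultEvent(120, "Deposit",  "0xALICE", 5 * WEI),
    VaultEvent(121, "Deposit",  "0xBOB",   12 * WEI),
    VaultEvent(130, "Withdraw", "0xALICE", 2 * WEI),
]

# Constructed snapshot of the contract's own ledger, as a monitor would read it
# through a balances(address) view. 0xROGUE carries a large balance that no
# event ever funded: the hypothetical pre-launch admin write.
SAMPLE_LEDGER = {
    "0xROGUE": 17_400 * WEI,
    "0xALICE": 3 * WEI,
    "0xBOB":   12 * WEI,
}

# Constructed: ETH the vault contract actually holds (5 + 12 - 2).
SAMPLE_CONTRACT_ETH = 15 * WEI


def reconstruct_entitlements(events):
    """Replay the event log to get what each address is really owed:
    deposits minus withdrawals. The result comes from emitted events, not
    from contract storage, so a direct write to the ledger cannot affect it."""
    owed = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Deposit":
            owed[ev.addr] += ev.amount
        elif ev.kind == "Withdraw":
            owed[ev.addr] -= ev.amount
            if owed[ev.addr] < 0:
                raise ValueError(
                    f"{ev.addr} withdrew more than it deposited at block {ev.block}")
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return {addr: amt for addr, amt in owed.items() if amt != 0}


def find_unbacked_balances(ledger, events):
    """Addresses whose ledger balance exceeds their event-derived entitlement,
    mapped to the unbacked amount in wei. Any entry here is a balance that
    was written into storage rather than paid in."""
    owed = reconstruct_entitlements(events)
    return {addr: bal - owed.get(addr, 0)
            for addr, bal in ledger.items()
            if bal > owed.get(addr, 0)}


def liability_gap(ledger, contract_eth):
    """Total ledger liabilities minus ETH actually held. A positive gap means
    the vault cannot honour every balance, and the next large withdrawal is
    paid out of other users' deposits."""
    return sum(ledger.values()) - contract_eth


if __name__ == "__main__":
    for addr, gap in find_unbacked_balances(SAMPLE_LEDGER, SAMPLE_EVENTS).items():
        print(f"ALERT {addr}: ledger credits {gap // WEI} ETH that was never deposited")
    gap = liability_gap(SAMPLE_LEDGER, SAMPLE_CONTRACT_ETH)
    print(f"liability gap: {gap // WEI} ETH")  # 17400 ETH on the constructed data
```

Two design points matter here. First, entitlements are rebuilt from events rather than read back from the contract, because storage is exactly what a privileged insider can alter. Second, because a proxy's storage persists across implementation upgrades, the check has to cover state written under earlier implementations (including unverified ones) and not only the contract version that is live at launch; a pre-launch run of this comparison, when the ledger should be empty, would have surfaced the balance immediately.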

The developer also had admin access to a contract holding over $30 million in funds deposited by another Blast-based project, [Juicebox](https://twitter.com/Juice_Finance/status/1772752884725088454).

Centralization risk was [identified](https://twitter.com/WazzCrypto/status/1772755925222236257) as low severity in the project’s audit, and the developer’s preparations seemingly went unnoticed.

The culprit

Blockchain sleuth ZachXBT initially [suspected](https://twitter.com/zachxbt/status/1772742027391697009) that the developer responsible was part of the DPRK’s Lazarus Group of state-sponsored hackers, pointing the finger at a GitHub profile named ‘Werewolves0493.’ He also [suggested](https://twitter.com/zachxbt/status/1772843238539325947) that four of the project’s ‘developers’ may in fact be the same individual, as they were linked by on-chain transfers and through deposits to shared exchange addresses.

PixelCraft Studios’ CEO, who goes by coderdan.eth on X (formerly Twitter), shared his [run-in](https://twitter.com/coderdannn/status/1772820871478223074) with the same developer, who was fired “within a month.” Judging by deposits to their Binance addresses, ChainArgos [believe](https://twitter.com/ChainArgos/status/1772884592552452594) the developer has had a handful of short-term jobs over the past 18 months.

Whether this individual was connected to Lazarus or not, [attempting](https://twitter.com/jonwu_/status/1520072367069876224) to infiltrate crypto teams is a known technique used by the hacking group.

The dilemma

Ever since the US Treasury’s [sanctioning](https://protos.com/explainer-what-to-know-about-crypto-mixer-tornado-cash/) of crypto mixer Tornado Cash, credible censorship resistance has become an important measure of a blockchain’s decentralization. The hope is that if there’s no single entity to accuse of interacting with sanctioned addresses, then there’s nobody to prosecute.

Likewise, though, if a US-based development team has sufficient admin powers to revert the effects of hacks or the actions of sanctioned entities, it may find itself obliged to do so.

Precedents have been set in the past. Last year, [Jump Crypto](https://protos.com/a-look-at-jump-crypto-and-its-shady-past/) conducted a ‘counter-exploit’ to [recover](https://blockworks.co/news/jump-crypto-wormhole-hack-recovery) the 120,000 ETH lost in 2022’s Wormhole hack, worth over $300 million at the time. Also in 2022, Binance-linked BNB Chain was halted by its validators, ensuring that the proceeds of a [$600 million bridge hack](https://protos.com/explained-how-600m-was-stolen-from-binances-bnb-chain/) couldn’t be siphoned to other, less censorable chains.

Blast itself isn’t exactly a prime example of crypto’s ‘trustlessness’ ethos, nor is it a paragon of decentralization.

Read more: [Critics decry Blast as the latest sketchy scheme on Ethereum](https://protos.com/critics-decry-blast-as-the-latest-sketchy-scheme-on-ethereum/)

When Blast was launched, alongside a FOMO-inducing points program, it offered ‘native yield’ on ETH and stablecoins, despite deposits simply going into a multisig wallet while the network itself was being built.

Blast’s status as a mostly experimental sandbox which doesn’t prioritize decentralization as much as other networks led some to [believe](https://twitter.com/WazzCrypto/status/1772764521775386639) that using centralized powers to [manually revert](https://twitter.com/0xCygaar/status/1772752423561404480) unsavoury activities should be [encouraged](https://twitter.com/bax1337/status/1772755821178306603) in order to make users whole.

But others [argue](https://twitter.com/hudsonjameson/status/1772856018285801607) that such a move could be seen as a sign of approval for other centralized rollups (e.g. Optimism and Base) that might be forced to censor their network activity.

The DAO

The debate brought back [memories](https://twitter.com/0xG00gly/status/1772755020099792956) of 2016’s The DAO hack which, incidentally, involved a similar dollar amount lost (3.6M ETH, which would be worth almost $13B today).

Read more: [Ethereum’s Dencun causes ‘Blast’ layer 2 outage](https://protos.com/ethereums-dencun-causes-blast-layer-2-outage/)

The ‘hard fork’, designed to reverse the damage, resulted in a chain split leading to today’s Ethereum mainnet and the continuation of the pre-fork chain, now known as Ethereum Classic.

Given the frequency at which Ethereum users have been exposed to losses of $60 million and above since then, a hard fork to remedy a hack seems almost unthinkable.
