Anonymous

Polygon Labs engineer: Currently, Blast is not an L2, and the contract is controlled by a 3/5 multi-signature from anonymous new addresses

According to ChainCatcher, Polygon Labs developer relations engineer Jarrod Watts stated that the Blast contract is an upgradeable contract controlled by a 3/5 multi-signature, with all 5 addresses being anonymous new addresses. The multi-signature holders could execute a code upgrade and immediately steal funds, although many other Layer 2 solutions, including Arbitrum, currently have the same capability. However, Blast is currently not a Layer 2, but merely a smart contract that accepts user funds and invests them in protocols like Lido. There is no testnet, no transactions, no bridges, no rollups, and no transaction data sent to Ethereum. If the 3/5 multi-signature controlling the contract does not "do the right thing" in the future, users will not be able to withdraw the money deposited in the Blast contract at any time.

Yu Xian, the founder of SlowMist, commented that the Blast contract is indeed an upgradeable contract, as Jarrod Watts mentioned, controlled by a 3/5 multi-signature (the identities of the 5 individuals are unknown) and without a time lock. If they want to run away, they can either upgrade to a malicious logic contract or set a malicious mainnetBridge with enableTransition. Currently, apart from the contract deployed on Ethereum, Blast's other activities are centralized Web2 project spin-offs, but there are several well-known institutions backing it. Users tend to trust projects that have institutional endorsements.
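The properties reported above (upgradeable, 3/5 multi-signature, new signer addresses, no time lock) can be checked by a depositor from raw node responses. The following is an added example, not code from Blast, SlowMist or ChainCatcher. It assumes an EIP-1967 proxy whose upgrade authority is returned by `owner()` and a Safe-style multisig exposing `getOwners()` and `getThreshold()`; every address and response in it is constructed.

```python
# Added example: offline triage of raw JSON-RPC results; all SNAPSHOT values are constructed.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"  # EIP-1967

def unhex(hex_str):
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)

def word_to_address(word_hex):
    """An address is the low 20 bytes of a 32-byte ABI word or storage slot."""
    return "0x" + unhex(word_hex).rjust(32, b"\x00")[12:].hex()

def decode_address_array(data_hex):
    """Decode the ABI return data of a function returning address[]."""
    raw = unhex(data_hex)
    offset = int.from_bytes(raw[:32], "big")
    count = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:]
    if len(body) < 32 * count:
        raise ValueError("truncated address[] return data")
    return ["0x" + body[32 * i + 12:32 * i + 32].hex() for i in range(count)]

def assess(snap, fresh_nonce_max=5):
    """Return findings about who can change the contract and how quickly."""
    findings = []
    if int(snap["storage"][IMPL_SLOT], 16) != 0:
        findings.append("upgradeable-proxy")
    owners = decode_address_array(snap["getOwners"])
    threshold = int(snap["getThreshold"], 16)
    findings.append(f"multisig-{threshold}-of-{len(owners)}")
    # Heuristic (assumption): a low transaction count marks a newly created key.
    if all(int(snap["nonces"][o], 16) <= fresh_nonce_max for o in owners):
        findings.append("all-signers-fresh")
    # If owner() is the multisig itself, no timelock contract sits in between.
    if word_to_address(snap["owner"]) == snap["multisig"].lower():
        findings.append("no-timelock")
    return findings

def word(n):
    return format(n, "064x")  # builds a constructed 32-byte word

SIGNERS = [0xA1, 0xA2, 0xA3, 0xA4, 0xA5]      # constructed signer addresses
MULTISIG = "0x" + format(0x5AFE, "040x")      # constructed multisig address
SNAPSHOT = {
    "multisig": MULTISIG,
    "storage": {IMPL_SLOT: "0x" + word(0x1099C)},   # eth_getStorageAt result
    "owner": "0x" + word(0x5AFE),                   # owner() return data
    "getOwners": "0x" + word(32) + word(len(SIGNERS)) + "".join(map(word, SIGNERS)),
    "getThreshold": "0x" + word(3),
    "nonces": {"0x" + format(s, "040x"): "0x1" for s in SIGNERS},  # eth_getTransactionCount
}
```

Calling `assess(SNAPSHOT)` returns all four findings. Pointing `owner` at a separate timelock contract address drops the `no-timelock` finding.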

Kannagi Rug Pull address received anonymous communication, requiring the thief to return the funds within 48 hours

According to ChainCatcher, on-chain data shows that the DeFi project Kannagi Finance on zkSync Era received an anonymous communication about 3 hours ago. The specific content is as follows:

"Hello, Kannagi project leader. Regarding your rug event, we are communicating with you on behalf of a domestic victim group of $600,000. The funds you rug pulled are the life savings of many people, destroying many families. The related domestic victims have organized a strong and united community. We have collected evidence from many KOLs and well-known platforms promoting this project, as well as relevant individuals to assist in the investigation, and have sorted out your past operations on multiple projects and the operational traces and paths of all associated wallets. We have also contacted security companies both domestically and internationally to intervene and track; we have reached out to relevant centralized exchanges, as well as the auditing company for your project and related on-chain platforms that are fully cooperating with the investigation. Currently, we have compiled all the case materials and have grasped your obvious operational trace vulnerabilities. Our community members will report to the police across the country, and this will become a collective case handled by multiple departments in various locations nationwide. We give you 48 hours to contact us to discuss the return of the illegally obtained funds, otherwise, once law enforcement takes over, there will be no turning back. If there is no response after the deadline, we will also establish a reward pool of 20% of the involved funds to reward whistleblowers who provide clues to capture you or recover all funds. Are you really sure that all the operations you have conducted over the years have no vulnerabilities?"

Previously, on July 29, the DeFi project Kannagi Finance on zkSync Era experienced a rug pull, and its official Twitter account has been deactivated.