In the early hours of December 1, a trader took to social media to say that the slippage limit for Blast’s USDT deposits was set at 10% by default. After a user initiated a transaction, it was sandwiched by a $70 million DAI transaction in Curve 3pool. Within an hour, the attackers had seized more than $100,000.

Subsequently, Blast posted on its social media platform about the compensation plan for the sandwich attack. Blast said that when a user deposits USDT, Blast Bridge converts it to DAI within the deposit transaction. A misconfiguration of the slippage parameter on the UI caused a user to receive 100,000 less DAI than they should have across 2 transactions. Blast said that the configuration error has been resolved and that it will send the affected user the amount lost to slippage plus an additional 10% bonus, totaling 110,000 USDT.
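The slippage parameter Blast mentions is the only hard bound on what a sandwich can take from a deposit: the user’s transaction carries a minimum output derived from the quote shown in the UI, and a swap that would pay less than that minimum reverts. The following is an added illustration, not Blast’s or Curve’s code. It models the USDT/DAI leg as a constant-product pool with constructed reserves (Curve 3pool is a stableswap with a 0.04% fee; both are ignored here because the point is the minimum-output guard), and the `Pool`, `min_out_for`, `deposit_with_tolerance` and `run_scenarios` names, the 5,000,000 adverse trade and the 200,000 deposit are all assumed sample values. It replays the same deposit under a 0.5% and a 10% tolerance after a large trade lands ahead of it, which is the front-running half of the sandwich described above.

```python
"""Why the slippage tolerance is the user's only hard bound on sandwich loss.

Constructed model: a constant-product pool (x*y = k) standing in for the
USDT/DAI leg of the deposit. Curve 3pool actually uses a stableswap curve and
a 0.04% fee; both are ignored here because the point is the min-output guard,
not the exact price curve. All reserves and amounts are made-up sample values.
"""


class SlippageExceeded(Exception):
    """Raised when the pool would pay out less than the caller's minimum."""


class Pool:
    def __init__(self, reserve_in: float, reserve_out: float):
        self.x = reserve_in   # token the user sells (USDT in the incident)
        self.y = reserve_out  # token the user receives (DAI in the incident)

    def quote(self, dx: float) -> float:
        """Output for selling dx, holding x*y constant (no fee)."""
        return self.y * dx / (self.x + dx)

    def swap(self, dx: float, min_out: float) -> float:
        """Execute only if the output clears min_out (the role of Curve's min_dy)."""
        dy = self.quote(dx)
        if dy < min_out:
            raise SlippageExceeded(f"would receive {dy:.2f} < min_out {min_out:.2f}")
        self.x += dx
        self.y -= dy
        return dy


def min_out_for(quoted: float, tolerance: float) -> float:
    """Minimum acceptable output given the quote the UI showed and a tolerance
    expressed as a fraction (0.10 for the 10% default described in the article)."""
    if not 0.0 <= tolerance < 1.0:
        raise ValueError("tolerance must be in [0, 1)")
    return quoted * (1.0 - tolerance)


def deposit_with_tolerance(pool: Pool, amount: float, quoted: float, tolerance: float) -> float:
    """The user's swap. min_out is fixed from the quote seen at signing time, so any
    adverse reserve change between quote and execution is capped by the tolerance."""
    return pool.swap(amount, min_out_for(quoted, tolerance))


def run_scenarios(amount: float = 200_000.0, adverse_trade: float = 5_000_000.0) -> dict:
    """Replay one deposit under a tight and a loose tolerance after a large trade
    lands ahead of it. Returns whether it reverted, what it received, and the loss
    relative to the original quote (all sample values)."""
    results = {}
    for label, tol in (("tight", 0.005), ("loose", 0.10)):
        pool = Pool(100_000_000.0, 100_000_000.0)  # constructed reserves
        quoted = pool.quote(amount)                # what the UI would have displayed
        pool.swap(adverse_trade, 0.0)              # someone else's trade moves the price first
        try:
            received = deposit_with_tolerance(pool, amount, quoted, tol)
            results[f"{label}_reverted"] = False
            results[f"{label}_received"] = received
            results[f"loss_pct_{label}"] = 100.0 * (quoted - received) / quoted
        except SlippageExceeded:
            results[f"{label}_reverted"] = True
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With these sample reserves the 0.5% deposit reverts and the 10% deposit goes through about 9.3% below its quote: the loss is not the attacker’s choice but whatever the tolerance permits, which is why a 10% default on a stablecoin-to-stablecoin swap is the misconfiguration rather than the MEV itself.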

Blast added that after querying historical transactions, it was confirmed that only one user’s transactions were affected.
It took only about ten minutes between the time the trader said the attack was possible and the time Blast gave a solution. However, the community is still concerned about the security of Blast, believing that it is not a true Ethereum L2. Some community users have even told Blast to “stop calling it a bridge”.

In the comment section of Blast’s official tweet, some users said that they could not understand how a “miscalculated slippage parameter” could cause $200,000 in USDT to be exchanged for $100,000 in DAI. One of them did not understand how MEV would allow such a trade to happen even if he had set the slippage at 50% for some crazy reason.
Since the original transaction amount has not been officially announced, it is impossible to speculate whether Blast’s handling is reasonable, but the concerns of community users also reflect that Blast is not fully trusted by the market today.
Since Blur founder Pacman announced the launch of Blast on November 21, Blast’s TVL has reached $640 million in 10 days as of December 1.
However, the rapidly soaring TVL figure has led to a big discussion in the market about its security risks. A Polygon engineer bluntly said that “this is not L2”, adding that Blast is just a smart contract with two functions: 1. Accept users’ funds. 2. Invest users’ funds in protocols such as Lido. There is no testnet, no transactions, no bridge, no rollup, and no transaction data sent to Ethereum.
Later, Blast issued a statement in response to the security questions, saying that one of the multisig addresses would be updated within a week, and that the contract was designed this way for security reasons.
Blast’s view is that “as long as the project itself is not evil, there is no time lock, and smart contracts can be upgraded, it is a safer choice.” But are users willing to trust Blast?