How it worksCompetitionsReviewsGuildsBountiesPortfolioBlog
Sign in

Blast / Blast




Blast Competition

Welcome security researchers to the largest competition in history with Blast! Blast is an L2 for the Ethereum ecosystem introducing native yield for ETH and stablecoins.

Say goodbye to flipping tabs, using Discord, copying Github links, and the nuisances of the competition experience of the past and hello to...

Cantina Code. The ultimate code review experience built by security researchers for security researchers. It is our pleasure to have you - we hope you choose to stick around 🪐

What is Blast

How Blast works


Users transact in ETH. Dapps are built around ETH. Blast was designed from the ground up so that ETH itself is natively rebasing on the L2.


Blast only became possible this year following Ethereum's Shanghai upgrade. ETH yield from L1 staking, initially Lido, is automatically transferred to users via rebasing ETH on the L2.


Users who bridge stablecoins receive USDB, Blast's auto-rebasing stablecoin. The yield for USDB comes from MakerDAO's on-chain T-Bill protocol. USDB can be redeemed for USDC when bridging back to Ethereum.

Visit the for a complete project overview.

Prize distribution and scoring

  • The prize distribution has 3 possible triggers:
    • If one or more valid low/informational severity findings are found, the total pot size is $20,000
    • If one or more valid medium severity findings are found, the total pot size is $200,000
    • If one or more valid high severity findings are found, the total pot size is $1,200,000
  • Scoring described in the competition scoring page.
  • $20,000 of the prize pot is reserved for Low Severity or informational findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.
    • 1st: 10,000
    • 2nd: 5,000
    • 3rd: 2,500
    • 4th: 1,250
    • 5th: 1,250
  • Note that for Low / Info findings, we want to encourage high-quality non-trivial submissions. Given that the codebase has gone through multiple reviews before, and due to the large number of participants, we’ll be marking any trivial low / info findings as invalid (these are typically findings generated from a static-analyzer). To reiterate, the above pot is judged on quality alone and not quantity.
  • Findings Severities described in detail on our docs page.


Check out the previously recorded code read through for the competition:

Blast Competition Live Code Walkthrough LINK TBD.

Combined Repo

See the diff against ea28fd1a46e71f207954d60524bd82ee1df61235 which represents upstream to see our unique changes on the OP stack here.



Files and Folders in Scope

blast-geth*, excluding *_test.go, ./tests/*, gen_*.go

Additional Out of Scope files


Out of Scope issues

Any acknowledged / won't fix findings on the previously published reviews will be considered out of scope.

Findings noted as fixed, that in fact are not fixed, or introduce new issues, are considered in scope:

Spearbit: Blast Node Review

All Informational findings are acknowledged. The remaining are noted below:

  • acknowledge / won't fix:
    • 5.3.13 Share remainder becomes increasingly inefficient over time
    • 5.3.12 SubClaimableAmount() can claim more than the maximum claimable balance
    • 5.3.11 Configuring a YieldClaimable account to YieldClaimable resets the claimable balance
    • 5.3.9 To implement TODOs found in the code risking node ops
    • 5.3.3 op-geth/core/vm/contracts.go change makes multiple methods less efficient
  • fixed:
    • 5.1.1 Gas tracking introduces resource consumption related DOS
    • 5.3.10 SelfDestruct permanently deletes all unclaimed yield
    • 5.3.8 No nil check on ZeroClaimRate
    • 5.2.1 MemoryStateDB contains data race in DeleteState()
    • 5.3.7 AllocateDevGas() divide-by-zero can cause denial of service
    • 5.3.6 (b *blast) Run() caller authorization conditionals should be placed before input deserialization
    • 5.3.5 AllocateDevGas() contains redundant hashing
    • (partially addressed -> 1 panic removed, remaining acknowledged) 5.3.4 Invariant panics risk node operation
    • 5.3.2 USDB predeployment is skipped
    • 5.3.1 (i ImmutableConfig) Check() is missing validation checks for new Blast fields

Spearbit: Blast Contracts Review

  • acknowledge / won't fix:
    • 5.2.2 commitYieldReport() will revert when withdrawing insurance to cover negative yield
    • 5.3.6 Fraud recovery logic is missing
    • 5.4.7 WETHRebasing virtual share earns yield
    • 5.4.8 Gas claim rate is non-continuous
    • 5.4.11 claimGasAtMinClaimRate uses all etherSeconds when minClaimRateBips <= zeroClaimRate
    • 5.4.12 etherSeconds can be saved up to be used on vesting subsequent gas claims
    • 5.4.13 USDC to DAI conversion can fail once debt limits are exceeded
  • fixed:
    • 5.2.3 WETHRebasing share price precision issue breaks ERC20 invariants
    • 5.1.4 Changing yield from Claimable cause fund loss
    • 5.1.5 Calling findCheckpointHints() with _firstIndex as 0 will always revert
    • 5.1.6 Withdrawing discounted ETH from L2 always fails
    • 5.1.7 Fund duplication via ERC20 self-transfer
    • 5.1.8 Message can be passed through OptimismPortal to maliciously call ethYieldManager
    • 5.1.3 _delegatecall_uint256_arr_arg_returns_uint256 wrong calldata encoding
    • 5.1.2 L1BlastBridge uses wrong token order when bridging USD yield tokens
    • 5.1.1 msg.sender has to be un-aliased in L2BlastBridge.finalizeBridgeETHDirect()
    • 5.2.1 Inflated _sharePrice() from inclusion of lockedAmount funds
    • 5.2.4 Unset governor allows to steal both yield and gas refund
    • 5.2.5 Unsafe ERC-20 transfer breaks USDT bridging in L1BlastBridge
    • 5.2.6 ETH yield token bridge transactions use fixed gas and are not replayable
    • (resolved by another fix) 5.3.7 Initial depositor can inflate share to siphon yield of smaller deposits
    • 5.3.8 Reinitialization causes metering parameter to be reset
    • 5.3.9 admin in the Insurance contract can never be set
    • 5.3.10 donateETH funds are stuck in OptimismPortal
    • 5.3.11 Actual claim rate may be below minClaimRateBips
    • 5.3.1 YieldManager.finalize can underflow for accumulatedNegativeYields
    • 5.3.3 YieldManager can claim fewer unstaked tokens than expected resulting in insolvency
    • 5.3.4 USDConversions can swap locked funds
    • 5.3.5 YieldManager can stake locked funds
    • 5.4.6 Missing onlyEOA modifier
    • 5.4.9 Standard ERC20Permit allows different name initialisation in constructor and initialiser
    • 5.4.10 Claiming gas can run out of gas in transfer
    • 5.4.14 Unsafe type casts
    • 5.4.5 LidoYieldProvider.isStakingEnabled is incorrect
    • 5.4.4 Non-zero Maker's PSM buyGem() fee will cause DAI to USDC swaps to fail
    • 5.4.3 DSRYieldProvider.sol.isStakingEnabled() does not check liveness of Maker's protocol
    • 5.4.2 Blast.claimYield() should revert when claiming more than the available amount
    • 5.4.1 Admin should not be allowed to revoke its role

3rd external review: TBA

Blast team notes there is sufficient overlap with other already noted fixed or out of scope items.

Other Out of Scope

Automated findings from 4naly3er.

Errors Tests, Mocks, Documentation files are considered out of scope. The exception being where implementation code does not adhere to spec (i.e. implementation errors in scope vs docs typos out of scope).

The following categories of issues are out of scope for this competition.

  • Issues that posit a malicious sequencer operator
  • Issues related to centralization concerns
  • Concerns about the incentives for smart contracts to optimize their gas given that they can claim the sequencer fees caused by their contracts
  • Concerns about regulating Blast's block space since smart contracts can claim their sequencer fees
  • Frontrunning yield updates
  • Increasingly inefficient balance representations caused by Blast's limited precision, constantly increasing share prices
  • Locked funds caused by the sequencer operator finalizing withdrawal requests that turned out to be faulty (i.e. the output root changed)
  • Inability to replay stETH deposits that failed on the L2


MiloTruck has put together a fantastic compilation of intro resources for understanding Blast at a base-level here.

Build Instructions

Running Blast locally (against a local L1)

Contact Us

For any issues or concerns regarding Cantina Competitions or Cantina Code - please reach out to us at Cantina.




Total reward:

$1,200,000 USDC

Start date:

30 Jan 2024 8:15pm (local time)

End date:

20 Feb 2024 8:00pm (local time)

The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to.



© 2024 Cantina. All rights reserved.