Bybit’s Lazarus Security Lab has found that several blockchain networks include built-in functions that can freeze funds.
The results again raise questions about decentralization, censorship resistance, and how much control users really have over their assets.
After reviewing 166 blockchain networks, researchers found that 16 blockchains have direct fund-freezing features and another 19 could enable similar functions with small protocol changes. These mechanisms range from hard-coded logic and configuration-based permissions to contract-level control.
The report, titled “Blockchain Freezing Exposed,” categorizes these systems into three main types: hard-coded logic, configuration file controls, and on-chain contract execution.
Hard-coded logic means the power to block wallet addresses is baked directly into the blockchain software itself. This arrangement is already in place on networks like BNB Chain and VeChain.
A second approach, configuration file controls, lets developers or validators enable or disable freezing via configuration files. Newer chains like Sui and Aptos use this approach.
The third category is the on-chain contract execution model, which depends on smart contracts that allow administrators to freeze or unfreeze wallets instantly through special commands. HECO and Klaytn are among the networks using this model.
The Lazarus team started its investigation after the Sui Foundation froze more than $160 million in stolen tokens following a major hack on the Cetus decentralized exchange earlier this year. The move was widely viewed as a success for protecting investors, but it also triggered difficult questions about who really holds power on “decentralized” networks.
Most of the other blockchains added freeze functionalities only after multimillion-dollar hacks. VeChain added its blacklist system in 2019 after a $6.6 million theft, and BNB Chain added similar functionality after it suffered a $570 million exploit in 2022.
While these tools aid in recovering stolen funds, they also allow various entities to intervene in ways that slowly move these networks from security toward centralization.
The report points out that freezing tools can protect users and help combat fraud, but they also risk undermining one of blockchain’s core values: freedom from centralized control.
More recently developed enterprise-focused blockchains are adding such controls to meet regulatory or compliance needs, but older ones like Bitcoin and Ethereum remain completely decentralized and do not provide a freeze function.
Some developers maintain that these systems are necessary for Anti-Money Laundering (AML) compliance and for combating fraud, while others see them as emergency tools. The Lazarus team maintains that the development of such powers must be made transparent and collectively governed, not left to the discretion of any single authority.
To carry out the study, the researchers used AI tools to scan open-source blockchain code on GitHub for freeze-related functions, blacklists, and validator permissions. A total of 166 projects were scanned, after which human experts manually confirmed the results.
This process showed that while some freezing functions were public, others were hidden deep within code repositories, indicating that not all users know just how much control network operators have.
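A simplified illustration of this kind of scan-then-review triage, added here as an example and not the lab's own tooling: it flags freeze-related identifiers in a repository and tags each hit with one of the report's three categories for a human to confirm. The keyword patterns, the file-extension-to-category mapping, and the sample files are all constructed assumptions.

```python
import re
from collections import namedtuple
from pathlib import PurePosixPath

# Assumed keyword heuristics; the report does not publish its search terms.
FREEZE_RE = re.compile(
    r"\w*(?:black_?list|block_?list|deny_?list|freez|frozen)\w*", re.I)
# Test and vendored code is skipped: a hit there is not a live freeze path.
SKIP_RE = re.compile(r"(^|/)(vendor|node_modules|tests?)/|_test\.", re.I)

HARD, CONF, CONTRACT = ("hard-coded logic", "configuration file controls",
                        "on-chain contract execution")
# Assumption: file type is a first guess at the category; a reviewer confirms it.
CATEGORY_BY_EXT = {".go": HARD, ".rs": HARD, ".java": HARD, ".cpp": HARD,
                   ".yaml": CONF, ".yml": CONF, ".toml": CONF, ".json": CONF,
                   ".sol": CONTRACT, ".vy": CONTRACT}

Finding = namedtuple("Finding", "path line identifier category")

def scan_repo(files):
    """Return freeze-related identifiers queued for manual review.

    files maps a repository-relative path to that file's text.
    """
    findings = []
    for path, text in sorted(files.items()):
        category = CATEGORY_BY_EXT.get(PurePosixPath(path).suffix.lower())
        if category is None or SKIP_RE.search(path):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in FREEZE_RE.finditer(line):
                findings.append(Finding(path, lineno, match.group(0), category))
    return findings

# Constructed sample repository, not taken from any real chain.
SAMPLE_REPO = {
    "core/state_transition.go": (
        "func (st *StateTransition) preCheck() error {\n"
        "    if isBlacklisted(st.msg.From) {\n"
        "        return ErrSenderBlocked\n    }\n    return nil\n}\n"),
    "core/state_transition_test.go": "func TestBlacklist(t *testing.T) {}\n",
    "config/node.yaml": "p2p:\n  port: 30303\ntransaction_deny_list:\n  - \"0xCONSTRUCTED\"\n",
    "contracts/Admin.sol": (
        "function freezeAccount(address a) external onlyAdmin { frozen[a] = true; }\n"),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.category:30} {f.path}:{f.line} {f.identifier}")
```

Keyword hits like these only nominate candidates; whether an identifier actually gates transactions still has to be confirmed by reading the code, which is the manual step the researchers describe.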
The report points to a growing divide between open, permissionless blockchains that run purely on community consensus, and permissioned networks that give certain groups some control for security or compliance.
As blockchain moves deeper into finance and enterprise use, that gap is only getting wider. Developers now face a tricky question: how do you build systems that stay secure without giving up decentralization?
The study suggests that while decentralization is still a core value for most projects, there’s a slow but steady shift toward more controlled governance. It says the real challenge is making sure that kind of control stays transparent, limited, and used only when truly needed.
