# Layer-2s

While Ethereum was the primary target in the Phemex exploit, with over 60% of stolen assets coming from Ethereum, XRP, Bitcoin, and Solana, the attackers also capitalized on major Layer 2 (L2) networks. Given their growing adoption in DeFi, L2s such as **Optimism, Arbitrum, Base, Avalanche, and BSC** became key battlegrounds in the attack.

These L2 solutions are designed to scale Ethereum, offering lower fees and faster transactions. However, their integration with Ethereum’s ecosystem also makes them susceptible to cross-chain exploits. In the Phemex hack, **losses across EVM-compatible L2s alone exceeded $9 million**, highlighting that attackers are increasingly targeting these networks.

## On-Chain Activity Across L2s

By analyzing Phemex’s compromised hot wallets across multiple networks, we visualized the full scope of the exploit using our blockchain forensics tools. Below, we break down some of the major affected L2s:

### 1. [Base](https://www.base.org/) (Layer 2 -[ Coinbase)](https://www.coinbase.com/en-ca)

* **Hot Wallet:** 0x50be13b54f3eebbe415d20250598d81280e56772
* **Exploiter:** 0x392d99ec0348172c046cd64b85c21df0927ab946
* **Time of Breach:** 11:52 UTC
* **Loss:** \~$2M (ETH, USDC, Aerodrome, Degen, Luna by Virtuals, Brett, AgentLayer)

#### Attack Breakdown

The Phemex Base Exploiter drained ETH and USDC, prioritizing USDC as a freezable asset, before converting stolen tokens into ETH using the [**Odos Protocol**](https://www.odos.xyz/) for optimal liquidity. 

<figure><img src="/files/XRx1249OyhWTEcRofQQ4" alt=""><figcaption><p>Base Tracer shows ETH and USDC being drained, swapped, and eventually bridged.</p></figcaption></figure>

<figure><img src="/files/rTGdAQalXQ8KIPIuqu9H" alt=""><figcaption><p>Base Exploiter is draining ETH, USDC, and various ERC-20 tokens from the Phemex hot wallet.</p></figcaption></figure>

<figure><img src="/files/SP41CHOY1nqsmLTi0qpx" alt=""><figcaption><p>Odos Protocol being used to swap various tokens for ETH</p></figcaption></figure>

The final step involved bridging assets to Ethereum Mainnet via [**Stargate Protocol**](https://stargate.finance/), effectively obscuring the origin of the stolen funds. **Our Transaction Decoder enabled us to identify the destination chain ID, revealing where the bridged funds were sent.**

<figure><img src="/files/H4bCxDVxJgSwBuoONrPE" alt=""><figcaption><p>Stargate Protocl being used to bridge fudns cross-chain</p></figcaption></figure>

### 2. [BNB Chain ](https://www.bnbchain.org/en)(Layer 2 - [Binance](https://www.binance.com/en))

* **Hot Wallet:** 0x50be13b54f3eebbe415d20250598d81280e56772
* **Exploiter:** 0x6c42f03d730b7643939fa1d00416cb2985ed9cf3
* **Time of Breach:** 11:52 UTC
* **Loss:** \~$3M (BNB, BUSD, BTCB, PancakeSwap Token)

#### Attack Breakdown

The Phemex BNB Exploiter drained multiple tokens, swapping all ERC-20 assets into BNB using [**ParaSwap**](https://www.paraswap.xyz/) for liquidity.&#x20;

<figure><img src="/files/s2TvvJPp7gxipwKQRRA5" alt=""><figcaption><p>Phemex Exploiter draining Phemex Hot Wallet</p></figcaption></figure>

<figure><img src="/files/QQO7nGesQsD744BuMtDW" alt=""><figcaption><p>ParaSwap is being used to swap various asstes into BNB</p></figcaption></figure>

The stolen BNB was consolidated into the wallet 0xd760cc6f2d41e43309912d54a0955dbc8a77890f, marking the final stage of the exploit on BNB chain.

<figure><img src="/files/e459CPh74sHtEqz9FkqF" alt=""><figcaption><p>$3.33 M BNB being transferred to 0xd760c...</p></figcaption></figure>

### 3. Other Layer 2s

Beyond Base and BSC, the attackers targeted additional Ethereum Layer 2 networks, each exploited for significant sums. These included **Optimism, Arbitrum, and Avalanche**, where attackers followed a **similar pattern of asset drainage, liquidity swaps, and cross-chain movement.**

<figure><img src="/files/FHCdUnCClmPWaYE2PmJH" alt=""><figcaption><p>Avalanche Hot Wallet getting drained out for $1.08 M</p></figcaption></figure>

<figure><img src="/files/w7MaTEvLM4cFtlHJzIhF" alt=""><figcaption><p>Exploiter stealing various tokens on ARB including ETH, USDC, USDT, ARB, GMX and XAI</p></figcaption></figure>

And just like that, over $9 million disappeared across all Layer 2 networks within a few hours.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://research.blockscope.co/the-phemex-heist-multichain-innovation-or-securit/layer-2s.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.