Layer-2s

While Ethereum was the primary target in the Phemex exploit, with over 60% of stolen assets coming from Ethereum, XRP, Bitcoin, and Solana, the attackers also capitalized on major Layer 2 (L2) networks. Given their growing adoption in DeFi, L2s such as Optimism, Arbitrum, Base, Avalanche, and BSC became key battlegrounds in the attack.

These L2 solutions are designed to scale Ethereum, offering lower fees and faster transactions. However, their integration with Ethereum’s ecosystem also makes them susceptible to cross-chain exploits. In the Phemex hack, losses across EVM-compatible L2s alone exceeded $9 million, highlighting that attackers are increasingly targeting these networks.

On-Chain Activity Across L2s

By analyzing Phemex’s compromised hot wallets across multiple networks, we visualized the full scope of the exploit using our blockchain forensics tools. Below, we break down some of the major affected L2s:

1. Base (Layer 2 - Coinbase)

  • Hot Wallet: 0x50be13b54f3eebbe415d20250598d81280e56772

  • Exploiter: 0x392d99ec0348172c046cd64b85c21df0927ab946

  • Time of Breach: 11:52 UTC

  • Loss: ~$2M (ETH, USDC, Aerodrome, Degen, Luna by Virtuals, Brett, AgentLayer)

Attack Breakdown

The Phemex Base Exploiter drained ETH and USDC, prioritizing USDC as a freezable asset, before converting stolen tokens into ETH using the Odos Protocol for optimal liquidity.

Base Tracer shows ETH and USDC being drained, swapped, and eventually bridged.
Base Exploiter is draining ETH, USDC, and various ERC-20 tokens from the Phemex hot wallet.
Odos Protocol being used to swap various tokens for ETH

The final step involved bridging assets to Ethereum Mainnet via Stargate Protocol, effectively obscuring the origin of the stolen funds. Our Transaction Decoder enabled us to identify the destination chain ID, revealing where the bridged funds were sent.

Stargate Protocol being used to bridge funds cross-chain

2. BNB Chain (Layer 2 - Binance)

  • Hot Wallet: 0x50be13b54f3eebbe415d20250598d81280e56772

  • Exploiter: 0x6c42f03d730b7643939fa1d00416cb2985ed9cf3

  • Time of Breach: 11:52 UTC

  • Loss: ~$3M (BNB, BUSD, BTCB, PancakeSwap Token)

Attack Breakdown

The Phemex BNB Exploiter drained multiple tokens, swapping all ERC-20 assets into BNB using ParaSwap for liquidity.

Phemex Exploiter draining Phemex Hot Wallet
ParaSwap is being used to swap various assets into BNB

The stolen BNB was consolidated into the wallet 0xd760cc6f2d41e43309912d54a0955dbc8a77890f, marking the final stage of the exploit on BNB chain.

$3.33 M BNB being transferred to 0xd760c...

3. Other Layer 2s

Beyond Base and BSC, the attackers targeted additional Ethereum Layer 2 networks, each exploited for significant sums. These included Optimism, Arbitrum, and Avalanche, where attackers followed a similar pattern of asset drainage, liquidity swaps, and cross-chain movement.

Avalanche Hot Wallet getting drained out for $1.08 M
Exploiter stealing various tokens on ARB including ETH, USDC, USDT, ARB, GMX and XAI

And just like that, over $9 million disappeared across all Layer 2 networks within a few hours.
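The drain stage seen on each network above (one hot wallet sending several different assets to a single unfamiliar address within minutes) can be written as a monitoring rule. The sketch below is an added example, not part of the original analysis or its tooling; the two page addresses are reused as labels, while the transfer records, allowlist, thresholds and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOT_WALLET = "0x50be13b54f3eebbe415d20250598d81280e56772"  # hot wallet named on the page
EXPLOITER = "0x392d99ec0348172c046cd64b85c21df0927ab946"   # Base exploiter named on the page
KNOWN_DESTINATIONS = {"0x1111111111111111111111111111111111111111"}  # constructed allowlist

# Constructed sample: (UTC time, sender, recipient, asset, USD value). Not real chain data.
SAMPLE = [
    ("09:10:00", HOT_WALLET, "0x1111111111111111111111111111111111111111", "USDC", 250_000),
    ("10:05:00", HOT_WALLET, "0x2222222222222222222222222222222222222222", "ETH", 1_200),
    ("11:52:05", HOT_WALLET, EXPLOITER, "USDC", 900_000),
    ("11:52:40", HOT_WALLET, EXPLOITER, "ETH", 700_000),
    ("11:53:30", HOT_WALLET, EXPLOITER, "AERO", 150_000),
    ("11:54:10", HOT_WALLET, EXPLOITER, "DEGEN", 90_000),
]

def detect_drains(transfers, hot_wallet=HOT_WALLET, allow=KNOWN_DESTINATIONS,
                  window=timedelta(minutes=10), min_assets=3, min_usd=100_000):
    """Flag recipients outside the allowlist that receive several distinct
    assets from the hot wallet inside one sliding time window."""
    by_recipient = defaultdict(list)
    for ts, src, dst, asset, usd in transfers:
        if src.lower() == hot_wallet and dst.lower() not in allow:
            when = datetime.strptime(ts, "%H:%M:%S")
            by_recipient[dst.lower()].append((when, asset, usd))
    alerts = []
    for dst, rows in by_recipient.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            assets = sorted({a for _, a, _ in span})
            total = sum(u for _, _, u in span)
            if len(assets) >= min_assets and total >= min_usd:
                alerts.append({"recipient": dst, "assets": assets, "usd": total,
                               "first_seen": span[0][0].strftime("%H:%M:%S")})
                break  # one alert per recipient is enough to page someone
    return alerts

if __name__ == "__main__":
    for alert in detect_drains(SAMPLE):
        print(alert)
```

The rule fires on the third distinct asset, which is the point at which an automated pause on hot-wallet withdrawals would still save the remaining balances.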
