How L2 Blockchains Can Do Better to Protect Their Users

Phalcon
March 27, 2024

Why Security is Important for L2

Security is crucial for Layer 2 (L2) blockchains as they gain popularity. With advancements like the Dencun upgrade, gas prices on L2 are decreasing, making them more attractive. Additionally, the introduction of BTC L2 enhances liquidity in the L2 ecosystem, attracting more users.

Unlike Layer 1 (L1) blockchains that serve as a foundational infrastructure for various decentralized applications (Dapps), L2 chains typically focus on a specific type of application, creating a dedicated ecosystem. Therefore, operators of L2 blockchains need to prioritize the security of top Dapps in their ecosystem, as these applications often hold the majority of the Total Value Locked (TVL) on the chain. An attack on these top apps could lead to a collapse of the chain's ecosystem, as users' assets are concentrated in these applications.

The Munchables Incident

An example of the importance of security in L2 is the Munchables security incident on the Blast chain. On March 21 (UTC), a malicious contract was updated, and five days later, on March 26 (UTC), an attacker exploited the upgraded contract to steal around 62 million USD. The total assets at risk were 97 million USD, nearly 4% of the total TVL on the Blast chain. Fortunately, in this case, the attacker returned all the assets, resulting in a happy ending. However, it's important to note that relying on the attacker's goodwill is not a sustainable security strategy.

How L2 Operators Can Do Better

Layer 2 (L2) chains can implement several measures to enhance the security of top protocols and protect users' assets on the chain. Here are some suggestions from our perspective:

  • Establish a Security DAO: A decentralized autonomous organization (DAO) focused on security should be created to involve reputable security companies and community researchers. This would facilitate communication between the chain, decentralized applications (DApps), and the security community, helping protocols find trusted security providers and handle security incidents professionally.

  • Active Attack Monitoring and Automated Responses: Chain operators and the user community should actively monitor for potential hacks and have mechanisms in place to take automatic actions. For example, in the Munchables incident, there was a five-day window before the actual hack occurred. If the chain operator or the Munchables protocol had adopted a solution like BlockSec Phalcon (or similar), the hack could have been prevented.

  • Develop User-Friendly Security Tools: More intuitive security tools should be developed to help the community quickly understand the root cause of a security incident and take appropriate action. These tools could include transaction virtualization tools to understand complex transactions and fund flow tracking tools to trace the hacker's fund movements.

By taking a proactive and responsible approach to security, L2 chain operators can enhance the overall security of their ecosystems and better protect the top protocols and users' assets on the chain.
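The monitoring recommendation above depends on noticing a contract upgrade during the window before it is abused. The following is an added example, not code from BlockSec or Phalcon: it scans `eth_getLogs`-style records for proxy upgrades on watched contracts and alerts when the new implementation is not on a reviewed list. It assumes the watched protocol uses an ERC-1967 proxy that emits `Upgraded(address)` (the post does not say how Munchables was upgraded); the function names and all addresses are constructed placeholders.

```python
# ERC-1967 proxies emit Upgraded(address indexed implementation); topic0 is
# the keccak256 hash of that event signature.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("not a 32-byte padded address topic")
    return "0x" + raw[24:]

def flag_upgrades(logs, watched, reviewed):
    """Alert on upgrades of watched proxies to implementations nobody reviewed."""
    watched = {a.lower() for a in watched}
    reviewed = {a.lower() for a in reviewed}
    alerts = []
    for log in logs:
        topics = log.get("topics") or []
        if not topics or topics[0].lower() != UPGRADED_TOPIC:
            continue                      # some other event
        proxy = log["address"].lower()
        if proxy not in watched:
            continue                      # not a protocol we track
        try:
            impl = topic_to_address(topics[1])
        except (IndexError, ValueError):
            impl = None                   # malformed log: alert rather than skip
        if impl is None or impl not in reviewed:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": int(log["blockNumber"], 16)})
    return alerts

# Constructed sample data (placeholder addresses, not real contracts).
PROXY, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
REVIEWED_IMPL, NEW_IMPL = "0x" + "aa" * 20, "0x" + "bb" * 20
pad = lambda addr: "0x" + "00" * 12 + addr[2:]
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(REVIEWED_IMPL)], "blockNumber": "0x10"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(NEW_IMPL)], "blockNumber": "0x2a"},
    {"address": OTHER, "topics": [UPGRADED_TOPIC, pad(NEW_IMPL)], "blockNumber": "0x2b"},
    {"address": PROXY, "topics": ["0x" + "cd" * 32], "blockNumber": "0x2c"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC], "blockNumber": "0x2d"},
]

if __name__ == "__main__":
    for alert in flag_upgrades(SAMPLE_LOGS, [PROXY], [REVIEWED_IMPL]):
        print(alert)
```

An alert at upgrade time gives reviewers the days between the upgrade and any later abuse to inspect the new implementation and, if needed, pause the protocol.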

BlockSec’s Solution

BlockSec, as a comprehensive security provider, offers various security services and tools to ensure the safety of protocols before and after deployment. These tools and services are widely utilized by the security community to analyze security incidents and trace stolen funds.

BlockSec Phalcon

Phalcon is a platform designed for monitoring hacks and automatically taking actions to block them. With Phalcon, users can receive early security intelligence and automate their responses to hacks. The system features flexible rules and templates for easy configuration, assisting Layer 2 (L2) chains in maintaining vigilance over the security of top protocols and fostering a thriving ecosystem. BlockSec is collaborating with leading L2 chains like Manta and Merlin to bolster the security of their ecosystems.

Figure 1: The official website of Phalcon

Phalcon Explorer

Phalcon Explorer is a transaction virtualization tool that provides detailed information about a transaction, including the invocation flow, storage changes, and transaction simulation. This tool is instrumental in analyzing hacks to understand their root causes. It has become a widely used tool in the security community and is considered the standard for security analysis.

Figure 2: The application of Phalcon Explorer

MetaSleuth

MetaSleuth is a cryptocurrency tracking and investigation platform that traces fund flows between different addresses. Its intelligent analysis and ability to track cross-chain transactions make it an essential tool for conducting investigations.

Figure 3: The official website of MetaSleuth

Act Now to Protect Users' Assets

If you are an operator of an L2 blockchain, contact us ([email protected]) to deploy BlockSec's tools into your chain to enhance the security of your ecosystem, attract more user assets, and protect them effectively.
