In the rapidly evolving world of blockchain, Layer 1 (L1) and Layer 2 (L2) solutions are at the forefront of innovation. But with great power comes great responsibility—which means truly great security. We've had the privilege of working with some of the most exciting disruptors in the L1/L2 space, like Blast, Optimism, Base, Bitcorn, and Berachain. Let's dive into why securing these platforms is crucial and what some of the biggest innovators in the industry are doing right.

### **Why L1/L2 Security Matters**

L1s and L2s aren't just any blockchain projects. They're the backbone of entire ecosystems, often handling millions of users and billions in total value locked (TVL). This makes them prime targets for sophisticated attackers.

The stakes are higher than they’ve ever been. A single vulnerability can be catastrophic, both for the platform and its ecosystem. Consider the [Harmony bridge hack](https://cryptonews.com/news/fbi-says-north-korea-was-behind-100m-harmony-horizon-bridge-hack/), which quickly killed the whole project. In the [Ronin breach](https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit/), poor key management nearly led to massive losses (and if you’re paying attention, same hackers by the way). If you think it won’t happen to you, ask these teams if they thought the same. These preventable hacks show us that robust security measures in L1s and L2s are absolutely mission-critical.

The permissionless nature of these systems means that anyone who spots a vulnerability can potentially exploit it. We've seen this play out in devastating ways. The attackers who [exploited the bug in Flashbot’s cutting-edge relay](https://www.coindesk.com/tech/2024/05/16/how-2-brothers-allegedly-cheated-a-noxious-but-accepted-ethereum-practice-for-25m/) were young MIT grads who identified and exploited a vulnerability. The [Indexed Finance hack](https://decrypt.co/83681/defi-protocol-indexed-finance-hacked-for-16-million-team-finds-hacker) was carried out by a single programmer. And the [Euler hack](https://cointelegraph.com/news/euler-finance-attack-how-it-happened-and-what-can-be-learned) demonstrated how even seemingly secure protocols can be compromised (which could have led them to recently host the largest competition in crypto history with us).

And we hate to break it to you, but these aren't isolated incidents. The notorious Lazarus Group, believed to be linked to North Korea, has been implicated in numerous high-profile crypto hacks. Their activities underscore the fact that even nation-state actors are actively targeting blockchain projects to steal sensitive information.

The real-world consequences of these vulnerabilities are stark. Harmony, for instance, was a rapidly growing chain that saw its future totally derailed by a single hack. These incidents go beyond financial losses, they also erode trust, stunt innovation, and in rare cases, set back the entire industry.

### **Alpha From the Trenches**

We've had the privilege of working with some of the most exciting disruptors in the L1/L2 space, each with its own unique challenges and approaches to security. At the time of this writing, the following projects had a combined TVL of $3.79+ billion with 1.25+ million unique users. We learned something new with each engagement, and were able to tailor our strategy to best serve their vision.

For example, [Blast](https://blast.io/en) needed to launch quickly without compromising on security. Our approach included a comprehensive node and contract review, followed by a [$1.2M code review competition](https://cantina.xyz/competitions/c90131b4-5c7c-4ebc-a1f3-8002d219bfe0). This strategy allowed Blast—already renown for their velocity as a team—to move fast (even for them) while still ensuring a high level of security. The result was something just shy of a miracle, and we were privileged to play an important role in their on-time and safe launch.

[Optimism](https://www.optimism.io/) took a more layered approach to security. They engaged us for [multiple Spearbit reviews](https://github.com/spearbit/portfolio/blob/master/pdfs/OptimismDrippie-Spearbit-Security-Review.pdf), a vCISO consultation, [a Cantina review](https://cantina.xyz/portfolio/c185d7eb-d80b-49d4-8141-44e122c6fee4), and [a code review competition](https://cantina.xyz/competitions/d47f8096-8858-437d-a9f5-2fe85ac9b95e). This thorough strategy gave Optimism a robust security position vetted from multiple angles.

To date, it’s [Base](https://www.base.org/) who has set the new bar with a staggering 19 total engagements, [including multiple reviews](https://github.com/spearbit/portfolio/blob/master/pdfs/Base-Spearbit-Security-Review-August-2024.pdf) and our first "unofficial" Cantina competition. Their commitment to security was locked in by the mere depth and breadth of their approach.

[Berachain](https://www.berachain.com/), a newer player in the space, has also taken a comprehensive approach to securing both their infrastructure and smart contract layers with five ongoing reviews—one targeting their beacon kit for nodes and four targeting their Solidity contracts. Fellow newcomer [Bitcorn](https://bitcorn.com/) also engaged with us on a two-fold vCISO consultation and Spearbit review.

These varied approaches highlight the fact that there's no one-size-fits-all solution in L1/L2 security. Each project must refine its security strategy based on its unique architecture, development stage, and specific challenges.

### **The L1/L2 Security Playbook**

While every project is absolutely unique, our experiences have uncovered some key recurring elements that we feel should be part of every L1/L2 security strategy during development.

 ![L2 Playbook V1.png](https://imagedelivery.net/wtv4_V7VzVsxpAFaxzmpbw/6749bb5e-b513-4237-c335-c6fd4dde6a00/public) 

There's truly no one-size-fits-all approach to security. Your strategy should be as unique as your project, taking into account your specific architecture, use cases, and potential vulnerabilities.

### **Roads? Where We’re Going We Don’t Need Roads**

As L1 and L2 solutions continue to smash the boundaries of what's possible in blockchain, so security must evolve to meet the need. By learning from industry innovators and the success achieved in a custom, layered approach, we can build a more secure future for everyone in the ecosystem.

In the world of L1/L2 security, we're going beyond merely protecting assets—we're safeguarding the future of decentralized technology. And since there is no clear road ahead, our approaches to security must remain adaptable by design. Stay vigilant, stay in-the-know and keep your eyes on the road ahead—with a powerful security strategy, of course.

Want to learn how we can adapt Cantina's security solutions to your protocol's needs? Reach out to our team [here](https://cantina.xyz/contact).

Securing the Future: A Comprehensive Approach to L1/L2 Security