$3.8M drained from Umbrella Network in February 2022 because the attacker understood how on-chain conditions worked better than the protocol's own team did. The exploit wasn't exotic. It was a price manipulation attack made possible by low liquidity — the exact kind of liquidity environment that's normal on L2s and sidechains at launch. The team built for Ethereum mainnet economics. They deployed somewhere with different rules. That gap cost them everything.

This is the central problem with deploying to Polygon, Arbitrum, Optimism, Base, or any other L2/sidechain: the EVM is largely the same, so developers assume the security model is too. It's not. And auditors who don't understand the specific execution environment they're reviewing will miss the issues that matter most.

Here's What Actually Happens When You Deploy to an L2

The EVM compatibility is real. Your Solidity compiles. Your tests pass. Your mainnet fork works fine. What changes is everything underneath — block timing, gas economics, sequencer behavior, bridging trust assumptions, and oracle reliability. These aren't edge cases. They're load-bearing parts of your security model that work differently depending on where you deploy.