Aztec Network has experienced yet another significant exploit after a hacker took advantage of a crucial weakness in the protocol’s emergency withdrawal mechanism. This resulted in the compromise of 1,158 Ethereum [ETH], 150,000 DAI, and 0.4696 renBTC.
In total, roughly $2.21 million was drained from the ‘RollupProcessor’ contract of the Aztec Network. That said, the problem started in the RollupProcessor.escapeHatch() function, which is meant to act as a backup plan that lets users get a refund in case regular rollup operations aren’t working.
However, the function was devoid of a number of important security safeguards. This included rollup provider authorization, owner-only restrictions, and signature verification. In other words, anyone could use the escape hatch pathway.
Hacker attacks Aztec Network
The attacker took advantage of a particular situation where rollupSize was set to zero, which resulted in the TurboVerifier contract of the protocol accepting an escape-hatch proof.
Following validation of the proof, the processDepositsAndWithdrawals() function carried out withdrawals using only the public inputs provided in the proof. This involved the asset identifier (assetId), recipient address (outputOwner), and withdrawal amount (publicOutput).
Importantly, there were no independent checks carried out by the contract to verify that the recipient was legally entitled to the assets or that the withdrawal request matched actual user balances.
Funds drained
Henceforth, the attacker successfully transferred 1,158 ETH, 150,000 DAI, and 0.4696 renBTC to their externally owned address. This was done by creating a convincing proof that looked legitimate and contained made-up public inputs (0x6952….8e97f).
The exploit basically resulted from a risky combination of the protocol’s excessive reliance on proof data without independently verifying ownership or balances and the absence of access controls.
As a result, even though the attacker presented what seemed to be a cryptographically valid proof, they were able to misuse the emergency withdrawal path to steal millions of dollars from the ‘RollupProcessor’.
What happened three days ago?
In fact, just three days ago, Aztec Network’s router contract lost $2.19 million due to a suspicious transaction that was found on the Ethereum blockchain.
In reality, funds from the protocol’s Router contract were utilized to complete the transaction by the wallet address “0x0f18….edd17.”
Nonetheless, there were hints that the protocol’s management of proof data in the smart contract validation procedure was deficient.
All in all, in 2026, the total hack value has reached $812.15 million thus far, with April having the highest value at $634.85 million.
Final Summary
- The Aztec Network experienced another attack in three days due to a problem originating in the RollupProcessor.escapeHatch() function.
- The wrongdoer successfully transferred 1,158 ETH, 150,000 DAI, and 0.4696 renBTC to their externally owned address.