BlockSec Phalcon released an updated analysis of an Aztec vulnerability, attributing the root cause to how RollupProcessorV3 handled transaction binding rather than missing access control. According to Foresight News, the issue stemmed from numRealTxs not being effectively bound to the transaction set enforced by the ZK proof.
BlockSec said the proof verification path decoded all transactions in encodedInnerTxData and inserted them into the rollup Merkle tree, while the Layer 1 settlement logic processed only the first numRealTxs decoded slots. An attacker exploited this mismatch by placing real deposit transactions in later slots and setting numRealTxs to a smaller value, bypassing checks such as decreasePendingDepositBalance().
The analysis said this allowed the attacker to create unbacked asset balances and withdraw them through the standard withdrawal process. The attacker reportedly created unbacked balances across multiple assets in a single transaction before withdrawing.
BlockSec also noted that although Aztec Connect stopped operating on 2024-03-31, the RollupProcessorV3 contract still underwent an upgrade on 4-10 without an external audit.
BlockSec Phalcon Details Aztec Vulnerability Tied to RollupProcessorV3 Transaction Binding
2026-06-15 05:12:52
Disclaimer:
1. The information provided does not constitute investment advice. Investors should make independent decisions and bear all risks themselves.
2. The copyright of this content belongs to the original author. The views expressed herein are solely those of the author and do not represent the stance or position of this website.
Previous article:
地缘政治 | 霍尔木兹海峡已实质关闭逾三个月
