SlowMist: Aztec Connect contract loses $2.19 million to ZK-Rollup L1/L2 state boundary vulnerability


ForesightNews, 2026/06/15 15:34

Foresight News reports that, according to SlowMist's analysis, Aztec Connect's abandoned contract was attacked on June 14, resulting in a loss of approximately 2.19 million US dollars. The root cause was a boundary gap between the range traversed by the L1 settlement loop in the RollupProcessorV3 contract and the range committed to by the ZK public input hash. The attacker exploited the gap between numRealTxs and decoded_slots, which allowed 31 empty slots to be submitted to the L2 state root through a ZK proof, bypassing verification at the L1 contract layer. This enabled arbitrary asset minting on L2 and withdrawal to L1.


The entire attack was completed in a single atomic transaction and took place in two phases: 7 minting operations and 7 withdrawal operations, stealing various assets including DAI, wstETH, ETH, and others. Currently, all stolen funds remain at the attacker's address and have not yet been moved. Although Aztec Connect was abandoned in March 2024, the contract is immutable and still holds users' legacy assets.
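
A toy Python model of the range mismatch behind the root cause described above, with one settlement-side invariant that closes such a gap. It is an added illustration, not SlowMist's analysis code or the RollupProcessorV3 logic. The slot width, the all-zero padding encoding, the SHA-256 commitment and every function name are assumptions; only `numRealTxs` and `decoded_slots` are terms from the report.

```python
import hashlib
from dataclasses import dataclass

SLOT_SIZE = 32               # assumed slot width in bytes (toy value)
PADDING = bytes(SLOT_SIZE)   # assumed encoding of an empty slot: all zeros

@dataclass
class Batch:
    num_real_txs: int        # count the L1 loop trusts (numRealTxs)
    slots: list              # every slot decoded from the batch (decoded_slots)

def l1_view(batch):
    """Slots the L1 settlement loop actually inspects."""
    return batch.slots[:max(batch.num_real_txs, 0)]

def public_input_hash(batch):
    """Commitment over ALL decoded slots, as the proof's public input would be."""
    return hashlib.sha256(b"".join(batch.slots)).hexdigest()

def uncovered_slots(batch):
    """Indices committed by the hash, skipped by the L1 loop, and not padding."""
    start = max(batch.num_real_txs, 0)
    return [i for i in range(start, len(batch.slots)) if batch.slots[i] != PADDING]

def check_batch(batch):
    """Invariant: everything the proof commits to is either settled on L1 or empty."""
    if not 0 <= batch.num_real_txs <= len(batch.slots):
        return False, "numRealTxs outside decoded slot range"
    if any(len(s) != SLOT_SIZE for s in batch.slots):
        return False, "malformed slot"
    gap = uncovered_slots(batch)
    if gap:
        return False, f"slots {gap} committed but never checked on L1"
    return True, "ok"

# Constructed sample data: four slots, one real transaction in slot 0.
TX = b"\x01" * SLOT_SIZE
HONEST = Batch(1, [TX, PADDING, PADDING, PADDING])
MISMATCH = Batch(1, [TX, PADDING, b"\x02" * SLOT_SIZE, PADDING])

if __name__ == "__main__":
    for name, b in (("honest", HONEST), ("mismatch", MISMATCH)):
        print(name, check_batch(b), public_input_hash(b)[:16])
```

Both sample batches look identical to the L1 loop yet produce different commitments, which is the condition the invariant rejects.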
