Aztec Connect $2.19M ZK-rollup theft: settlement-boundary bypass causes state mismatch between L1 and L2
On 14 June 2026, a deprecated Aztec Connect RollupProcessor contract was exploited through a ZK-rollup settlement boundary bypass. The attacker created a gap between numRealTxs and decoded_slots, so it could commit 31 out of 32 ZK public-input slots without L1 settlement verification.
Aztec Connect RollupProcessorV3 relies on the assumption that each public-input slot must either be verified at the L1 layer or be constrained by the ZK circuit (publicValue == 0). The reported bug breaks this logic because it makes the L1 settlement loop process fewer slots than the ZK proof commitment range, opening the door to "unsupported" minting on L2.
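The invariant described above, written as a check an auditor or monitor could run over decoded rollup data. This is an added example, not Aztec's contract code: `Slot`, `BoundaryMismatch`, `SLOTS_PER_ROLLUP` and the function names are assumptions made for illustration, only `numRealTxs` and `publicValue` come from the article, and the sample data is constructed.

```python
from dataclasses import dataclass

SLOTS_PER_ROLLUP = 32  # slot count taken from the article ("31 out of 32")

@dataclass(frozen=True)
class Slot:
    """Simplified public-input slot; only publicValue comes from the article."""
    index: int
    public_value: int  # publicValue the ZK proof commits to for this slot

class BoundaryMismatch(Exception):
    """Proof commits to value-bearing slots that L1 settlement never visits."""

def unsettled_value_slots(slots, num_real_txs):
    """Indexes of slots outside the L1 settlement loop with publicValue != 0."""
    if not 0 <= num_real_txs <= len(slots):
        raise ValueError("numRealTxs outside the decoded slot range")
    # The L1 loop only visits slots[0:num_real_txs]. Everything after that is
    # treated as padding, which is safe only when publicValue == 0.
    return [s.index for s in slots[num_real_txs:] if s.public_value != 0]

def check_settlement_boundary(slots, num_real_txs):
    """Enforce: every slot is either settled on L1 or has publicValue == 0."""
    bad = unsettled_value_slots(slots, num_real_txs)
    if bad:
        raise BoundaryMismatch(
            f"{len(bad)} of {len(slots)} slots carry value but are not "
            f"settled on L1: {bad}"
        )
    return True

# Constructed sample data (not taken from the exploit transaction).
# HONEST: three real transactions, the remaining slots are zero padding.
HONEST = [Slot(i, 10 if i < 3 else 0) for i in range(SLOTS_PER_ROLLUP)]
# MISMATCHED: every slot carries value, but numRealTxs will claim only one.
MISMATCHED = [Slot(i, 10) for i in range(SLOTS_PER_ROLLUP)]

if __name__ == "__main__":
    print(check_settlement_boundary(HONEST, 3))
    try:
        check_settlement_boundary(MISMATCHED, 1)
    except BoundaryMismatch as exc:
        print("rejected:", exc)
```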
Attack details (single atomic transaction):
- Attacker EOA: 0x0f18d8b44a740272f0be4d08338d2b165b7edd17
- Exploit tx: 0x074ec931…aee1
- Mint phase: 7 processRollup calls (Rollup #13277–13283) create inflated L2 balances.
- Withdrawal phase: 7 processRollup calls (Rollup #13284–13290) cash out those inflated L2 balances back to L1 assets.
- Reported net theft: about $2.19 million from the RollupProcessor’s L1 pool.
Reported cash-out assets include DAI (270,513.054), wstETH (167.890), yvDAI (4,873.857), yvWETH (16.570), LUSD (9,273.734), yvLUSD (359.047), and ETH (908.987).
Tracing: as of 2026-06-15, all stolen funds have been transferred to the attacker EOA and remain intact; the intermediate contract has no funds left.
For traders, this is a reminder that ZK-rollup security depends on strict L1/L2 boundary consistency. Aztec Connect-related risk may make people look more closely at rollup settlement logic and old contract exposure.
Neutral
This report points to one very specific ZK-rollup settlement-boundary logic flaw that led to roughly $2.19M being stolen, but it does not mean there is a wide, systemic failure across the whole market. The most direct market relevance is how people will price risk around rollup settlement verification and the exposure that sits in legacy contracts.
In the short term, incidents like this usually hit sentiment for the affected ecosystem (traders may reduce exposure to related rollup/layer-2 stories until they confirm that the issue has been fixed). Similar past patterns, where state-derivation or boundary-check bugs caused "proof verified but settlement not validated", tend to cause temporary volatility for L2-related tokens and for on-chain activity metrics.
In the long term, the clearer takeaway for traders is that security reviews focused on L1/L2 boundary consistency, calldata decoding trust boundaries, and independent verification of ZK public inputs may become a selection filter. That may support a better rebound for well-audited systems, while still leaving a reputational overhang for projects that have deprecated or legacy holdings.
Overall, because the event is localized to one specific contract and does not automatically imply wider rollup protocol-level consensus risk, the expected market impact is better classified as neutral rather than broadly bullish or bearish.