Privacy coin Aztec's smart contract was hacked, resulting in a theft of $2.19 million! SlowMist reveals the "settlement bypass" vulnerability
A zero-knowledge (ZK) privacy network has suffered another security breach. According to the well-known blockchain security team SlowMist, a deprecated Aztec Connect RollupProcessor contract was recently hacked. The attacker exploited a "settlement boundary bypass" vulnerability to create a state discrepancy and stole up to $2.19 million in assets from the protocol.
SlowMist, one of the world's largest blockchain security agencies, released a detailed technical analysis report today (15th, Taipei time). The report states that a deprecated Aztec Connect RollupProcessor smart contract belonging to the Aztec privacy network was recently compromised. Using precisely crafted operations, the attacker bypassed the system's settlement boundary, causing a serious state discrepancy between Layer 1 (L1) and Layer 2 (L2), and used it to steal approximately $2.19 million worth of crypto assets from the protocol.
Abuse of Parameter Mismatch! Creating L1/L2 "Dual-Path State Discrepancy"
SlowMist's latest report reconstructs the full execution of this atomic attack. The root cause is that the attacker exploited a mismatch between two key parameters in the system: numRealTxs and decoded_slots. Through this gap, the attacker was able to submit forged deposit proofs via ZK (zero-knowledge proof) while making those deposits "invisible" to the L1 settlement verification process, creating a "dual-path state divergence model" and draining the protocol's funds.
Security Expert Criticizes: Settlement Boundaries Must Be Strictly Aligned with ZK
This technical report is a security wake-up call for rollup development teams worldwide. SlowMist emphasizes that the case highlights a crucial principle of rollup system security: settlement boundaries must always be strictly aligned with the commitment scope of the ZK public inputs. Otherwise, even the most powerful mathematical proofs are ineffective.
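The alignment principle can be expressed as a check on each batch before settlement. The following is an added example, not code from SlowMist's report or from Aztec: a simplified toy model in which the proof is assumed to commit to every decoded slot while settlement iterates only over a separate count. Apart from the names numRealTxs and decoded_slots, every name, the padding encoding and the sample batches are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

PADDING = b"\x00" * 32  # assumed encoding of an empty (padding) slot


@dataclass
class Batch:
    num_real_txs: int    # count the settlement loop iterates over (numRealTxs)
    decoded_slots: list  # every slot decoded from the proof data (decoded_slots)


def public_input_commitment(batch):
    """Model assumption: the proof commits to all decoded slots, not to the count."""
    h = hashlib.sha256()
    for slot in batch.decoded_slots:
        h.update(slot)
    return h.hexdigest()


def unsettled_committed_slots(batch):
    """Indices of non-padding slots the proof covers but settlement never visits."""
    return [i for i, slot in enumerate(batch.decoded_slots)
            if i >= batch.num_real_txs and slot != PADDING]


def validate_boundary(batch):
    """Reject a batch whose settlement boundary differs from the committed scope."""
    if not 0 <= batch.num_real_txs <= len(batch.decoded_slots):
        raise ValueError("numRealTxs is outside the decoded slot range")
    hidden = unsettled_committed_slots(batch)
    if hidden:
        raise ValueError(f"slots {hidden} are proven but not settled")
    return True


def sample_tx(label):
    """Constructed 32-byte stand-in for an encoded transaction."""
    return hashlib.sha256(label.encode()).digest()


# Constructed batches: same slots, different settlement counts.
ALIGNED = Batch(2, [sample_tx("a"), sample_tx("b"), PADDING, PADDING])
MISALIGNED = Batch(1, [sample_tx("a"), sample_tx("b"), PADDING, PADDING])
```

Both batches produce the same commitment in this model, which is why the count has to be checked against the slots (or bound into the public inputs) rather than trusted on its own.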
This serious security incident has also sparked lively discussion within the blockchain security community. Some industry experts later commented critically on social media that "ZK proofs can't save broken architectures." It has emerged that the well-known crypto protection platform CoinStats had previously flagged and warned about security risks at this settlement boundary, but the warning was overlooked. SlowMist's anti-money laundering system is continuing to track the latest on-chain flow of funds.