Deprecated Aztec Connect RollupProcessorV3 contract drained via ZK-rollup settlement boundary mismatch
On June 14, 2026, an attacker exploited the deprecated Aztec Connect RollupProcessorV3 contract (0xFF1F2B4ADb9dF6FC8eAFecDcbF96A2B351680455) in a single atomic transaction. The attacker constructed a boundary gap between numRealTxs and decoded_slots in the processRollup() function. The ZK proof verification path decoded every transaction in a batch and committed it to the rollup's record, while the Layer 1 settlement path only processed a subset set by numRealTxs. The attacker crafted a rollup that placed legitimate-looking deposit slots late in the batch while keeping numRealTxs artificially low, allowing the contract to credit balances that were never backed by real deposits, then withdrew them. The attack used 14 batched rollup IDs (13277-13290) in a single transaction, extracting approximately $2.19 million in assets. Aztec Connect had been deprecated in March 2023 and the contracts were fully immutable with no admin keys.
The attacker funded a fresh Ethereum wallet (0x0F18D8b44a740272f0be4d08338d2b165b7EdD17) through Tornado Cash, then deployed helper contracts minutes before the attack. The final helper contract (0x06f585F74e0DA633Ae813A0f23Fb9900B61d0fcD) executed the drain. All assets were transferred from the RollupProcessor to the attacker's EOA within a single transaction. As of June 15, 2026, 100% of stolen funds remained intact at the attacker's EOA and had not yet begun to be laundered. A second attack on June 1 extracted an additional ~$88K in residual value from rollup IDs 13291-13304.
0x074ec9317d8336db37e8c348fbdd7515573ff4088239c77ab429f522509aeeb1