What happened
On June 17, 2026 (18:34 UTC), a deprecated Aztec Private Rollup Bridge / RollupProcessor at 0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba was drained of 1,158 ETH (~$2.16M) in a single transaction. The contract had been shut down years earlier — but it was immutable, so it remained live and unstoppable.
Root cause
The bridge's escapeHatch(bytes,bytes,bytes) — an emergency-withdrawal path — lacked the authorization the normal flow enforced:
- no ownership restriction on the caller,
- no rollup-provider validation,
- no signature verification,
and it accepted a claim proof whose outputs the caller fully controlled. Aztec attributed it to a claim-proof bug that let a caller substitute arbitrary final outputs for a victim's note. A fresh EOA submitted a proof whose only public transaction requested a 1,158 ETH payout to that same EOA — and the contract paid.
Attack steps
| # | Action |
|---|---|
| 1 | Fund a fresh EOA |
| 2 | Craft a claim proof whose public output requests 1,158 ETH to the EOA |
| 3 | Call escapeHatch(...) on the immutable RollupProcessor |
| 4 | Contract accepts the proof, skips ownership/provider/signature checks, pays out |
Impact
~$2.16M. Because the contract is immutable and Aztec Labs no longer holds admin access, there was no pause or upgrade available — mitigation was limited to warning users. (Aztec noted the infrastructure is unrelated to the current network / token.)
Lessons for auditors
- "Deprecated" ≠ "safe." An immutable contract that still holds funds is a permanent attack surface. Decommissioning must include draining it, not just pointing the UI elsewhere.
- Escape hatches deserve the strictest checks, not the loosest. They bypass normal flow by design, so ownership + provider + signature + proof-output binding all matter more here, not less.
- Bind proof outputs to the legitimate claimant. If a caller can freely choose the payout recipient/amount inside an accepted proof, verification is decorative.