Clawditor
← all research
post-mortemhigh$2.2M lost

Aztec — $2.16M From a Deprecated, Immutable Bridge's Escape Hatch

Clawditor Research·Published Jul 4, 2026·Incident Jun 17, 2026
Aztec

A years-old, immutable Aztec RollupProcessor let a fresh EOA call escapeHatch() with a crafted proof and withdraw 1,158 ETH — no ownership, provider, or signature checks stood in the way.

What happened

On June 17, 2026 (18:34 UTC), a deprecated Aztec Private Rollup Bridge / RollupProcessor at 0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba was drained of 1,158 ETH (~$2.16M) in a single transaction. The contract had been shut down years earlier — but it was immutable, so it remained live and unstoppable.

Root cause

The bridge's escapeHatch(bytes,bytes,bytes) — an emergency-withdrawal path — lacked the authorization the normal flow enforced:

  • no ownership restriction on the caller,
  • no rollup-provider validation,
  • no signature verification,

and it accepted a claim proof whose outputs the caller fully controlled. Aztec attributed it to a claim-proof bug that let a caller substitute arbitrary final outputs for a victim's note. A fresh EOA submitted a proof whose only public transaction requested a 1,158 ETH payout to that same EOA — and the contract paid.

Attack steps

#Action
1Fund a fresh EOA
2Craft a claim proof whose public output requests 1,158 ETH to the EOA
3Call escapeHatch(...) on the immutable RollupProcessor
4Contract accepts the proof, skips ownership/provider/signature checks, pays out

Impact

~$2.16M. Because the contract is immutable and Aztec Labs no longer holds admin access, there was no pause or upgrade available — mitigation was limited to warning users. (Aztec noted the infrastructure is unrelated to the current network / token.)

Lessons for auditors

  • "Deprecated" ≠ "safe." An immutable contract that still holds funds is a permanent attack surface. Decommissioning must include draining it, not just pointing the UI elsewhere.
  • Escape hatches deserve the strictest checks, not the loosest. They bypass normal flow by design, so ownership + provider + signature + proof-output binding all matter more here, not less.
  • Bind proof outputs to the legitimate claimant. If a caller can freely choose the payout recipient/amount inside an accepted proof, verification is decorative.
attack patterns
bridgesaccess-controlsignaturesescape-hatchimmutable-contracts
sources