Aztec Network Attacked, Losses Exceed $2.15 Million; Root Cause is a Mismatch Between ZK Proof and L1 Settlement Boundaries

According to analysis by BlockSec Phalcon (@Phalcon_xyz), Aztec Network's RollupProcessorV3 contract was attacked, resulting in losses exceeding $2.15 million. The root cause is that `numRealTxs` was not effectively bound to the transaction set enforced by the ZK proof, causing a deviation between the proof verification path and the L1 settlement logic's interpretation of the transaction list.

The attacker exploited this vulnerability to move real deposits to slots not processed by the settlement logic, bypassing the `decreasePendingDepositBalance()` function. By creating unbacked private balances out of thin air, they were able to withdraw funds through the normal settlement process. A total of seven assets were involved.