Aztec Network Suffers Attack Resulting in Over $2.15 Million in Losses, Root Cause Identified as a Mismatch Between ZK Proof and L1 Settlement Boundaries

According to an analysis by BlockSec Phalcon (@Phalcon_xyz), the Aztec Network's RollupProcessorV3 contract was attacked, resulting in losses exceeding $2.15 million. The root cause is that `numRealTxs` was not effectively bound to the transaction set enforced by the ZK proof, causing a discrepancy between the proof verification path and the L1 settlement logic's interpretation of the transaction list.

The attacker exploited this vulnerability to move legitimate deposits to slots not processed by the settlement logic, bypassing the `decreasePendingDepositBalance()` function. They then created unbacked private balances from scratch and withdrew them through the normal settlement process, involving a total of seven assets.