The Router contract of Aztec Network recently experienced suspicious transactions on Ethereum, resulting in the loss of approximately $2.19 million in assets. On-chain records show that the related operations directly accessed funds from the protocol contract, prompting immediate attention from security firms.
The issue points to proofData verification
Security firm CertiK stated that this transaction exhibited clear anomalous characteristics. Preliminary analysis suggests the attacker may have exploited a validation gap in the smart contract to gain unauthorized access to the protocol’s funds or alter the contract’s execution logic to transfer assets.
Based on public analysis, the issue may lie in the computeRootHashes() function. This function is responsible for validating the provided _proofData, but the verification scope appears to cover only the first half of this data.
Intermediate data is used to execute transfers
During execution, processDepositsAndWithdrawals() then goes on to read the middle portion of the same _proofData to process the token transfers for deposits and withdrawals.
This means an attacker could construct malicious proof data whose front portion passes validation while tampered withdrawal or transfer instructions sit in the partially unverified middle section. As a result, the contract executes content that differs from what was actually validated, leading to unauthorized transfers.
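The mismatch described above, modeled in Python as an added example that is not taken from the Aztec contract: a SHA-256 commitment stands in for proof verification, and the byte layout, function names and values are all constructed for illustration. It compares a check that covers only the front of the data with one that covers every byte the executor later reads.

```python
import hashlib

# Constructed toy layout (not Aztec's real _proofData format):
#   bytes  0..31  header
#   bytes 32..63  transfer record: 20-byte recipient + 12-byte big-endian amount
HEADER_LEN, RECORD_LEN = 32, 32

def build(header: bytes, recipient: bytes, amount: int) -> bytes:
    return header + recipient + amount.to_bytes(12, "big")

def commit_partial(data: bytes) -> bytes:
    """Flawed: binds only the front of the data."""
    return hashlib.sha256(data[:HEADER_LEN]).digest()

def commit_full(data: bytes) -> bytes:
    """Hardened: fixes the length and binds every byte the executor reads."""
    if len(data) != HEADER_LEN + RECORD_LEN:
        raise ValueError("unexpected proof data length")
    return hashlib.sha256(data).digest()

def process(data: bytes, expected: bytes, commit):
    """Verify, then execute the transfer record from the middle of the data."""
    if commit(data) != expected:
        raise ValueError("proof rejected")
    record = data[HEADER_LEN:HEADER_LEN + RECORD_LEN]
    return record[:20], int.from_bytes(record[20:], "big")

def demo() -> dict:
    header = b"\x01" * HEADER_LEN
    honest = build(header, b"\xaa" * 20, 100)
    tampered = build(header, b"\xbb" * 20, 10**6)  # same header, new record
    outcome = {}
    for name, commit in (("partial", commit_partial), ("full", commit_full)):
        expected = commit(honest)  # value the honest proof was checked against
        try:
            outcome[name] = process(tampered, expected, commit)
        except ValueError:
            outcome[name] = None  # tampered data rejected before execution
    return outcome

if __name__ == "__main__":
    print(demo())
```

With the partial check the tampered record is executed; with the full check the same input is rejected before any transfer is parsed.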
Recent security incidents have occurred in succession
Prior to and following this incident, the DeFi space experienced a series of security breaches. Raydium previously disclosed that a coding error in its legacy AMM V3 program resulted in combined losses of approximately $1.34 million across five liquidity pools.
In a separate governance takeover attack, approximately $1.5 million in Ethereum was stolen from a Balancer liquidity pool. Recently, Alephium’s TokenBridge was also exploited, with attackers using a compromised guardian key to forge VAA messages and transfer approximately $815,000 within seven minutes.

Additional information: Data from DeFiLlama shows that the total amount stolen on-chain over the past 30 days has reached $81.73 million; cumulative losses since the beginning of 2026 amount to approximately $634.85 million, with April being one of the months with the highest losses this year.

