🚨SlowMist TI Alert🚨
@aztecnetwork has been exploited again.
💸 Loss: 1,158 ETH+150,000 DAI+0.4696 renBTC (~$2,209,704.23 USD)
🔍 Root Cause: The `RollupProcessor.escapeHatch()` function (`0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`) lacks access control: no `onlyOwner`, no `rollupProviders` authorization, and no provider signature verification. When `rollupSize == 0`, the TurboVerifier accepts an escape hatch proof, and `processDepositsAndWithdrawals()` directly trusts the `proofData` public inputs (`publicOutput`, `outputOwner`, `assetId`) without independent validation of fund ownership or withdrawal balance, executing `withdraw(1158 ETH, attacker, 0)`.
📌 Attacker EOA: `0x6952d9246e9afe8b887b2877225163436f78e97f`
📌 Victim Contract: `RollupProcessor` at `0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`
📌 Verifier Contract: `TurboVerifier` at `0x48cb7ba00d087541dc8e2b3738f80fdd1fee8ce8`
Impact: Attacker drained 1,158 ETH from the `RollupProcessor` by submitting a valid escape hatch proof with spoofed public inputs, exploiting validation in the escape hatch withdrawal path.
Powered by #
SlowMist#.AI