
SlowMist (@SlowMist_Team) “🚨SlowMist TI Alert🚨 @aztecnetwork has been exploited again. 💸 Loss: 1,158 ETH” — TopicDigg

SlowMist
@SlowMist_Team
SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
Joined April 2018
406 Following · 88.7K Followers
🚨SlowMist TI Alert🚨 @aztecnetwork has been exploited again.

💸 Loss: 1,158 ETH + 150,000 DAI + 0.4696 renBTC (~$2,209,704.23 USD)

🔍 Root Cause: The `RollupProcessor.escapeHatch()` function (`0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`) lacks access control: no `onlyOwner`, no `rollupProviders` authorization, and no provider signature verification. When `rollupSize == 0`, the TurboVerifier accepts an escape hatch proof, and `processDepositsAndWithdrawals()` directly trusts the `proofData` public inputs (`publicOutput`, `outputOwner`, `assetId`) without independent validation of fund ownership or withdrawal balance, executing `withdraw(1158 ETH, attacker, 0)`.

📌 Attacker EOA: `0x6952d9246e9afe8b887b2877225163436f78e97f`
📌 Victim Contract: `RollupProcessor` at `0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`
📌 Verifier Contract: `TurboVerifier` at `0x48cb7ba00d087541dc8e2b3738f80fdd1fee8ce8`

Impact: Attacker drained 1,158 ETH from the `RollupProcessor` by submitting a valid escape hatch proof with spoofed public inputs, exploiting validation in the escape hatch withdrawal path.

Powered by #SlowMist#.AI
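To make the root cause concrete, here is an added Solidity sketch (not Aztec's code and not from SlowMist) that places the weak escape-hatch pattern the alert describes next to a hardened variant. The `IVerifier` interface, the `deposited` bookkeeping mapping, and decoding `proofData` as `(uint256, address)` are simplifying assumptions standing in for the real proof layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified sketch for illustration only (assumed interface, not Aztec's).
// The verifier checks a proof whose public inputs carry the withdrawal fields.
interface IVerifier {
    function verify(bytes calldata proofData, uint256 rollupSize) external view returns (bool);
}

contract EscapeHatchSketch {
    IVerifier public immutable verifier;
    address public owner;
    mapping(address => bool) public rollupProviders;
    // Assumed bookkeeping: balances recorded at deposit time.
    mapping(address => uint256) public deposited;

    constructor(IVerifier v) { verifier = v; owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyRollupProvider() { require(rollupProviders[msg.sender], "not provider"); _; }

    function setRollupProvider(address p, bool ok) external onlyOwner { rollupProviders[p] = ok; }

    function deposit() external payable { deposited[msg.sender] += msg.value; }

    // WEAK pattern from the alert: no caller restriction, and the recipient
    // and amount are taken straight from the proof's public inputs.
    function escapeHatchWeak(bytes calldata proofData) external {
        require(verifier.verify(proofData, 0), "bad proof");
        (uint256 publicOutput, address outputOwner) = abi.decode(proofData, (uint256, address));
        payable(outputOwner).transfer(publicOutput);
    }

    // HARDENED pattern (illustrative): only an authorized provider may call,
    // and the withdrawal is checked against recorded ownership and balance
    // before funds move. The balance is debited before the external call.
    function escapeHatchHardened(bytes calldata proofData) external onlyRollupProvider {
        require(verifier.verify(proofData, 0), "bad proof");
        (uint256 publicOutput, address outputOwner) = abi.decode(proofData, (uint256, address));
        require(deposited[outputOwner] >= publicOutput, "exceeds recorded balance");
        deposited[outputOwner] -= publicOutput;
        (bool ok, ) = outputOwner.call{value: publicOutput}("");
        require(ok, "transfer failed");
    }
}
```

A proof being valid only establishes that the public inputs are well-formed for the circuit; it says nothing about whether the contract's own ledger authorizes that withdrawal, which is why the hardened path checks `deposited` independently.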