A tiny validation flaw, a $2.19M drain – What went wrong at Aztec Network?

The Router contract of Aztec Network is in the news after being the subject of a suspicious transaction that was discovered on the Ethereum [ETH] blockchain. This led to the loss of assets valued at about $2.19 million. In fact, the wallet address “0x0f18….edd17” used money from the protocol’s Router contract to carry out the transaction. The attack was suspicious According to CertiK, the attack was “suspicious” because the attacker might have taken advantage of a weakness in the smart contract, obtained unauthorized access to protocol funds, or altered the logic of the contract to siphon off assets. A possible smart contract validation flaw However, some cues did suggest that the protocol’s handling of proof data was flawed in the smart contract validation process. The problem specifically seemed to be with the function computeRootHashes(), which oversaw confirming the legitimacy of the supplied _proofData but only examined the first part of it. Nevertheless, the middle portion of the same _proofData payload contained the data that processDepositsAndWithdrawals() subsequently used to carry out token transfers. Therefore, an attacker might have created a malicious proof in which the unverified middle section contained manipulated deposit or withdrawal instructions, while the verified portion remained valid and passed the protocol’s security checks. For its part, the contract ended up carrying out unauthorized token transfers as a result of those instructions not being properly authenticated before processing. Simply put, there appeared to be a discrepancy between what was verified and what was actually executed. More such incidents The timing here is interesting because Raydium also found a coding error in its old AMM V3 program that caused $1.34 million worth of cryptocurrencies to be stolen from five pools. Meanwhile, another governance takeover attack saw an exploiter steal about $1.5 million in Ethereum from a Balancer liquidity pool. A new exploit that targeted Ethereum’s Alephium TokenBridge was also found recently. In this exploit, $815,000 was drained in seven minutes using three of the four compromised guardian keys that signed forged VAAs (Verified Action Approvals). Similarly, according to an independent Quantstamp investigation, Humanity Protocol linked a targeted phishing attack against one of its directors to the attacker’s acquisition of administrative credentials, upgrades to contracts, transfers of Ethereum tokens, and creation of new H tokens on the BNB Chain. Overall, the Total Value Hacked (USD) has now reached $81.73 million in 30 days, according to DeFiLlama data. With $634.85 million lost in 2026 alone, April has seen the highest value drained so far. Source: DeFiLlama Final Summary The flaw seems to have been caused by _proofData’s incomplete verification. The episode is the most recent in a string of DeFi security lapses.