Aztec Network’s router contract is in the news after being the subject of a suspicious transaction discovered on the Ethereum (ETH) blockchain. This resulted in the loss of assets valued at approximately $2.19 million.
The wallet address “0x0f18….edd17” drew funds from the protocol’s router contract to complete the transaction.


According to CertiK, the attack was “suspicious” because the attacker could have taken advantage of a weakness in the smart contract, gained unauthorized access to protocol funds, or modified contract logic to siphon assets.
A possible smart contract validation flaw
However, there are indications that the protocol’s handling of proof data was flawed in the smart contract validation process. The problem appears to stem specifically from the function calculateRootHashes(), which was responsible for confirming the legitimacy of the supplied _proofData but examined only the first part of it.
However, the middle part of the same _proofData payload contained the data that processDepositsAndWithdrawals() then used to perform token transfers.
Therefore, an attacker could have created a malicious proof in which the unverified middle section contained manipulated deposit or withdrawal instructions, while the verified part remained valid and passed the protocol’s security checks.
In turn, the contract ended up making unauthorized token transfers because these instructions were not properly authenticated before processing. Simply put, there appears to be a gap between what was verified and what was actually executed.
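The gap between what is verified and what is executed, as an added Python model that is not Aztec's contract code. The byte layout, the SHA-256 commitment standing in for proof verification, and the names process_flawed and process_hardened are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout (an assumption, not the real _proofData encoding):
#   header: 32 bytes | count: uint16 | count * (recipient: 20 bytes, amount: uint64)
HEADER_LEN = 32
ENTRY = struct.Struct(">20sQ")

def commit(data: bytes) -> bytes:
    """SHA-256 commitment; stands in for the proof system's validity check."""
    return hashlib.sha256(data).digest()

def build(header: bytes, transfers) -> bytes:
    """Serialize a payload in the constructed layout."""
    assert len(header) == HEADER_LEN
    body = struct.pack(">H", len(transfers))
    return header + body + b"".join(ENTRY.pack(r, a) for r, a in transfers)

def parse_transfers(proof_data: bytes):
    """Decode the transfer section, rejecting truncated or padded payloads."""
    if len(proof_data) < HEADER_LEN + 2:
        raise ValueError("payload too short")
    (count,) = struct.unpack_from(">H", proof_data, HEADER_LEN)
    start = HEADER_LEN + 2
    if len(proof_data) != start + count * ENTRY.size:
        raise ValueError("length does not match transfer count")
    return [ENTRY.unpack_from(proof_data, start + i * ENTRY.size) for i in range(count)]

def process_flawed(proof_data: bytes, expected: bytes):
    """Checks only the header, then acts on bytes the check never covered."""
    if not hmac.compare_digest(commit(proof_data[:HEADER_LEN]), expected):
        raise ValueError("invalid proof")
    return parse_transfers(proof_data)

def process_hardened(proof_data: bytes, expected: bytes):
    """Checks every byte that is later interpreted as an instruction."""
    if not hmac.compare_digest(commit(proof_data), expected):
        raise ValueError("invalid proof")
    return parse_transfers(proof_data)

# Constructed sample: same header, different transfer section.
HEADER = bytes(32)
HONEST = build(HEADER, [(b"\xaa" * 20, 5)])
TAMPERED = build(HEADER, [(b"\xbb" * 20, 10**6)])
```

With a header-only commitment, process_flawed returns the transfers from both HONEST and TAMPERED; process_hardened accepts only the payload whose full bytes match the commitment.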
Other incidents of this type
The timing here is interesting because Raydium also found a coding error in its old AMM V3 program that caused $1.34 million worth of cryptocurrencies to be stolen from five pools.
Meanwhile, another governance takeover attack saw an exploiter steal around $1.5 million in Ethereum from a Balancer liquidity pool.
A new exploit targeting Ethereum’s Alephium TokenBridge was also discovered recently. In this exploit, $815,000 was drained in seven minutes using three of four compromised guardian keys that signed fake VAAs (Verified Action Approvals).
Similarly, according to an independent investigation by Quantstamp, Humanity Protocol linked a targeted phishing attack against one of its principals to the attacker’s acquisition of administrative credentials, contract upgrades, transfers of Ethereum tokens, and the creation of new H tokens on the BNB chain.
Overall, the total value hacked (USD) has now reached $81.73 million in 30 days, according to data from DeFiLlama. With $634.85 million lost in 2026 alone, April saw the highest value drained so far.


Final summary
- The flaw appears to have been caused by an incomplete verification of _proofData.
- This episode is the most recent in a series of DeFi security breaches.


