The BlockSec: Aztec vulnerability incident was caused by a mismatch between numRealTxs and the transaction set, resulting in the creation of unendorsed balances.


According to Foresight News, BlockSec Phalcon has released an updated analysis of the Aztec vulnerability incident. Further investigation revealed that the root cause was not a lack of access control, but rather that `numRealTxs` in RollupProcessorV3 was not effectively bound to the transaction set enforced by the ZK proofs.

Specifically, the proof verification path decodes all transactions in `encodedInnerTxData` and inserts them into the rollup Merkle tree, while the L1 settlement logic only processes the first `numRealTxs` decoded slots. An attacker exploited this inconsistency, placing genuine deposit transactions in later slots and setting `numRealTxs` to a smaller value, thus bypassing checks like `decreasePendingDepositBalance()` to create unendorsed asset balances and successfully withdraw them. In the attack transaction, the attacker created unendorsed balances on multiple assets at once and then withdrew them through the normal withdrawal process. Furthermore, although Aztec Connect ceased operation on March 31, 2024, the RollupProcessorV3 contract underwent an unaudited upgrade on April 10.
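The two-path mismatch described above, as an added example that is not BlockSec's or Aztec's code: a constructed model in which the proof path credits every decoded slot while settlement only debits the first `numRealTxs`, next to a settlement that binds `numRealTxs` to the proven set. Slot layout, asset names and amounts are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the two code paths; not Aztec's code.
PADDING, DEPOSIT = 0, 1

@dataclass(frozen=True)
class InnerTx:
    kind: int          # PADDING or DEPOSIT
    asset: str = ""
    amount: int = 0

def proof_path_leaves(slots):
    """Proof-verification path: every decoded slot becomes a rollup leaf, so every
    DEPOSIT in the slot list is credited on L2 regardless of numRealTxs."""
    return [hashlib.sha256(f"{t.kind}|{t.asset}|{t.amount}".encode()).hexdigest()
            for t in slots]

def l2_credited(slots):
    """Per-asset L2 balance the proof path creates from all decoded slots."""
    credited = {}
    for t in slots:
        if t.kind == DEPOSIT:
            credited[t.asset] = credited.get(t.asset, 0) + t.amount
    return credited

def settle_l1_vulnerable(slots, num_real_txs, pending):
    """Settlement that trusts numRealTxs: only the first numRealTxs slots pass the
    pending-deposit check and are debited. Returns per-asset amounts debited."""
    debited = {}
    for t in slots[:num_real_txs]:
        if t.kind == DEPOSIT:
            if pending.get(t.asset, 0) < t.amount:
                raise ValueError("insufficient pending deposit")  # the deposit check
            pending[t.asset] -= t.amount
            debited[t.asset] = debited.get(t.asset, 0) + t.amount
    return debited

def settle_l1_hardened(slots, num_real_txs, pending):
    """Same settlement, but numRealTxs is bound to the proven set: every slot past
    numRealTxs must be padding, so no real transaction can skip the deposit check."""
    if any(t.kind != PADDING for t in slots[num_real_txs:]):
        raise ValueError("numRealTxs does not match the proven transaction set")
    return settle_l1_vulnerable(slots, num_real_txs, pending)

def unbacked(slots, num_real_txs, pending, settle):
    """Per-asset L2 credit with no matching L1 debit; {} means fully backed."""
    debited = settle(slots, num_real_txs, dict(pending))
    return {a: v - debited.get(a, 0) for a, v in l2_credited(slots).items()
            if v != debited.get(a, 0)}
```

An invariant monitor built on the same idea (L2 credits equal L1 debits per batch) would have flagged the settlement before withdrawal, which is the detection angle a defender would add.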
