
BlockSec
@BlockSecTeam
Smart Contract Audit | Security Monitoring | AML/CFT (KYA/KYT) | Crypto Investigation | @Phalcon_xyz @MetaSleuth @MetaDockTeam 👉TG: https://t.co/owokTLanv5


.@aztecnetwork was attacked again. Like the Sunday, June 14, 2026 exploit, this attack appears related in nature, but targeted a different pool through a different entry point, with estimated losses of roughly $2.2M.
Ether: 1,158
DAI: 150K
renBTC: ~0.4696
Attack TXs:
app.blocksec.com/phalcon/explor…
app.blocksec.com/phalcon/explor…
app.blocksec.com/phalcon/explor…


Correct: after diving into the details, our analysis shows that the actual root cause of the @aztecnetwork incident was a mismatch between the verified rollup transaction set and the L1 settlement processing boundary (i.e., numRealTxs / _numTxs).

In Aztec Connect’s RollupProcessorV3.processRollup(), numRealTxs was not effectively bound to the transaction set enforced by the ZK proof, allowing the proof verification path and the L1 settlement logic to interpret the transaction list differently. The proof covered all transactions decoded from encodedInnerTxData and inserted their notes into the rollup Merkle tree, while the L1 settlement logic handled only the first numRealTxs decoded slots.

Because this assumption was not enforced, an attacker could place a non-actionable transaction in the scanned slot(s) and move a real deposit into a later decoded slot. In the observed exploit pattern, the attacker set numRealTxs to 1 while placing a real deposit transaction in the second decoded transaction slot. As a result, the rollup credited value internally while skipping the corresponding L1 signature validation and pending deposit balance deduction. More specifically, the second-slot deposit bypassed decreasePendingDepositBalance() and therefore did not consume the corresponding pending deposit balance. This created unbacked private balances that could later be withdrawn through normal settlement flows.

In the attack transaction, the attacker first credited seven unbacked asset balances across different assets into the rollup state and then extracted those assets through seven subsequent withdrawals. As shown in the figure, we use the first DAI deposit/withdraw pair as an example.

An especially notable detail is the timeline. According to Aztec’s official sunset notice, the Aztec Connect rollup would continue processing transactions and withdrawals only until March 31, 2024, after which the sequencer would stop running [1]. However, the linked materials indicate that RollupProcessorV3 was still upgraded on April 10, 2024 via PR #67 [2], and that upgrade appears not to have gone through an external audit before deployment [3].

[1] docs.aztec.network/aztec_connect_…
[2] github.com/AztecProtocol/…
[3] app.blocksec.com/phalcon/explor…
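A simplified Solidity sketch of the slot-count mismatch described in the post above, added here as an illustration. It is not Aztec's RollupProcessorV3 code; apart from the names processRollup, numRealTxs and encodedInnerTxData, every identifier, the 64-byte slot layout and the deposit encoding are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the numRealTxs mismatch. NOT Aztec's code; the
// slot size, deposit layout and helper names are assumptions for illustration.
contract RollupSketch {
    uint256 public constant TX_SLOT_SIZE = 64; // assumed: one abi-encoded (address, uint256) per slot
    mapping(address => uint256) public pendingDeposits;

    // Users pre-fund deposits on L1; settlement must consume this balance.
    function depositPendingFunds() external payable {
        pendingDeposits[msg.sender] += msg.value;
    }

    // Stand-in for proof verification: the proof is assumed to bind EVERY
    // slot in encodedInnerTxData (all notes enter the rollup tree).
    function _verifyProofCoversAllSlots(bytes calldata encodedInnerTxData) internal pure returns (uint256 numSlots) {
        require(encodedInnerTxData.length % TX_SLOT_SIZE == 0, "bad encoding");
        return encodedInnerTxData.length / TX_SLOT_SIZE;
    }

    // The L1 side of a deposit: the decreasePendingDepositBalance() step.
    function _settleDeposit(bytes calldata txData) internal {
        (address depositor, uint256 amount) = abi.decode(txData, (address, uint256));
        require(pendingDeposits[depositor] >= amount, "unbacked deposit");
        pendingDeposits[depositor] -= amount;
    }

    // VULNERABLE PATTERN: settlement trusts the caller-supplied count. Slots
    // beyond numRealTxs are still committed by the proof but never settled
    // here, so a deposit placed in slot 2 with numRealTxs = 1 is credited
    // in the rollup without consuming any pending balance.
    function processRollupVulnerable(bytes calldata encodedInnerTxData, uint256 numRealTxs) external {
        _verifyProofCoversAllSlots(encodedInnerTxData);
        for (uint256 i = 0; i < numRealTxs; i++) {
            _settleDeposit(encodedInnerTxData[i * TX_SLOT_SIZE:(i + 1) * TX_SLOT_SIZE]);
        }
    }

    // HARDENED PATTERN: the settlement boundary is derived from the same data
    // the proof commits to, so the two paths cannot disagree on the tx set;
    // an unbacked deposit in any slot now reverts the whole rollup.
    function processRollupHardened(bytes calldata encodedInnerTxData, uint256 numRealTxs) external {
        uint256 numSlots = _verifyProofCoversAllSlots(encodedInnerTxData);
        require(numRealTxs == numSlots, "numRealTxs must match proven tx set");
        for (uint256 i = 0; i < numSlots; i++) {
            _settleDeposit(encodedInnerTxData[i * TX_SLOT_SIZE:(i + 1) * TX_SLOT_SIZE]);
        }
    }
}
```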



We’re excited to announce the Agentic Payment Whitepaper, initiated by @InterlaceMoney together with 7 ecosystem partners. This whitepaper defines a shared vision, architecture, and standards for AI‑agent‑driven payments — a critical step toward the emerging Agentic Payment Economy.
🧱 The layers & partners:
🤖 Agent Application – @XAgent_official
💳 Payment Execution – @InterlaceMoney (Initiator)
🔐 Governance & Control – @Cobo_Global
🛡️ Trust & Compliance – @BlockSecTeam
💵 Stablecoin Settlement – @Stable
⛓️ Blockchain Infrastructure – @Conflux_Network
🌊 Liquidity Orchestration & User Access – @BitgetWallet
🔗 Causal Verification – @hetu_protocol
The company names above are listed in no particular order.
📄 Expected release: within the next 1–2 months. Stay tuned.
#Interlace #AI #agenticpayment

AllScale is the first purely self-custodial product that is fully integrating foundational KYT capabilities. While we are firmly building a permissionless, purely self-custodial digital bank, we are also doing our utmost to protect every merchant on our platform. Every payment made through AllScale Checkout passes through the on-chain intelligent KYT system built by us together with @BlockSecTeam, and merchants can export AllScale's Source of Funding report with one click, minimizing the risk of having funds frozen at an exchange when depositing or withdrawing after receiving tainted assets. We wrote an article explaining how KYT works and how we protect every merchant. Feedback is welcome.


ALERT! Our system detected a suspicious transaction targeting @aztecnetwork’s RollupProcessorV3 contract on #Ethereum hours ago, with estimated losses exceeding $2.15M. Initial analysis suggests the root cause might be missing access control in processRollup(). Although the function was documented to require either an authorized rollup provider or an open escape hatch, the implementation appears to enforce neither, potentially allowing arbitrary callers to submit otherwise valid rollup proofs, including withdrawal proofs.
Attack Tx: app.blocksec.com/phalcon/explor…
🟦 Found by #PhalconSecurity, 🟦 Analyzed via #PhalconExplorer.





We're aware of a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. The safety of our community is our top priority, and we want to be fully transparent about what we know.

As a precaution, please do NOT interact with the bridge or any liquidity pools until we give the all clear. This is the single most important step you can take to protect your funds right now.

We are actively working with leading security experts and our exchange partners to assess the scope of the incident and secure all affected systems. We're deeply sorry that this has happened. Protecting this community is our responsibility, and we don't take that lightly. We will share verified updates as soon as we have them and we won't speculate before facts are confirmed.

Official updates will only come from this account or @terencekwok. Beware of the scammers and impersonators who exploit moments like this. We will never DM you first or ask for your seed phrase or private keys.

We’re aware of an exploit affecting the $ASTX token contract that occurred around 4am GMT+8 earlier today. Our team is currently investigating the root cause of the exploit. We will drop a full, official post-mortem statement once we have everything mapped out. Thanks for standing by us through this unfortunate incident.



If your protocol is ready to get certified, these firms are accredited and taking clients now. Already working with one of them? Ask about SEAL Certifications starting today. @audit_wizard @BlockSecTeam @chain_security @Composable_Sec @ConsensysAudits @cyfrin @DefiSafety @hackenclub @HackenProof @SecurityOak @OpenZeppelin @opsek_io @Quantstamp @0xshield3 @sigp_io @statemindio @trailofbits @Wonderland @zellic_io @zeroshadow_io Announcement: radar.securityalliance.org/seal-certifica…




This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.

A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable contract is verified on Basescan under the name “SquidRouterModule” but this contract was not built, deployed, or operated by Squid. It is a third-party smart-wallet product that chose to integrate with Squid, among other protocols, but has not been in contact with us.

The exploit worked because the third-party module accepted a caller-supplied constant string as proof that a message was secure. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures.

Squid’s own router (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) is architecturally different and was not touched. Squid user funds, approvals, and integrations are fully secure.

Early public reporting may reference “SquidRouter” due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract. The contract shares our name but is not our code. We are monitoring the situation and will share updates if anything changes materially.
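A hypothetical Solidity sketch, added here, of the Safe-module authorization flaw the post above describes and of a hardened alternative. It is not the exploited SquidRouterModule nor Squid's code; the constant, the batch struct and the nonce scheme are assumptions, and the Safe module and EIP-1271 call signatures are assumed to match the Safe contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed Safe surface: modules spend via execTransactionFromModule, and a
// Safe answers EIP-1271 isValidSignature for hashes its owners approved.
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation) external returns (bool);
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
}

struct Call { address to; uint256 value; bytes data; }

// VULNERABLE PATTERN: a constant that is readable in the verified source is
// treated as proof of authorization. Anyone who reads it can drain every Safe
// that enabled this module, with no owner signature involved.
contract ModuleVulnerable {
    bytes32 private constant SECURE_TAG = keccak256("message-is-secure"); // assumed placeholder value

    function execute(ISafe safe, Call[] calldata calls, string calldata proof) external {
        require(keccak256(bytes(proof)) == SECURE_TAG, "not secure"); // not a secret, so not authentication
        for (uint256 i = 0; i < calls.length; i++) {
            require(safe.execTransactionFromModule(calls[i].to, calls[i].value, calls[i].data, 0), "call failed");
        }
    }
}

// HARDENED PATTERN: the Safe's own owners must have signed this exact batch
// for this module, chain and Safe (EIP-1271), and a per-Safe nonce blocks replay.
contract ModuleHardened {
    bytes4 private constant EIP1271_MAGIC = 0x1626ba7e;
    mapping(address => uint256) public nonces;

    function batchHash(ISafe safe, Call[] calldata calls, uint256 nonce) public view returns (bytes32) {
        return keccak256(abi.encode(address(this), block.chainid, address(safe), nonce, calls));
    }

    function execute(ISafe safe, Call[] calldata calls, bytes calldata signature) external {
        bytes32 hash = batchHash(safe, calls, nonces[address(safe)]++);
        require(safe.isValidSignature(hash, signature) == EIP1271_MAGIC, "batch not approved by Safe owners");
        for (uint256 i = 0; i < calls.length; i++) {
            require(safe.execTransactionFromModule(calls[i].to, calls[i].value, calls[i].data, 0), "call failed");
        }
    }
}
```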




.@VerusCoin's Verus-Ethereum Bridge smart contract (0x715185) was reportedly attacked hours ago on #Ethereum, with estimated losses of about $11.7M, including ~1,625.4 ETH, ~103.6 tBTC, and ~148K USDC. The stolen assets were transferred to 0x65cb8b and swapped into roughly 5,402.4 ETH (valued at ~$11.4M). On-chain records show that the attacker address, 0x5abb91, was funded via Tornado Cash. The root cause remains under investigation. Attack TX: app.blocksec.com/phalcon/explor…




