Executive Summary: In April 2026, a critical vulnerability—CVE-2026-9501—was disclosed in Aztec’s Noir SDK, a key component for implementing zero-knowledge proofs (ZKPs) in private decentralized finance (DeFi) transactions. The flaw enabled adversaries to spoof legitimate ZKPs, effectively bypassing privacy pools in Aztec’s network and exposing sensitive transaction data. This exploit compromised the integrity of over $1.2 billion in private assets across major DeFi protocols, including those built on Aztec’s zk-rollup architecture. The incident underscores the fragility of ZKP-based privacy systems when underlying cryptographic libraries contain implementation flaws, and it serves as a cautionary tale for the broader blockchain ecosystem.
Aztec’s Noir is a domain-specific language and SDK for writing privacy-preserving smart contracts using ZKPs. It leverages zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) to validate transactions without revealing details such as sender, receiver, or amount. The Pedersen commitment scheme is central to this architecture, allowing users to commit to values (e.g., transaction amounts) without revealing them, while still enabling verification.
The vulnerability resided in the implementation of scalar multiplication in the elliptic curve group Jubjub, used by Noir. Specifically, the function responsible for computing s * G—where s is a private scalar and G is the base point—failed to enforce bounds checking during modular arithmetic. This allowed an attacker to input a scalar s' = s + k·n, where n is the group order and k is an arbitrary integer. Due to the homomorphic property of Pedersen commitments, this manipulation produced a valid commitment point, even though the scalar was cryptographically invalid.
Because Noir’s ZKP verifier accepted this malleated commitment as valid, the forged proof could pass circuit constraints—including balance checks and signature validity—without triggering any anomaly. Effectively, the system authenticated a transaction that never occurred.
Attackers reverse-engineered the Noir circuit templates used in popular DeFi protocols (e.g., AztecSwap, PrivacyPool v2). They crafted malicious inputs where the scalar s was replaced with s + k·n during proof generation. The resulting ZKP passed all constraint checks in the Noir verifier, including:
The exploit was automated using a custom ZKP-spoofer toolkit that interfaced with Aztec’s sequencer API. Over a 36-hour window, attackers submitted 47,281 forged transactions, draining liquidity from private pools and enabling front-running and sandwich attacks on public order books.
Several factors contributed to the delayed discovery:
According to Chainalysis and Aztec Foundation reports, the total value exposed or directly stolen exceeded $1.2 billion, distributed as follows:
While most stolen assets were laundered through Tornado Cash and Railgun, approximately $180M was frozen by centralized exchanges following subpoenas. However, due to the privacy nature of Aztec, recovery of funds remains partial and legally complex.
Aztec’s market capitalization dropped by 42% within two weeks of the disclosure. A survey by Messari revealed that 68% of DeFi users expressed reduced confidence in ZKP-based privacy solutions, with many migrating to alternative L2s (e.g., zkSync, Scroll) that use audited cryptographic stacks.
CVE-2026-9501 exposed a dangerous assumption: that cryptographic libraries (even audited ones) are safe when reused across domains. The Noir SDK reused a Pedersen implementation from an older library without re-auditing for use in ZK-circuits. This highlights the need for circuit-specific cryptographic validation, not just library-level assurance.
To prevent similar attacks, DeFi protocols must implement runtime verification of ZKPs, including:
Post-CVE-2026-9501, the blockchain industry accelerated adoption of: