Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit

By Hannah Collymore
  • The Aztec Connect attack was due to an incomplete proof-verification bug that allowed fraudulent withdrawals to bypass validation checks.
  • Because Aztec Connect was fully decentralized and abandoned years ago, the vulnerability cannot be patched, and the protocol cannot be paused.
  • Aztec Labs and the Aztec Foundation stressed that the exploit does not affect the current Aztec network or the AZTEC token.

Aztec Connect’s smart contract has reportedly lost $2.1 million after an attacker took advantage of a verification flaw in the privacy bridge, which was shut down three years ago. The attack comes with a twist: according to the Aztec Labs team, the flaw is beyond anyone’s ability to patch.

The stolen funds included approximately 909 ETH, 270,000 DAI, and 167 wstETH, according to blockchain security firm BlockSec, which flagged the suspicious transaction through its Phalcon monitoring system. 

Before it was deprecated by Aztec Labs in March 2023, Aztec Connect was a zk-rollup bridge that let users interact with DeFi protocols like Aave and Lido while shielding transaction details through zero-knowledge proofs. Aztec Labs stopped running its sequencer by March 2024.

The AZTEC token is up more than 5% as of the time of Cryptopolitan’s report.

What was the flaw that enabled the attacker to exploit Aztec Connect? 

According to BlockSec Phalcon’s analysis on X, the flaw stemmed from a mismatch at the boundary between the verified transaction set and L1 settlement processing.

According to security firm CertiK, the flaw was an incomplete validation of submitted proof data.

One contract function checked only the beginning of the proof, while token transfer instructions embedded elsewhere went unverified, which allowed the attacker to manipulate withdrawals.
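A simplified model of the flaw class CertiK describes, added here as an illustration; it is not Aztec Connect's contract code. An HMAC tag stands in for the proof check, and the 32-byte header, the 28-byte instruction layout and every function name are assumptions.

```python
import hashlib
import hmac
import struct

PROVER_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the proof system
HEADER_LEN = 32                       # assumed size of the region the weak check covers
INSTR_LEN = 28                        # assumed layout: 20-byte recipient + 8-byte amount

def prove(data: bytes) -> bytes:
    """Stand-in for proof generation: a tag over exactly the bytes given."""
    return hmac.new(PROVER_KEY, data, hashlib.sha256).digest()

def instr(recipient: bytes, amount: int) -> bytes:
    return recipient + struct.pack(">Q", amount)

def parse_withdrawals(body: bytes):
    if len(body) % INSTR_LEN:
        raise ValueError("truncated withdrawal instruction")
    return [(body[i:i + 20].hex(), struct.unpack(">Q", body[i + 20:i + INSTR_LEN])[0])
            for i in range(0, len(body), INSTR_LEN)]

def settle_prefix_only(blob: bytes, proof: bytes):
    """Weak: verifies the header, then acts on bytes the proof never covered."""
    if not hmac.compare_digest(proof, prove(blob[:HEADER_LEN])):
        raise PermissionError("proof rejected")
    return parse_withdrawals(blob[HEADER_LEN:])

def settle_full(blob: bytes, proof: bytes):
    """Hardened: the proof must cover every byte that settlement will parse."""
    if not hmac.compare_digest(proof, prove(blob)):
        raise PermissionError("proof rejected")
    return parse_withdrawals(blob[HEADER_LEN:])

def demo():
    header = b"\x01" * HEADER_LEN
    honest = header + instr(b"\xaa" * 20, 5)
    altered = header + instr(b"\xbb" * 20, 900)   # same header, different instructions
    weak = settle_prefix_only(altered, prove(header))
    try:
        settle_full(altered, prove(honest))
        strict = "accepted"
    except PermissionError:
        strict = "rejected"
    return weak, strict, settle_full(honest, prove(honest))

if __name__ == "__main__":
    print(demo())
```

The check to carry into a review is that the verified byte range and the parsed byte range are the same range.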

What is Aztec Labs’ response to the exploit?

Aztec Labs confirmed it was investigating but said it has no mechanism to intervene. “Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us,” the team wrote on X.

In a separate statement on X, the Aztec Foundation stressed that the incident has no connection to any smart contracts tied to the AZTEC ERC-20 token or to the current Aztec network, which focuses on private smart contracts.

“Aztec Connect was deprecated 3 years ago and Aztec Labs retains no controls over the system,” Aztec Foundation wrote.

When Aztec Labs wound down the bridge, it renounced admin keys to the contracts because it was a privacy-focused protocol. The tradeoff is that once the keys are gone, nobody can deploy a fix when a vulnerability surfaces.

What is the cost of the exploit?

Aztec Connect contracts held about $2.15 million in total value locked before the attack, according to DefiLlama data, and those were the funds that the exploiter was able to access.

Exploiters removed the $2.15 million that was sitting in Aztec Connect. Source: DefiLlama

The funds were unmonitored, and the team did nothing about them; any assets left inside the contracts depend entirely on the original code’s integrity.

Aztec Connect’s exploit also brings to the fore the recurring risk for users who leave their funds in legacy contracts after a project migrates.

June exploits continue to mount

It is already halfway through June, and with exploits picking up, crypto protocols cannot seem to catch a break. May was also punctuated by various exploits, and recently deprecated platforms are seeing increased attacks.

Cryptopolitan has previously reported on exploits hitting Gnosis Pay and TesseraDAO in the first days of June, with TesseraDAO alone losing $2.5 million in a mint-and-dump attack on BNB Chain. 

Per DeFiLlama data, June exploits have already reached approximately $43.93 million in cumulative losses as of mid-month.


FAQs

What is Aztec Connect and why was it exploited?

Aztec Connect was a zk-rollup bridge on Ethereum that provided privacy for DeFi transactions. It was deprecated in March 2023, and since the team renounced admin keys, a verification flaw in its immutable smart contract could not be patched, allowing an attacker to drain approximately $2.1 million on June 14, 2026.

Does the Aztec Connect exploit affect the AZTEC token or current Aztec network?

No. Both Aztec Labs and the Aztec Foundation confirmed that the exploited contracts have no connection to the AZTEC ERC-20 token or any smart contracts related to the current Aztec network.

How did the attacker exploit the contract?

According to BlockSec's analysis, the root cause was a mismatch between the contract's rollup transaction verification and its L1 settlement processing logic, which allowed the attacker to trick the contract into releasing funds it should not have.


Hannah Collymore

Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia University with a degree in Business Administration.
