Best crypto insights delivered straight to your inbox.
- A fresh $2 million exploit hit Aztec days after a separate $2.19 million breach
- The latest Aztec attack exploited a retired rollup product whose administrative controls were renounced years ago, leaving no mechanism for emergency intervention.
- The attack adds to a series of exploits to have targeted deprecated contracts in recent days.
Attackers have taken around $2 million from a deprecated Aztec payments product on June 17, coming just a few days after $2.19 million was lost in a separate exploit that targeted the project’s retired Aztec Connect bridge.
The back-to-back incidents add to a growing pattern of hackers attacking abandoned smart contracts that hold user funds but have no team capable of patching them.
How were deprecated Aztec smart contracts exploited?
Security researcher Cos flagged three suspicious transactions from Aztec’s private rollup bridge contract on June 18. These transactions were 1,158 ETH, 150,000 DAI, and 0.47 renBTC, which summed up to approximately $2.15 million according to Cos’s post on X.
The targeted contract that Cos highlighted is not the same one that was breached on June 14.
Security researcher, thisvishalsingh, confirmed on X that the Private Rollup Bridge drain “is a separate incident from the $2.1M drain on the deprecated Aztec Connect contract a few days ago.”
Aztec Labs said on X it was “investigating a potential exploit affecting a deprecated Aztec payments product from 2021,” describing the contract as “an immutable stage 2 rollup that was sunset in 2022.”
The Aztec Foundation stated that “the product was deprecated 4 years ago and Aztec Labs retains no controls over the system.”
The June 14 attack, which Aztec Labs documented in a post-mortem, exploited a flaw in how Aztec Connect’s proof verification system and its on-chain settlement code read the same batch of transactions. The proof system checked rows in groups of 32, while the settlement code only processed however many the batch declared as “real.”
Through 14 crafted rollup submissions packed into a single transaction, the attacker removed approximately 909 ETH, 270,513 DAI, 168 wstETH, and several Yearn vault tokens, totaling around $2.19 million, according to Aztec Labs.
A follow-up attack on June 15 used the same technique on leftover DeFi bridge positions and carted away $88,000.
Aztec Connect was a privacy-preserving zk-rollup that was launched in 2022 and deprecated in 2023.
In April 2024, Aztec Labs renounced all administrative roles and upgrade authority on-chain after a year of urging users to withdraw. It did this to allow the other users who still had funds there to exit without the team getting involved.
However, it also meant that the Aztec team had no access to deploy any fix should any vulnerability get detected.
Blockchain security firm Blockaid reported that its monitoring platform detected the attacker’s preparation activity about six minutes before the draining transaction executed on June 14.
Why are deprecated protocols under attack?
The Aztec incidents are not isolated. On June 15, DeFi options protocol Thetanuts Finance confirmed a $2.1 million exploit targeting a legacy vault it had migrated away from years earlier. That attack exploited a flaw in the vault’s redemption logic, according to security researcher ExVul.
Blockful.eth highlighted the trend on X, writing, “In the last days, we had 2 exploits exposing a risk that few remember exists in DeFi: old contracts with millions of dollars sitting idle.”
For protocols that renounce admin keys in the name of decentralization, the tradeoff may be looking bad in retrospect now, as it seems attackers have set their sights on them.
June exploit losses across DeFi have already crossed $43 million at the month’s midpoint, per DefiLlama, and deprecated contracts appear to be a growing share of the target surface.
The smartest crypto minds already read our newsletter. Want in? Join them.
FAQs
How much was stolen from Aztec in total across both incidents?
The first attack on Aztec Connect on June 14 drained approximately $2.19 million, with a follow-up extracting $88,000 the next day, according to Aztec Labs' post-mortem. The second, separate exploit on June 17 targeted the Private Rollup Bridge for roughly $2 million.
Does this affect the current Aztec network or the AZTEC token?
No. Both Aztec Labs and the Aztec Foundation confirmed that the exploited contracts have no connection to the AZTEC ERC-20 token or any smart contracts related to the current Aztec network.
Why can't the vulnerability be fixed?
Aztec Labs renounced all administrative roles and upgrade authority over the Aztec Connect contracts in April 2024, making them fully immutable, according to the team's post-mortem. The deprecated payments product targeted in the second exploit was also described as an immutable contract by Aztec Labs.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Hannah Collymore
Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia university with a degree in Business Administration.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)