Aztec Connect loses $2.1m after old contract exploit

Aztec Connect, a deprecated DeFi bridge linked to the privacy-focused Aztec ecosystem, was exploited on Sunday after an attacker drained about $2.1 million from an old Ethereum smart contract.

Aztec Labs said on X that it was “investigating a potential exploit affecting Aztec Connect.” The team said about $2.1 million had moved from the platform’s immutable contract, but added that current Aztec Network users and assets were not affected.

The statement drew attention because Aztec Connect was no longer an active product. The platform was deprecated in March 2023 after Aztec Labs shifted work to the next version of its privacy network.

Old Aztec Connect funds stayed in the contract

Aztec Connect had once allowed users to access DeFi through a privacy-focused ZK rollup. Deposits were halted when the system was phased out, and users had time to withdraw their funds from the old platform.

Some assets remained in the contract. Crypto developer Param said the contracts later became “fully immutable” and could no longer be upgraded or paused. Aztec Labs also said it holds no admin keys or control over the old system.

Unlike a live protocol, the old Aztec Connect system had no operator able to pause activity. That made the response depend on public warnings, tracing, and checks by remaining affected users online.

That setup left no simple way to stop the exploit once the attacker found the path. The old code still lived on Ethereum, and the contract still held funds, even though the product had been abandoned.

Security firms explain the attack

BlockSec’s Phalcon team said the attack targeted Aztec Connect’s RollupProcessorV3 contract on Ethereum. The firm said losses exceeded $2.15 million after suspicious activity hit the contract.

According to BlockSec, the issue involved a mismatch between how transactions were verified and how they were settled on Ethereum. In simple terms, the proof system and the settlement logic did not read the transaction list in the same way.

That gap allowed the attacker to create balances that were not backed by valid value on Ethereum. The attacker then withdrew those balances. The same pattern was repeated seven times across several assets.

CertiK data shared on X listed the stolen assets as including 909 $ETH, around 270,000 DAI, 167 wrapped staked $ETH, and smaller amounts of other tokens. Param also said the attacker funded the wallet through Tornado Cash before the exploit.

June hack losses keep rising

The Aztec Connect exploit adds to another active month for DeFi security incidents. DeFiLlama’s hacks tracker shows several June losses, including $30 million from Humanity Protocol on June 8 and $8 million from Syscoin Bridge on June 7.

As previously reported by crypto.news, Humanity Protocol said more than $36 million was stolen after attackers compromised administrative keys linked to its bridge infrastructure across Ethereum and BNB Smart Chain.

Crypto.news also reported that hack losses fell to $68.3 million in May, down nearly 90% from April. Still, CertiK said code flaws caused about $45 million of May’s losses, making them the largest attack path for that month.

The Aztec case shows why old DeFi contracts remain part of the security map. Even when a product is discontinued, any funds left in immutable contracts can still draw attackers years later.