An attacker drained more than $2.1 million from Aztec Connect on Jun. 14, exploiting a verification flaw in a privacy protocol that shut down three years ago.
Key Points:
- An attacker pulled roughly $2.19 million from Aztec Connect on Jun. 14, three years after the protocol was retired.
- The exploit abused a gap in the contract's proof verification, letting withdrawals draw on balances no deposit backed.
- Aztec Labs said it holds no admin keys and cannot pause or upgrade the immutable contracts.
CertiK Flags Aztec Connect Drain
CertiK caught the suspicious activity within hours of the attack. It flagged a drain from the RollupProcessorV3 contract on Ethereum, the deprecated bridge's core component. Fellow security firm BlockSec confirmed the same breach soon after and first suspected a missing access control in the code.
The weakness sat in how the contract checked proof data, with one path verifying the full transaction set while the settlement logic read that same data differently. The mismatch let the attacker credit value with nothing behind it, producing balances no deposit ever supported.
The attacker ran the trick across seven assets in a single sweep. The haul included 909 Ether (ETH), roughly 270,000 Dai (DAI), 167 wrapped staked Ether and a handful of yield-bearing tokens. On-chain records traced the funds to a fresh wallet financed earlier through a mixing service, a sign the move was prepared well in advance.
Also Read: Bitcoin Bulls Eye $67K After Trump Says Hormuz Will Open To All
Aztec Labs Holds No Admin Keys
The Aztec Foundation confirmed the incident not long after the alarm went up, and it stressed that the breach leaves the AZTEC (AZTEC) token and the live Aztec network untouched. The token barely flinched, trading near a cent through the day, while the retired bridge, first launched in 2022, has stood dormant since Mar. 2023.
Aztec Labs said it could not step in. The deprecated contracts hold no admin keys, so no one can pause or upgrade them, and developer Param explained the code turned fully immutable once the bridge wound down. Investigators are still tracing the stolen funds across the network.
Abandoned DeFi Contracts Stay Risky
The episode underlines a problem the industry keeps relearning, since dead protocols still hold real money long after their teams move on. Immutable code cannot be patched once a weakness surfaces, which leaves these abandoned systems, now widely called zombie contracts, open to attack for years.
The drain caps a rough stretch for on-chain security. Exploits this month have cost roughly $44 million across at least a dozen incidents with several smaller protocols hit in recent weeks. That tally follows a brutal April, when two attacks alone drove monthly losses past $625 million and set a record for incident count.
Read Next: Index Rules Turn SpaceX's $2T Debut Into A Market Stress Test