Aztec Network suffers $2M loss in second hack this week
Aztec Network has been hit by two distinct exploits this week, resulting in approximately $4.19 million in losses from its deprecated smart contracts. These incidents highlight a growing trend of attackers targeting abandoned blockchain infrastructure.

Two Distinct Attacks Drain Aztec Funds

The latest incident, occurring on June 17, saw attackers steal around $2 million from a deprecated Aztec payments product. This product, a private rollup bridge, had its administrative controls renounced years ago. Days earlier, on June 14, a separate exploit drained $2.19 million from the retired Aztec Connect bridge. A follow-up attack on June 15 leveraged the same technique to take an additional $88,000 from leftover DeFi bridge positions.

Security researcher Cos flagged suspicious transactions from the private rollup bridge contract, totaling approximately $2.15 million in ETH, DAI, and renBTC. Another researcher, thisvishalsingh, confirmed these were separate from the earlier Aztec Connect breach. Aztec Labs stated it was investigating the June 17 exploit, noting the contract was an immutable stage 2 rollup sunset in 2022. The Aztec Foundation added that the product was deprecated four years ago, with Aztec Labs retaining no controls.

Immutable Contracts Pose Ongoing Risk

The June 14 attack on Aztec Connect exploited a mismatch between how its proof verification system and its on-chain settlement code processed transaction batches: the proof system checked rows in fixed groups of 32, while the settlement code only processed the amounts declared as “real”. Attackers bundled 14 crafted rollup submissions into a single transaction to withdraw various tokens from the bridge.
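To make the failure class concrete, here is an added toy model, not Aztec Connect's contracts and not a reconstruction of the actual exploit: a verifier that binds every row of a fixed 32-row batch, beside a settlement routine that pays out from a separately supplied “declared” list the proof never binds, and a hardened variant that derives payouts only from the proven rows. The commitment scheme, function names, row layout and sample amounts are all assumptions made for illustration.

```python
"""Toy model of a proof-verification / settlement mismatch.

Added illustration only. It is NOT Aztec Connect's code and does not claim to
reproduce that contract's logic; it shows the general bug class the article
describes: the proof binds a fixed-size batch of rows, but settlement acts on
a "declared" list that the proof does not cover. Names and the commitment
scheme are assumptions.
"""
import hashlib
import json

BATCH_ROWS = 32  # assumption: the verifier works on batches of exactly 32 rows


def commit(rows):
    """Toy commitment over all rows, standing in for the proof's public inputs."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def make_batch(real_rows):
    """Pad the real withdrawal rows to a full batch with zero-amount rows."""
    if len(real_rows) > BATCH_ROWS:
        raise ValueError("too many rows for one batch")
    padding = [{"token": "", "amount": 0, "to": ""}] * (BATCH_ROWS - len(real_rows))
    return list(real_rows) + padding


def verify_proof(rows, proof):
    """The 'proof system': the batch must be exactly 32 rows and match the commitment."""
    return len(rows) == BATCH_ROWS and commit(rows) == proof


def settle_vulnerable(rows, proof, declared, balances):
    """Vulnerable settlement: verifies the proven rows, then pays whatever
    `declared` says. The declared list is never cross-checked against `rows`,
    so the proof constrains nothing that settlement actually uses."""
    if not verify_proof(rows, proof):
        raise ValueError("invalid proof")
    for d in declared:
        balances[d["token"]] -= d["amount"]
    return balances


def settle_hardened(rows, proof, declared, balances):
    """Hardened settlement: the only amounts paid are the proven, non-padding
    rows, and any submitter-declared list must match them exactly."""
    if not verify_proof(rows, proof):
        raise ValueError("invalid proof")
    proven = [r for r in rows if r["amount"] != 0]
    if declared != proven:
        raise ValueError("declared amounts are not bound by the proof")
    for r in proven:
        if balances.get(r["token"], 0) < r["amount"]:
            raise ValueError("insufficient bridge balance")
        balances[r["token"]] -= r["amount"]
    return balances


def demo():
    """Constructed scenario: one proven 1-ETH row, but a declared 100-ETH payout."""
    real = [{"token": "ETH", "amount": 1, "to": "0xabc"}]          # constructed
    rows = make_batch(real)
    proof = commit(rows)
    inflated = [{"token": "ETH", "amount": 100, "to": "0xabc"}]     # constructed
    drained = settle_vulnerable(rows, proof, inflated, {"ETH": 500})
    try:
        settle_hardened(rows, proof, inflated, {"ETH": 500})
        rejected = False
    except ValueError:
        rejected = True
    return drained, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the extra balance check but that settlement reads its amounts from the same data the proof commits to; any field the verifier does not bind is attacker-controlled input, however many rows the proof itself validates.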

Aztec Connect, a privacy-preserving zk-rollup launched in 2022, was deprecated in 2023. In April 2024, Aztec Labs renounced all administrative roles and upgrade authority on-chain. This action, intended to allow users to withdraw funds without team involvement, also removed any ability for the team to deploy fixes for new vulnerabilities. Blockchain security firm Blockaid reportedly detected the attacker’s preparation activity six minutes before the June 14 draining transaction.

Deprecated Contracts Fuel DeFi Losses

These Aztec incidents are not isolated events. On June 15, DeFi options protocol Thetanuts Finance confirmed a $2.1 million exploit targeting a legacy vault that users had been migrated away from years earlier. According to security researcher ExVul, the attack exploited a flaw in the vault’s redemption logic. Blockful.eth noted the trend on X, highlighting the risk posed by old contracts still holding significant idle funds.

June exploit losses across DeFi had already surpassed $43 million at the month’s midpoint, according to DefiLlama data, with deprecated contracts making up a growing share of the attack surface. Both Aztec Labs and the Aztec Foundation confirmed that the exploited contracts have no connection to the AZTEC ERC-20 token or to any smart contracts of the current Aztec network.

Unpatched Legacy Code Remains a Target

The recent exploits against deprecated protocols underscore a critical challenge for decentralized finance: how to manage legacy codebases that still hold user funds but have no active maintenance or upgrade path. Renouncing admin keys in the name of decentralization is defensible in principle, but it makes every vulnerability discovered afterwards permanent; unless it is paired with a comprehensive withdrawal or migration plan that empties the contracts first, the funds left behind become a standing target.
