Hackers Drain $2.1M from Discontinued Aztec Connect Smart Contract

Despite being shut down in March 2023, the immutable Aztec Connect smart contract continued to hold more than $2 million worth of cryptocurrency.

A now-defunct decentralized finance platform known as Aztec Connect lost approximately $2.1 million in cryptocurrency assets this past Sunday following an attack that targeted vulnerabilities in its verification function.

On Sunday, Aztec Labs took to X to announce they were "investigating a potential exploit affecting Aztec Connect," noting that approximately $2.1 million had been moved from the platform's smart contract, while clarifying that users and assets on the newer Aztec network remained unaffected by the incident.

This security breach adds to the growing list of cryptocurrency thefts in June, contributing to the $44 million worth of digital assets that have been stolen across at least 12 separate exploits during the month, based on data from DeFiLlama.

The month's most significant loss came from a private key compromise targeting the Humanity Protocol, which resulted in $30 million being stolen on June 8, while the Syscoin Bridge experienced the second-largest incident when $8 million was taken through a fake proof exploit one day earlier.

According to blockchain security company BlockSec, the vulnerability stemmed from inconsistencies between the platform's transaction verification process and how those transactions were ultimately settled on the Ethereum blockchain.

BlockSec explained that verified transactions within Aztec Connect's contract were "not effectively bound to the transaction set enforced by the ZK proof," which enabled the verification pathway and settlement logic on Ethereum "to interpret the transaction list differently."

This vulnerability allowed the malicious actor to insert transactions where the contract would credit value without proper validation on Ethereum, thereby generating unbacked balances that were subsequently withdrawn. This process was repeated seven times targeting seven distinct assets.
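The defect class BlockSec describes, a verification step and a settlement step that can each read a different transaction list, can be shown with a simplified model. The following Python is an added illustration, not Aztec's code and not a description of the real contract: the proof and verifier are mocks, and every name, asset and amount is constructed. It places the weakly bound settlement routine beside a hardened one whose only difference is that it recomputes the commitment over the list it is about to credit and requires it to equal the commitment the proof was produced over.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    """One rollup transaction as the settlement layer sees it (constructed toy type)."""
    recipient: str
    asset: str
    amount: int


def commit(txs: List[Tx]) -> str:
    """Canonical commitment to an ordered transaction list.

    Stands in for the public input a real rollup proof would be generated over;
    a real system would use its own encoding and hash, this is a toy."""
    encoded = "|".join(f"{t.recipient}:{t.asset}:{t.amount}" for t in txs).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass(frozen=True)
class MockProof:
    """Stand-in for a ZK proof: carries only the commitment it was produced over."""
    committed_txs: str


def mock_verify(proof: MockProof) -> bool:
    """Stand-in verifier: accepts any well-formed proof object (no real cryptography)."""
    return len(proof.committed_txs) == 64


Balances = Dict[Tuple[str, str], int]


def settle_weakly_bound(balances: Balances, proof: MockProof, txs: List[Tx]) -> Balances:
    """Weak binding: the proof is checked, then the caller-supplied list is credited.

    Nothing ties `txs` to `proof.committed_txs`, so the verification path and the
    settlement path can disagree about which transactions were proven."""
    if not mock_verify(proof):
        raise ValueError("proof rejected")
    for t in txs:
        key = (t.recipient, t.asset)
        balances[key] = balances.get(key, 0) + t.amount
    return balances


def settle_bound(balances: Balances, proof: MockProof, txs: List[Tx]) -> Balances:
    """Hardened: settlement may only credit the exact list the proof committed to."""
    if not mock_verify(proof):
        raise ValueError("proof rejected")
    if commit(txs) != proof.committed_txs:
        raise ValueError("settlement list does not match the proven transaction set")
    for t in txs:
        key = (t.recipient, t.asset)
        balances[key] = balances.get(key, 0) + t.amount
    return balances


def demo() -> Tuple[int, bool]:
    """Run both routines on a list that carries one entry the proof never covered.

    Returns (unbacked credit produced by the weak routine, whether the hardened
    routine rejected the same input)."""
    proven = [Tx("alice", "ETH", 1)]            # constructed: the only proven transfer
    proof = MockProof(commit(proven))
    unproven_extra = [Tx("mallory", "ETH", 900)]  # constructed: not covered by the proof
    submitted = proven + unproven_extra

    weak_balances = settle_weakly_bound({}, proof, submitted)
    unbacked = weak_balances.get(("mallory", "ETH"), 0)

    try:
        settle_bound({}, proof, submitted)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return unbacked, hardened_rejected


if __name__ == "__main__":
    print(demo())  # (900, True)
```

The design point is that the settlement routine must consume exactly the data the proof's public inputs commit to; any list it accepts from another channel (separate calldata, a stored value, an earlier call) has to be re-hashed and compared before a single balance is credited. The same equality check is also a cheap off-chain monitoring signal: recompute the commitment over each settled batch and alert when it differs from the proof's public input.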

The stolen cryptocurrency included 909 Ether (ETH), 270,000 Dai (DAI) and 167 units of wrapped staked ETH, along with several other digital currencies.

[Figure: a portion of the cryptocurrency assets taken during the security breach. Source: CertiK]

The Aztec Network operates as a privacy-centered layer-2 zero-knowledge (ZK) rollup solution built on the Ethereum blockchain. Aztec Connect represented the earlier iteration of this platform, having been introduced in 2022 to function as a DeFi bridge.

The decision to deprecate Aztec Connect was made in March 2023, at which point deposits were suspended and the development team redirected their efforts toward building the next-generation Aztec Network.

"Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the team said.

Cryptocurrency developer "Param" explained that the smart contracts governing Aztec Connect had become "fully immutable" and were no longer subject to upgrades or emergency pauses.

"The incident is another reminder that abandoned DeFi contracts can still become targets years later," they said.