Hackers Steal $2.1M from Defunct Aztec Connect Smart Contract

Despite being shut down in March 2023, the Aztec Connect platform's immutable smart contract continued to hold more than $2 million worth of cryptocurrency.

A defunct decentralized finance protocol known as Aztec Connect lost approximately $2.1 million in cryptocurrency assets this past Sunday following a security breach that targeted its verification function.

On Sunday, Aztec Labs took to X to announce they were "investigating a potential exploit affecting Aztec Connect," noting that approximately $2.1 million had been extracted from the platform's smart contract, though they clarified that no users or funds on the existing Aztec network were impacted by the incident.

This security breach represents the most recent addition to the $44 million in cryptocurrency that has been stolen throughout this month across at least 12 separate exploits, based on data from DeFiLlama.

The most significant loss in June thus far came from a private key compromise targeting the Humanity Protocol, which resulted in $30 million being stolen on June 8, with the Syscoin Bridge coming in second after losing $8 million to a fraudulent proof exploit one day earlier.

According to blockchain security company BlockSec, the hacker took advantage of a discrepancy between how the platform verified transactions and how those transactions were then settled on Ethereum.

BlockSec explained that authenticated transactions on the Aztec Connect contract were "not effectively bound to the transaction set enforced by the ZK proof," which enabled its verification pathway and settlement logic on Ethereum "to interpret the transaction list differently."

This vulnerability allowed the hacker to insert transactions in which the contract credited value without proper validation on Ethereum, generating unbacked balances that were subsequently withdrawn. The perpetrator executed this maneuver seven times across seven distinct assets.
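The pattern BlockSec describes, a proof that is checked but whose transaction set is not tied to the list the settlement logic actually credits, can be modelled without any real proof system. The following is an added illustration and is not Aztec Connect's code: the "proof" is a stand-in whose only public input is a hash commitment to the transaction list, `commit_txs`, `verify_proof`, `settle_unbound` and `settle_bound` are hypothetical names, and the transactions are constructed sample data. The unbound settlement accepts a list that differs from the proven one; the bound version recomputes the commitment from the list it is about to settle and refuses on mismatch.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Tx:
    """One credit to a recipient in a given asset (constructed toy data)."""
    asset: str
    recipient: str
    amount: int


def commit_txs(txs):
    """Hypothetical commitment: SHA-256 over a canonical serialisation of the list.
    In a real rollup this would be a public input of the ZK proof."""
    payload = json.dumps([asdict(tx) for tx in txs], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class Proof:
    """Stand-in for a ZK proof: only the committed public input is modelled."""
    tx_commitment: str


def verify_proof(proof, public_commitment):
    """Toy verifier: accepts iff the proof was produced for this public input."""
    return proof.tx_commitment == public_commitment


def _credit(txs, balances):
    for tx in txs:
        key = (tx.asset, tx.recipient)
        balances[key] = balances.get(key, 0) + tx.amount
    return balances


def settle_unbound(proof, public_commitment, txs, balances):
    """Weak pattern: the proof is verified, but the list that gets credited is a
    separate argument that is never compared against the proven commitment, so
    the verifier and the settlement logic can disagree about the transaction set."""
    if not verify_proof(proof, public_commitment):
        raise ValueError("invalid proof")
    return _credit(txs, balances)


def settle_bound(proof, public_commitment, txs, balances):
    """Hardened pattern: recompute the commitment from the list actually being
    settled and require it to equal the proof's public input before crediting."""
    if not verify_proof(proof, public_commitment):
        raise ValueError("invalid proof")
    if commit_txs(txs) != public_commitment:
        raise ValueError("settled transaction list does not match the proven list")
    return _credit(txs, balances)


def demo():
    """Returns (unbacked balance credited by the weak path, whether the bound path rejected)."""
    proven = [Tx("ETH", "user_a", 1)]                      # constructed: what the proof covers
    commitment = commit_txs(proven)
    proof = Proof(commitment)
    submitted = proven + [Tx("ETH", "inserted", 900)]      # constructed: list with an extra credit

    weak = settle_unbound(proof, commitment, submitted, {})
    try:
        settle_bound(proof, commitment, submitted, {})
        rejected = False
    except ValueError:
        rejected = True
    return weak.get(("ETH", "inserted"), 0), rejected


if __name__ == "__main__":
    print(demo())
```

The check in `settle_bound` is the single line that closes the gap: whatever list reaches settlement must hash to the value the proof was verified against, so the verifier and the settlement logic can no longer interpret the transaction set differently. An audit of a rollup bridge should confirm that every field the settlement path reads is either derived from, or checked against, the proof's public inputs.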

The hacker successfully stole 909 Ether (ETH), 270,000 Dai (DAI), 167 wrapped staked ETH and several other cryptocurrencies.

[Image: some of the assets stolen in the exploit. Source: CertiK]

The Aztec Network operates as a privacy-oriented layer-2 zero-knowledge (ZK) rollup built on Ethereum. Aztec Connect was the earlier iteration of the platform; it went live in 2022, functioning as a DeFi bridge.

The retirement of Aztec Connect occurred in March 2023, at which point deposits were disabled and the development team redirected their efforts toward building the next-generation Aztec Network.

"Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the team said.

A crypto developer known as "Param" explained that the smart contracts for Aztec Connect had become "fully immutable" and were no longer capable of being upgraded or paused.

"The incident is another reminder that abandoned DeFi contracts can still become targets years later," they said.
