
Aztec's Abandoned Contracts Lose $4.4M in Two Exploits

Greyscale Aztec emblem beside a cracked legacy bridge vault spilling Ethereum, DAI and Bitcoin tokens across violet and orange editorial panels.

TL;DR

  • Attackers drained about $4.4 million from two separate deprecated Aztec products between June 14 and June 18.
  • The second incident removed 1,158 ETH, 150,000 DAI and 0.4696 renBTC from an old private rollup bridge.
  • Blockaid said the first attacker created unbacked balances through a settlement-boundary flaw before withdrawing about $2.19 million.
  • Aztec's current network and AZTEC token were not affected, but the old immutable contracts could not be paused or patched.

LONDON, June 21, 2026

Attackers drained about $4.4 million from two deprecated Aztec smart-contract systems in four days, including 1,158 ETH in the latest incident, exposing how abandoned DeFi code can remain financially active long after its product is shut down.

The second exploit targeted an immutable private rollup bridge from an Aztec payments product launched in 2021 and deprecated in 2022. It was separate from the June 14 attack on Aztec Connect, the privacy rollup that stopped taking deposits in 2023.

SlowMist reported that the latest attacker withdrew 1,158 ETH, 150,000 DAI and 0.4696 renBTC, worth about $2.21 million at the time. Four days earlier, a different exploit removed approximately $2.19 million from another legacy Aztec contract.

Ether traded near $1,741 on June 21, down about 12% from roughly $1,981 one month earlier. The asset moved between approximately $1,708 and $1,783 during the latest daily session as the broader crypto market remained in Extreme Fear.

Ethereum (ETH), past month (May 21 - Jun 21): $1,741, -12.1%; high $1,981, low $1,739.

Aztec’s second exploit drained 1,158 ETH

The latest attacker used a false rollup proof to make the old bridge release assets from its reserves, according to SlowMist’s preliminary analysis. The withdrawals included the ETH, stablecoins and tokenized Bitcoin held by the contract.

The attack focused on an emergency withdrawal mechanism known as an escape hatch. Such functions are intended to let users recover funds when normal rollup processing is unavailable, but the attacker was able to supply manipulated withdrawal inputs that the legacy verification path accepted.

The exploiter’s address was initially funded with 0.134 ETH from HitBTC, according to security researchers tracking the transactions. It was not immediately clear whether the two June attacks were conducted by the same person or group, and public attribution remained unavailable on Sunday.

The first incident used a different route. Blockaid’s technical analysis said the June 14 attacker exploited a settlement-boundary flaw in Aztec Connect to mint internal balances that were not backed by real deposits, then withdrew them in a single transaction.

Blockaid said its monitoring system detected the first attacker's preparation six minutes before execution. The warning could not prevent the theft because the contract had no remaining administrator able to pause it. That limitation distinguishes the incident from the recent Raydium legacy-pool exploit, where the protocol said its treasury would reimburse affected liquidity providers.

Immutable contracts left no emergency brake

Aztec had already told users that Aztec Connect was no longer under active development. Its sunset documentation said deposits stopped on March 21, 2023, while the company continued processing existing transactions and withdrawals until the sequencer was shut down on March 31, 2024.

The code and contracts did not disappear when the hosted service ended. Aztec made the infrastructure open source, and the Ethereum contracts remained accessible because blockchains do not automatically remove deployed applications when a company retires a product.

Aztec had also renounced administrative control, leaving no upgrade key, pause switch or asset-freezing authority. That design reduced the risk that a centralized operator could later change the rules, but it also meant a newly discovered vulnerability could not be repaired after deployment.

The tradeoff is different from the Humanity Protocol bridge breach, where compromised administrative keys gave an attacker direct control. In Aztec’s case, the absence of keys became the constraint: the team could investigate and warn users but could not intervene in the contract’s execution.

Aztec told Cointelegraph that the affected products were separate from its current privacy network and did not affect the AZTEC token. The current Aztec Network is a newer programmable privacy system, while Aztec Connect and the private rollup bridge belonged to earlier generations of the company’s Ethereum technology.

That separation is important for users trying to assess immediate exposure. The June incidents do not show that the current network’s proof system was broken, but they do show that an old brand-linked contract can create fresh reputational and financial damage years after deprecation.

Legacy DeFi code becomes a live security liability

The back-to-back thefts deepen a problem that is becoming more visible across decentralized finance: discontinued contracts can retain tokens, permissions and public entry points without a funded team maintaining them.

Users may leave small balances behind, lose access to old wallets or miss withdrawal deadlines. Those stranded assets can become worthwhile targets when market prices rise or researchers find an overlooked verification path.

The risk is especially difficult with immutable systems. Removing admin controls can protect users from unilateral changes, but a protocol needs a credible exit process before renouncing those controls. That may include long withdrawal windows, repeated wallet notifications, migration tools, public residual-balance dashboards and independent review of emergency functions.

The incident also shows why a project’s current security posture cannot be evaluated only through its newest code. Security teams, wallets and explorers may need to track known legacy contracts as long as those contracts hold meaningful assets, even when the original interface is offline.
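The tracking the paragraph above calls for can be reduced to two checks that security teams and explorers can run against any deprecated contract: how much value is still sitting in it, and whether a single transaction has just removed most of that value. The following Python monitor is an added example, not code from the article, from Aztec or from any of the firms it quotes. It replays a constructed transfer log rather than live chain data; the ETH price is the article's $1,741, DAI is taken at $1, the renBTC price is a constructed placeholder, the deposit history and the ordinary withdrawal at block 150 are invented, and the final transaction mirrors only the amounts the article attributes to the second exploit.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    """One token movement touching the watched contract.

    amount is signed: positive for deposits into the contract, negative for
    withdrawals out of it. Several Transfers can share one tx_hash.
    """
    block: int
    tx_hash: str
    token: str
    amount: Decimal


@dataclass(frozen=True)
class DrainAlert:
    block: int
    tx_hash: str
    outflow_usd: Decimal
    reserves_usd_before: Decimal

    @property
    def fraction(self) -> Decimal:
        return self.outflow_usd / self.reserves_usd_before


# Constructed prices: ETH is the article's $1,741, DAI is taken at $1,
# and the renBTC figure is a placeholder rather than a quoted price.
PRICES_USD = {"ETH": Decimal("1741"), "DAI": Decimal("1"), "renBTC": Decimal("60000")}

# Constructed transfer log for one hypothetical deprecated contract. The
# deposits and the small user withdrawal are invented; the last transaction
# mirrors the amounts the article attributes to the second exploit.
SAMPLE_TRANSFERS = [
    Transfer(100, "0xdeposit1", "ETH", Decimal("700")),
    Transfer(120, "0xdeposit2", "DAI", Decimal("160000")),
    Transfer(130, "0xdeposit3", "ETH", Decimal("500")),
    Transfer(140, "0xdeposit4", "renBTC", Decimal("0.5")),
    Transfer(150, "0xuserexit", "ETH", Decimal("-2")),
    Transfer(160, "0xdrain", "ETH", Decimal("-1158")),
    Transfer(160, "0xdrain", "DAI", Decimal("-150000")),
    Transfer(160, "0xdrain", "renBTC", Decimal("-0.4696")),
]


def usd_value(reserves, prices):
    """Dollar value of the positive token balances in `reserves`."""
    return sum((bal * prices[tok] for tok, bal in reserves.items() if bal > 0), Decimal(0))


def residual_reserves(transfers):
    """Net token balances still sitting in the contract after all transfers."""
    reserves = defaultdict(Decimal)
    for t in transfers:
        reserves[t.token] += t.amount
    return dict(reserves)


def find_drains(transfers, prices, fraction=Decimal("0.5")):
    """Replay the log and flag any single transaction whose total outflow is at
    least `fraction` of the contract's USD reserves just before that transaction.

    Ordinary user withdrawals move a sliver of reserves; a transaction that
    empties the contract stands out whichever entry point was called.
    """
    ordered = sorted(transfers, key=lambda t: t.block)  # stable sort keeps tx grouping
    reserves = defaultdict(Decimal)
    alerts = []
    i = 0
    while i < len(ordered):
        tx, block = ordered[i].tx_hash, ordered[i].block
        before = usd_value(reserves, prices)
        outflow = Decimal(0)
        # Consume every transfer that belongs to this transaction.
        while i < len(ordered) and ordered[i].tx_hash == tx:
            t = ordered[i]
            if t.amount < 0:
                outflow += -t.amount * prices[t.token]
            reserves[t.token] += t.amount
            i += 1
        if before > 0 and outflow / before >= fraction:
            alerts.append(DrainAlert(block, tx, outflow, before))
    return alerts


def watchlist_report(contracts, prices, min_usd=Decimal("10000")):
    """Return {label: residual USD value} for contracts still worth watching."""
    report = {}
    for label, transfers in contracts.items():
        value = usd_value(residual_reserves(transfers), prices)
        if value >= min_usd:
            report[label] = value
    return report


if __name__ == "__main__":
    for a in find_drains(SAMPLE_TRANSFERS, PRICES_USD):
        print(f"block {a.block} tx {a.tx_hash}: ${float(a.outflow_usd):,.0f} out, "
              f"{float(a.fraction):.1%} of ${float(a.reserves_usd_before):,.0f} reserves")
    print(watchlist_report({"legacy-bridge-placeholder": SAMPLE_TRANSFERS}, PRICES_USD))
```

On the constructed log the user withdrawal at block 150 moves well under one percent of reserves and is ignored, while the final transaction removes about 96% in one go and is flagged; the contract also stays on the watchlist afterwards because roughly $81k of constructed residual value remains. Feeding the same two functions from an indexer's transfer table and a price feed is what the live version would do; the drain threshold and the watchlist minimum are the knobs a team would tune per contract.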

The broader market’s caution remained visible Sunday, with the Crypto Fear and Greed Index at 23, or Extreme Fear.

Fear & Greed Index, June 21, 2026: 23 (Extreme Fear).

Aztec’s next steps were not immediately clear. Investigators will watch whether the stolen ETH, DAI and renBTC move through exchanges, bridges or mixers, whether the two attacker addresses can be linked, and how much recoverable value remains in the deprecated systems.

Former users should also expect impersonation attempts around any recovery discussion. The Zcash emergency-upgrade response showed how quickly a protocol can act when maintainers retain a supported upgrade path; Aztec’s legacy contracts demonstrate the opposite case, where the chain continues executing code that its original developer can no longer change.


Fact-checked by: Daily Crypto Briefs Fact-Check Desk

Frequently Asked Questions

How much was stolen from Aztec's old contracts?

The two incidents drained approximately $4.4 million combined. Blockaid estimated the June 14 Aztec Connect loss at $2.19 million, while SlowMist valued the second loss at about $2.21 million.

What assets were taken in the second Aztec exploit?

SlowMist reported that the attacker withdrew 1,158 ETH, 150,000 DAI and 0.4696 renBTC from the deprecated Private Rollup Bridge.

Was the current Aztec Network hacked?

No. The incidents affected separate legacy products that had been deprecated years earlier. Aztec said the current network and the AZTEC token were not affected.

Why could Aztec not stop the exploits?

The affected contracts were immutable and Aztec no longer held administrative keys that could pause, upgrade or freeze them.

How did the first Aztec Connect exploit work?

Blockaid said the attacker exploited a settlement-boundary flaw to create internal balances without matching deposits, then withdrew assets from the contract.

What should former Aztec Connect users do?

Aztec had urged users to withdraw before the sequencer stopped in March 2024. Anyone who may still have legacy exposure should verify contract status through official Aztec channels and avoid unsolicited recovery offers.