Hackers drain $2M from second Aztec contract in four days, spotlighting abandoned protocol risk

Attackers have taken around $2 million from a deprecated Aztec payments product on June 17, coming just a few days after $2.19 million was lost in a separate exploit that targeted the project’s retired Aztec Connect bridge. 

The back-to-back incidents add to a growing pattern of hackers attacking abandoned smart contracts that hold user funds but have no team capable of patching them.

How were deprecated Aztec smart contracts exploited?

Security researcher Cos flagged three suspicious transactions from Aztec’s private rollup bridge contract on June 18. These transactions were 1,158 ETH, 150,000 DAI, and 0.47 renBTC, which summed up to approximately $2.15 million according to Cos’s post on X.

The targeted contract that Cos highlighted is not the same one that was breached on June 14. 

Security researcher, thisvishalsingh, confirmed on X that the Private Rollup Bridge drain “is a separate incident from the $2.1M drain on the deprecated Aztec Connect contract a few days ago.”

Aztec Labs said on X it was “investigating a potential exploit affecting a deprecated Aztec payments product from 2021,” describing the contract as “an immutable stage 2 rollup that was sunset in 2022.”

The Aztec Foundation stated that “the product was deprecated 4 years ago and Aztec Labs retains no controls over the system.”

The June 14 attack, which Aztec Labs documented in a post-mortem, exploited a flaw in how Aztec Connect’s proof verification system and its on-chain settlement code read the same batch of transactions. The proof system checked rows in groups of 32, while the settlement code only processed however many the batch declared as “real.” 

Through 14 crafted rollup submissions packed into a single transaction, the attacker removed approximately 909 ETH, 270,513 DAI, 168 wstETH, and several Yearn vault tokens, totaling around $2.19 million, according to Aztec Labs.

A follow-up attack on June 15 used the same technique on leftover DeFi bridge positions and carted away $88,000.

Aztec Connect was a privacy-preserving zk-rollup that was launched in 2022 and deprecated in 2023. 

In April 2024, Aztec Labs renounced all administrative roles and upgrade authority on-chain after a year of urging users to withdraw. It did this to allow the other users who still had funds there to exit without the team getting involved. 

However, it also meant that the Aztec team had no access to deploy any fix should any vulnerability get detected.

Blockchain security firm Blockaid reported that its monitoring platform detected the attacker’s preparation activity about six minutes before the draining transaction executed on June 14. 

Why are deprecated protocols under attack?

The Aztec incidents are not isolated. On June 15, DeFi options protocol Thetanuts Finance confirmed a $2.1 million exploit targeting a legacy vault it had migrated away from years earlier. That attack exploited a flaw in the vault’s redemption logic, according to security researcher ExVul.

Blockful.eth highlighted the trend on X, writing, “In the last days, we had 2 exploits exposing a risk that few remember exists in DeFi: old contracts with millions of dollars sitting idle.”

For protocols that renounce admin keys in the name of decentralization, the tradeoff may be looking bad in retrospect now, as it seems attackers have set their sights on them. 

June exploit losses across DeFi have already crossed $43 million at the month’s midpoint, per DefiLlama, and deprecated contracts appear to be a growing share of the target surface.

The smartest crypto minds already read our newsletter. Want in? Join them.