A hacker exploited a flaw in Aztec Connect’s legacy smart contract, draining approximately $2.1 million more than three years after the privacy-focused DeFi platform was shut down.
Key Takeaways
- Aztec Connect lost roughly $2.1 million to $2.19 million in a smart contract exploit on June 14.
- Security firms CertiK and BlockSec linked the attack to flaws in the platform’s proof verification and settlement logic.
- The exploit affected a deprecated Aztec Connect contract, not the current Aztec Network or the AZTEC token.
- The incident highlights the ongoing risks posed by abandoned DeFi contracts that remain on chain long after projects move on.
What Happened?
An attacker successfully drained more than $2.1 million from Aztec Connect, a discontinued decentralized finance platform built on Ethereum. The exploit targeted a legacy contract that has remained on chain since the platform was deprecated in 2023.
Aztec Labs and the Aztec Foundation quickly clarified that the incident had no impact on the current Aztec Network, its users, or the AZTEC token. However, because the old contracts are immutable and no longer controlled by the team, there was no way to stop the attack once it began.
We are investigating a potential exploit affecting Aztec Connect. ~$2.1m was transferred from the immutable smart contract in transaction: https://t.co/5WrfeR8bbJ
— Aztec Labs (@AztecLabs_) June 14, 2026
Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be…
How the Aztec Connect Exploit Unfolded
Blockchain security firm CertiK first flagged suspicious activity involving the Aztec Connect contract on June 14. Initial findings suggested the exploit stemmed from incomplete validation of proof data submitted to the protocol.
According to CertiK, one function verified only part of a submitted proof, potentially allowing malicious transaction instructions embedded elsewhere in the data to bypass proper validation. This weakness may have enabled the attacker to manipulate withdrawals and extract funds from the contract.
Security researchers at BlockSec provided additional technical details, pointing to a mismatch between Aztec Connect’s transaction verification process and how transactions were ultimately settled on Ethereum.
The firm explained that verified transactions were not effectively bound to the transaction set enforced by the platform’s zero-knowledge proof system. As a result, the verification path and settlement logic could interpret transaction data differently.
This discrepancy allegedly allowed the attacker to create unbacked balances that could later be withdrawn from the contract.
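The failure mode described in the two sections above, as an added, simplified model that is not Aztec Connect's code: a stand-in verifier accepts a proof over a hash commitment to a transaction batch, and the settlement path either applies whatever batch it is handed (the weak path, where a valid proof says nothing about the data actually settled) or first checks that the supplied batch re-hashes to the proven commitment (the hardened path). The `Tx`/`Rollup` names, the SHA-256 commitment scheme and the string "proof" are illustration-only assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Tx:
    kind: str      # "deposit" or "withdraw"
    account: str
    amount: int

def commit(txs):
    # Hash-commit to the whole batch; assumed to be the public input the prover commits to.
    h = hashlib.sha256()
    for t in txs:
        h.update(f"{t.kind}|{t.account}|{t.amount};".encode())
    return h.hexdigest()

def make_proof(txs):
    # Stand-in prover: a "proof" here is valid for exactly one batch commitment.
    return "proof:" + commit(txs)

@dataclass
class Rollup:
    balances: dict = field(default_factory=dict)
    bind_batch: bool = True   # False reproduces the weak path

    def settle(self, proof, batch_commitment, txs):
        if proof != "proof:" + batch_commitment:   # stand-in for ZK proof verification
            raise ValueError("invalid proof")
        # Hardened path: the batch being applied must re-hash to the proven commitment;
        # without this check the proof is valid but says nothing about `txs`.
        if self.bind_batch and commit(txs) != batch_commitment:
            raise ValueError("settled batch does not match proven batch")
        for t in txs:
            bal = self.balances.get(t.account, 0)
            if t.kind == "deposit":
                self.balances[t.account] = bal + t.amount
            elif t.kind == "withdraw":
                if bal < t.amount:
                    raise ValueError("insufficient balance")
                self.balances[t.account] = bal - t.amount
        return dict(self.balances)

def demo():
    proven = [Tx("deposit", "alice", 1)]            # constructed batch the proof covers
    proof, root = make_proof(proven), commit(proven)
    unproven = [Tx("deposit", "alice", 1_000_000)]  # constructed batch the proof never covered
    weak = Rollup(bind_batch=False).settle(proof, root, unproven)  # unbacked balance credited
    try:
        Rollup().settle(proof, root, unproven)
        hardened = "accepted"
    except ValueError as e:
        hardened = str(e)
    return weak, hardened, Rollup().settle(proof, root, proven)
```

`demo()` returns the weak path's inflated balance, the hardened path's rejection message, and the hardened path's correct result for the proven batch.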
Millions Drained Across Multiple Assets
The attacker reportedly executed the exploit seven times across seven different assets.
Stolen funds included:
- 909 ETH
- 270,000 DAI
- 167 wrapped staked ETH
- Several additional ERC20 tokens
Estimates place total losses between $2.1 million and $2.19 million.
The incident adds to a growing list of crypto security breaches recorded throughout June. According to DeFiLlama, losses from crypto exploits this month have reached nearly $44 million.
Among the largest incidents were the Humanity Protocol exploit, which reportedly resulted in $30 million in losses, and the Syscoin Bridge attack, which saw approximately $8 million stolen through a fake proof exploit.
Why Aztec Could Not Stop the Attack
Aztec Connect launched in 2022 as a privacy-focused bridge that enabled users to interact with DeFi protocols while keeping transaction details hidden through zero-knowledge proofs.
The platform was officially deprecated in March 2023 as Aztec shifted its focus toward building the next generation of the Aztec Network. Deposits were halted, and the sequencer was eventually shut down by March 2024.
Importantly, Aztec Labs renounced administrative control over the contracts as part of the shutdown process.
The team stated:
Because the contracts became fully immutable, there were no upgrade mechanisms, emergency controls, or pause functions available to intervene during the exploit.
The Aztec Foundation also emphasized that the breach does not affect any smart contracts associated with the current Aztec Network.
The Broader Risk Facing DeFi
The exploit serves as another reminder that smart contracts can remain active on blockchain networks long after a protocol has been abandoned.
Many legacy contracts continue to hold user funds despite no longer being actively maintained. While decentralization and immutability are core principles of blockchain technology, they can also create challenges when vulnerabilities emerge after development teams have relinquished control.
For investors, the incident underscores the importance of checking whether assets remain locked in older protocol contracts and understanding what safeguards exist when projects migrate to newer systems.
CoinLaw’s Takeaway
In my experience, this exploit highlights a less discussed risk in decentralized finance. Many investors focus on active protocols and new launches, but forgotten contracts can quietly hold millions of dollars in assets long after a project moves on. I found that the most important lesson here is that immutability cuts both ways. It protects users from centralized control, but it can also leave no path for intervention when a vulnerability surfaces years later. As DeFi continues to mature, investors should pay closer attention to how protocols handle migrations, contract deprecations, and stranded funds.