Aztec has suffered a second multimillion-dollar exploit in less than a week after attackers drained roughly $2.1 million from its deprecated Private Rollup Bridge.
Key Takeaways
- Aztec’s Private Rollup Bridge was exploited for approximately $2.15 million to $2.16 million.
- The attack occurred just days after a separate $2.1 million exploit targeting Aztec Connect.
- Researchers say the attacker abused vulnerabilities in the bridge’s emergency escape hatch withdrawal mechanism.
- Aztec Labs stated the affected infrastructure was deprecated years ago and is not connected to the current Aztec Network or AZTEC token.
What Happened?
Aztec has been hit by another security incident after an attacker exploited its deprecated Private Rollup Bridge, draining approximately $2.15 million worth of crypto assets. The incident comes less than a week after a separate exploit targeted Aztec Connect, raising fresh concerns about the risks posed by legacy smart contracts that remain active on chain.
Security researchers from SlowMist and other blockchain security firms traced the exploit to the bridge’s emergency withdrawal mechanism, which allegedly allowed an attacker to manipulate proof data and withdraw funds that should not have been released.
SlowMist TI Alert: @aztecnetwork has been exploited again.
Loss: 1,158 ETH+150,000 DAI+0.4696 renBTC (~$2,209,704.23 USD)
Root Cause: The `RollupProcessor.escapeHatch()` function (`0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`) lacks access control: no `onlyOwner`, no…
SlowMist (@SlowMist_Team), June 18, 2026
Second Exploit Hits Aztec Within Days
The latest attack targeted Aztec’s Private Rollup Bridge, a privacy-focused infrastructure product launched in 2021 and deprecated in 2022. Although the product was shut down years ago, its smart contracts remained operational because they were designed as immutable contracts that cannot be altered or upgraded.
According to security researchers, the attacker successfully drained approximately:
- 1,158 ETH
- 150,000 DAI
- Around 0.47 to 0.5 renBTC
The total value of the stolen assets was estimated at roughly $2.15 million to $2.16 million at the time of the exploit.
Researchers also noted that the wallet used in the exploit was initially funded with a small amount of ETH originating from crypto exchange HitBTC before the attack was executed.
How the Attack Worked
Preliminary investigations from SlowMist, including analysis shared by co-founder Cos and founder Yu Xian, suggest the attacker exploited weaknesses within the bridge’s escapeHatch function.
The escape hatch was originally designed as an emergency tool that allowed users to withdraw assets directly from Ethereum if needed. However, researchers found that the function lacked critical verification checks.
According to the findings, the attacker was able to submit a false rollup proof and manipulate withdrawal-related parameters. The contract reportedly trusted specific transaction inputs without independently verifying ownership of the funds being withdrawn.
During brief periods when the escape mechanism was active, the attacker allegedly tricked the contract into releasing assets held by the bridge’s infrastructure.
Security firm BlockSec later said that both the recent Private Rollup Bridge exploit and the earlier Aztec Connect exploit were linked to what it described as public input binding issues, although the attack methods were not identical.
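A simplified model of the public input binding issue BlockSec describes, added here as an illustration; it is not Aztec's contract code or a reconstruction of the exploit. The HMAC-based `prove`/`verify` pair, the `Bridge` class and all balances are constructed stand-ins for a real proof system and contract.

```python
import hashlib
import hmac

# Toy stand-in for a proof system (assumption): a real rollup uses a SNARK verifier.
# Here a "proof" is an HMAC tag over the public-input digest, issued only for true statements.
CIRCUIT_KEY = b"constructed-demo-key"
NOTES = {"alice": 5, "mallory": 1}  # constructed balances provable inside the rollup

def digest(owner, recipient, amount):
    """Hash of the withdrawal parameters, used as the proof's public input."""
    return hashlib.sha256(f"{owner}|{recipient}|{amount}".encode()).digest()

def prove(owner, recipient, amount):
    """Return (proof, public_input); refuses statements the owner cannot back."""
    if amount <= 0 or amount > NOTES.get(owner, 0):
        raise ValueError("statement is false, no proof exists")
    d = digest(owner, recipient, amount)
    return hmac.new(CIRCUIT_KEY, d, hashlib.sha256).digest(), d

def verify(proof, public_input):
    """Check that the proof is valid for exactly this public input."""
    expected = hmac.new(CIRCUIT_KEY, public_input, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)

class Bridge:
    def __init__(self, pooled, bind_inputs):
        self.pooled = pooled            # funds held for all users
        self.bind_inputs = bind_inputs  # False = unbound (weak), True = hardened

    def escape_withdraw(self, proof, public_input, owner, recipient, amount):
        if not verify(proof, public_input):
            return False
        # Hardened path: the parameters that move funds must be the ones proven.
        if self.bind_inputs and not hmac.compare_digest(
                public_input, digest(owner, recipient, amount)):
            return False
        if amount <= 0 or amount > self.pooled:
            return False
        self.pooled -= amount
        return True

def submit_mismatched_call(bind_inputs):
    """Valid proof for 1 unit, submitted with call parameters asking for 6 units."""
    bridge = Bridge(pooled=6, bind_inputs=bind_inputs)
    proof, public_input = prove("mallory", "mallory", 1)
    ok = bridge.escape_withdraw(proof, public_input, "mallory", "mallory", 6)
    return ok, bridge.pooled
```

With binding disabled the proof verifies but says nothing about the amount actually released; with binding enabled the same call is rejected because the recomputed digest no longer matches the proven public input.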
Aztec Says Current Network Remains Unaffected
Following the exploit, Aztec Labs emphasized that the compromised infrastructure has no connection to the current Aztec Network or the AZTEC token.
The company explained that the affected bridge was deprecated years ago and operates as an immutable system. Because of its design, the team does not possess administrative keys and cannot pause transactions, upgrade the contracts, or directly intervene once vulnerabilities are discovered.
We are investigating a potential exploit affecting a deprecated Aztec payments product from 2021. ~$2m was transferred from the immutable smart contract in transaction: https://t.co/FS4JoNnfiJ
The deprecated product is an immutable stage 2 rollup that was sunset in 2022.…
Aztec Labs (@AztecLabs_), June 18, 2026
Aztec Labs also stressed that the incident is entirely separate from the current generation of network infrastructure under development.
The latest exploit follows another attack discovered on June 14 involving Aztec Connect, a privacy-focused rollup product that had already been deprecated in March 2023. That incident resulted in losses exceeding $2.1 million.
Legacy Smart Contracts Under Fresh Scrutiny
The back-to-back exploits have renewed debate around the security risks posed by deprecated smart contracts that continue to hold user assets.
Risk analysis platform Blockful warned that old smart contracts can effectively become ongoing targets for hackers when active maintenance and oversight end.
Security experts argue that even when protocols discontinue products, immutable contracts containing legacy funds may continue to present attractive attack opportunities. SlowMist recommended that projects carrying assets in deprecated contracts consider structured asset migration plans to reduce long-term exposure.
The incident also adds to a growing list of bridge-related security breaches across the crypto industry. Reports indicate that bridge exploits have already caused more than $340 million in losses this year alone, highlighting the continued challenges facing decentralized finance security.
CoinLaw’s Takeaway
In my experience, these incidents show that a protocol’s greatest security risk is not always its newest technology but sometimes its oldest infrastructure. Even when products are officially discontinued, dormant contracts holding valuable assets can remain attractive targets for attackers. I found the Aztec case particularly notable because both exploits occurred within days of each other and involved infrastructure that had already been retired. The broader lesson for the crypto industry is clear: deprecating a product does not automatically eliminate its security risks if funds remain locked inside immutable contracts.