June 18, 2026
ChainGPT
Hackers Exploit ZK Flaws to Steal $4M+ from Aztec’s Deprecated Bridges
Aztec’s old infrastructure was rocked by a coordinated wave of exploits this month, with attackers siphoning more than $4 million from legacy contracts that had been officially retired — but still held on-chain liquidity.
What happened
- June 14: Aztec Connect — a deprecated privacy-focused bridge that had been shut down — was drained for roughly $2.1 million. The attacker moved about 909 ETH, 270,000 DAI, 167 wstETH and smaller balances. Although the contract was considered inactive and immutable (meaning it couldn’t be paused or patched), residual funds remained on-chain and were targeted.
- June 17: A second exploit hit the Private Rollup Bridge, another piece of Aztec’s older rollup design. Attackers extracted about 1,158 ETH (≈ $2.15 million), bringing the three-day total losses to just over $4 million.
How the attackers did it
Both incidents traced back to weaknesses in zero-knowledge (ZK) proof verification inside legacy rollup systems — not to stolen private keys or classic reentrancy bugs. In the Aztec Connect case, attackers exploited flaws in the rollup proof verification logic so that invalid or manipulated proofs were accepted, enabling unauthorized withdrawals. In the Private Rollup Bridge incident, the attacker abused an “escape hatch” exit mechanism by submitting a specially crafted ZK proof that the contract mistakenly validated, triggering the bridge’s exit logic and releasing funds.
Why retired contracts were vulnerable
These contracts were deliberately deployed as immutable and were deprecated when Aztec migrated away from those designs. Because of that immutability, they couldn’t be upgraded, paused, or patched after shutdown, so any residual liquidity stayed on-chain without maintenance or a secure upgrade path. Security reviewers pointed to a structural mismatch between ZK proof validation and on-chain settlement logic: proofs were being accepted without a correct, verifiable mapping to the underlying transaction state, creating attack surface long after the systems were supposed to be retired.
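A toy model of the proof-to-settlement mapping the reviewers describe, added here as an illustration; it is not Aztec's contract code and not a reconstruction of the actual bug. The HMAC-based `prove`/`verify` pair is an assumed stand-in for a real ZK verifier, and `Bridge`, `settle_unbound` and `settle_bound` are hypothetical names.

```python
import hashlib
import hmac

# Toy stand-in for a SNARK verifier (assumption): a "proof" is an HMAC over the
# public-input digest, under a key that only the honest prover holds.
PROVER_KEY = b"constructed-demo-key"

def public_input_digest(old_root, new_root, withdrawals):
    # Commit to everything settlement acts on: both roots and every payout.
    h = hashlib.sha256(old_root + new_root)  # roots are fixed-size 32 bytes
    for recipient, amount in withdrawals:
        r = recipient.encode()
        h.update(len(r).to_bytes(2, "big") + r + amount.to_bytes(32, "big"))
    return h.digest()

def prove(digest):
    return hmac.new(PROVER_KEY, digest, hashlib.sha256).digest()

def verify(proof, digest):
    return hmac.compare_digest(proof, prove(digest))

class Bridge:
    def __init__(self, root, balance):
        self.root, self.balance = root, balance

    def _apply(self, new_root, withdrawals):
        total = sum(amount for _, amount in withdrawals)
        if total > self.balance:
            return False
        self.root, self.balance = new_root, self.balance - total
        return True

    def settle_unbound(self, proof, claimed_digest, new_root, withdrawals):
        # Weak: proof is checked against a caller-supplied digest, payouts untied to it.
        return verify(proof, claimed_digest) and self._apply(new_root, withdrawals)

    def settle_bound(self, proof, new_root, withdrawals):
        # Hardened: recompute the digest from the contract's own root and the
        # exact data about to be executed, then verify the proof against that.
        digest = public_input_digest(self.root, new_root, withdrawals)
        return verify(proof, digest) and self._apply(new_root, withdrawals)

def demo():
    root0, root1 = b"\x00" * 32, b"\x01" * 32                  # constructed roots
    proven, other = [("alice", 5)], [("mallory", 900)]        # constructed payouts
    digest = public_input_digest(root0, root1, proven)
    proof = prove(digest)                                      # covers `proven` only
    weak, hard = Bridge(root0, 1000), Bridge(root0, 1000)
    return (weak.settle_unbound(proof, digest, root1, other), weak.balance,
            hard.settle_bound(proof, root1, other),
            hard.settle_bound(proof, root1, proven), hard.balance)
```

The hardened path rejects the mismatched settlement and still accepts the one the proof actually covers, which is the property a regression test for a verifier integration should assert.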
Official response
Aztec Labs and the Aztec Foundation confirmed both affected systems were deprecated products with no ties to the current Aztec network or the AZTEC ERC‑20 token. In a June 18, 2026 tweet, the Aztec Foundation reiterated that the compromised product had been deprecated years earlier and that current network contracts were unaffected. Security firm CertiK also flagged the Private Rollup Bridge exploit, identifying the attacker’s address and tracing the funds’ movement; its analysis agreed that the root cause was ZK proof verification rather than conventional smart contract vulnerabilities.
Broader takeaway
The attacks underscore a recurring risk in Ethereum’s DeFi ecosystem: retired, immutable contracts can become attractive targets if they retain on-chain liquidity and lack maintenance or formal shutdown mechanisms. Even designs that were once secure can develop exploitable edge cases as assumptions and attacker techniques evolve — particularly for complex components like ZK proof validation and rollup exit logic. The incidents are a reminder for teams to plan explicit, secure withdrawal or migration paths for deprecated contracts and for users to remove funds from legacy systems whenever possible.