Aztec Connect Abandoned Smart Contract Drained $2.1M

Aztec Connect, a deprecated DeFi platform tied to Aztec Network, was reportedly drained of about $2.1 million in crypto after an attacker exploited a vulnerability in the platform’s transaction verification logic. The incident highlights how “abandoned” contracts can remain viable targets long after they are officially retired.

Aztec Labs said on X that it is investigating a potential exploit affecting Aztec Connect and that roughly $2.1 million was transferred from the platform’s smart contract. The company added that the issue did not impact users or assets on the current Aztec Network.

Key takeaways

• About $2.1 million was stolen from Aztec Connect after the attacker abused its verification and settlement path.
• BlockSec said verified transactions were not effectively bound to the transaction set enforced by the ZK proof, creating a pathway to withdraw unbacked balances.
• The attacker reportedly executed the exploit seven times across seven assets, accumulating 909 ETH and 270,000 DAI, among others.
• Aztec Connect was deprecated in March 2023, with deposits halted and the team shifting to Aztec Network.
• Aztec Labs stated it has no admin keys and cannot pause or upgrade Aztec Connect, while a developer said the contracts became fully immutable.

What Aztec Labs said happened

In its public update, Aztec Labs described an apparent exploit affecting Aztec Connect’s smart contract and noted that about $2.1 million was transferred out. The firm emphasized that the incident did not affect the assets or user balances on the live Aztec Network.

Aztec Connect is linked to the privacy-focused ZK rollup ecosystem built on Ethereum. According to the same context provided in the report, Aztec Connect was an earlier version of the platform launched in 2022 as a DeFi bridge.

How the verification weakness enabled withdrawals

Security firm BlockSec said the attacker took advantage of a mismatch in how Aztec Connect verified transactions versus how it settled them on Ethereum.

BlockSec’s explanation focused on how the system handled the relationship between verified transactions and the ZK proof’s enforced transaction set. In its view, transactions approved through Aztec Connect’s verification route were not effectively bound to the transaction set enforced by the ZK proof. That gap allowed the contract’s verification and settlement logic on Ethereum to interpret the transaction list differently.

With that inconsistency, the attacker could place transactions such that the contract credited value without the corresponding validation occurring on Ethereum. BlockSec said this enabled the creation of unbacked balances, which could then be withdrawn.

BlockSec also reported that the attacker repeated the technique multiple times—seven times across seven different assets—rather than relying on a single sweep.

Reported assets taken and the broader hacking backdrop

The theft reportedly included 909 Ether (ETH), 270,000 Dai (DAI), 167 wrapped staked ETH, and several other cryptocurrencies. A separate post from CertiK had been cited in the original reporting as showing examples of some of the assets taken.

The Aztec Connect incident comes amid a busy stretch for DeFi exploits. DeFiLlama data referenced in the reporting indicates that $44 million worth of crypto has been stolen so far this month from at least 12 separate exploits.

Earlier in June, the largest theft mentioned was tied to a private key compromise on the Humanity Protocol, with $30 million reportedly lost on June 8. The reporting also points to a separate Syscoin Bridge incident the day prior, where $8 million was allegedly stolen through a fake proof exploit.

Why the “deprecated” label didn’t stop the attack

Aztec Connect was officially deprecated in March 2023, when deposits were halted and the team redirected development resources to the next-generation Aztec Network. However, the deprecation process did not eliminate the risk posed by the underlying smart contract logic.

Aztec Labs stated it holds no admin keys and therefore cannot pause or upgrade the system. This means the platform’s inability to be adjusted by the team can leave known or emergent logic flaws unaddressed—especially if the contract’s code remains on Ethereum.

A crypto developer identified as “Param” also said the Aztec Connect smart contracts became fully immutable, meaning they could no longer be upgraded or paused.

That combination—deprecation without upgrade authority—helps explain how an exploit can surface well after a product is retired. As noted in the reporting, the incident is another reminder that abandoned or deprecated DeFi contracts can still attract attackers years later, particularly when the exploit depends on fundamental contract semantics rather than on temporary operational parameters.

What to watch next

Investigators will likely focus on whether the withdrawn funds were immediately moved through liquidity venues or remain trackable in on-chain flows, while the Aztec ecosystem’s response may center on confirming the scope of impact and strengthening boundaries between verification and settlement logic. For users, the practical takeaway is to treat deprecated contracts as still risky: immutable code can remain exploitable long after deposits are shut off.

This article was originally published as Aztec Connect Abandoned Smart Contract Drained $2.1M on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.