Aztec Connect exploit drains $2.1M from deprecated zk-rollup bridge on Ethereum

Aztec Connect’s smart contract has reportedly lost $2.1 million after an attacker took advantage of a verification flaw in the privacy bridge that was shut down three years ago. This attack also comes with a twist, as the flaw sits beyond anyone’s ability to patch per the Aztec Labs team.

The stolen funds included approximately 909 ETH, 270,000 DAI, and 167 wstETH, according to blockchain security firm BlockSec, which flagged the suspicious transaction through its Phalcon monitoring system. 

Before it was deprecated by Aztec Labs in March 2023, Aztec Connect was a zk-rollup bridge that let users interact with DeFi protocols like Aave and Lido while shielding transaction details through zero-knowledge proofs. Aztec Labs stopped running its sequencer by March 2024.

The AZTEC token is up more than 5% as of the time of Cryptoplitan’s report.

What was the flaw that enabled the attacker to exploit Aztec Connect? 

The flaw was due to a mismatch involving the boundary between the verified transaction set and L1 settlement processing per BlockSec Phalcon’s analysis on X.

According to security firm CertiK, the flaw was an incomplete validation of submitted proof data.

 One contract function checked only the beginning of the proof while token transfer instructions embedded elsewhere went unverified, and this was what allowed the attacker to manipulate withdrawals.

What is Aztec Labs’ response to the exploit?

Aztec Labs confirmed it was investigating but said it has no mechanism to intervene. “Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us,” the team wrote on X.

In a separate statement, the Aztec Foundation posted on X, stating that the foundation stressed that the incident has no connection to any smart contracts tied to the AZTEC ERC-20 token or the current Aztec network, which focuses on private smart contracts. 

“Aztec Connect was deprecated 3 years ago and Aztec Labs retains no controls over the system,” Aztec Foundation wrote.

When Aztec Labs wound down the bridge, it renounced admin keys to the contracts given the fact that it was a privacy-focused protocol. However, the tradeoff is that once the keys are gone, nobody can deploy a fix when a vulnerability surfaces.

What is the cost of the exploit?

Aztec Connect contracts held about $2.15 million in total value locked before the attack, according to DefiLlama data, and those were the funds that the exploiter was able to access.

The funds were unmonitored, and the team did nothing about them, as any assets left inside them depend entirely on the original code’s integrity. 

Aztec Connect’s exploit also brings to the fore the recurring risk for users who leave their funds in legacy contracts after a project migrates.

June exploits continue to mount

It is already halfway into the month of June, and with exploits picking up, crypto protocols do not seem to catch a break. May was also punctuated with various exploits, and recently deprecated platforms are seeing increased attacks

Cryptopolitan has previously reported on exploits hitting Gnosis Pay and TesseraDAO in the first days of June, with TesseraDAO alone losing $2.5 million in a mint-and-dump attack on BNB Chain. 

Per DeFiLlama data, June exploits have already reached approximately $43.93 million in cumulative losses as of mid-month.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.