Aztec's ghost protocol gets robbed for $2.1M, proving abandoned contracts never really rest in peace 🪦

A deprecated privacy-focused DeFi platform, Aztec Connect, was drained of approximately $2.1 million in crypto on Sunday after an attacker exploited a flaw in its verification function. Aztec Labs said in a post on X that it was "investigating a potential exploit affecting Aztec Connect," adding that around $2.1 million was transferred from the platform's smart contract. The company stated the incident did not affect users or assets on the current Aztec network.

The exploit is the latest in a string of June attacks, with roughly $44 million in crypto stolen this month across at least 12 incidents, according to data from DeFiLlama. A private key compromise on the Humanity Protocol ranks as the largest so far, with $30 million lost on June 8, followed by the Syscoin Bridge, which saw $8 million swiped in a fake proof exploit the previous day.

Crypto security firm BlockSec, which analyzed the attack, said the attacker exploited a mismatch in how the platform verified transactions and settled them on Ethereum. The firm explained that verified transactions on Aztec Connect's contract were "not effectively bound to the transaction set enforced by the ZK proof," allowing its verification path and settlement logic on Ethereum "to interpret the transaction list differently." The attacker could then place transactions where the contract credited value without validating it on Ethereum, creating unbacked balances that could be withdrawn. According to BlockSec, the attacker carried out the process seven times across seven different assets.
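The binding failure BlockSec describes can be modelled in a few lines. This is an added example, not Aztec Connect's code or BlockSec's analysis: the hash commitment stands in for ZK proof verification, and the particular mismatch shown (a declared count versus the full payload) is a constructed illustration of two code paths reading one transaction list differently, not the actual flaw.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    account: str
    asset: str
    credit: int  # value the contract credits on settlement

def commit(txs):
    """Commitment over an exact transaction list (stand-in for the proof's public input)."""
    h = hashlib.sha256()
    h.update(len(txs).to_bytes(4, "big"))
    for t in txs:
        for field in (t.account.encode(), t.asset.encode(), t.credit.to_bytes(32, "big")):
            h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def verify_proof(proof_commitment, txs):
    """Stand-in for ZK verification: true only if the proof covers exactly `txs`."""
    return proof_commitment == commit(txs)

def apply_credit(balances, t):
    key = (t.account, t.asset)
    balances[key] = balances.get(key, 0) + t.credit

def settle_unbound(proof_commitment, declared_count, payload, balances):
    # Verification path reads only the first `declared_count` records...
    if not verify_proof(proof_commitment, payload[:declared_count]):
        raise ValueError("invalid proof")
    # ...while settlement walks the whole payload, crediting records no proof covers.
    for t in payload:
        apply_credit(balances, t)

def settle_bound(proof_commitment, declared_count, payload, balances):
    # Both paths must see one list: reject a payload that disagrees with its header.
    if declared_count != len(payload):
        raise ValueError("transaction list does not match declared count")
    if not verify_proof(proof_commitment, payload):
        raise ValueError("invalid proof")
    for t in payload:  # settle exactly the list that was verified
        apply_credit(balances, t)

def demo():
    proven = [Tx("alice", "ETH", 5)]                # constructed sample data
    payload = proven + [Tx("mallory", "ETH", 900)]  # constructed record outside the proof
    weak = {}
    settle_unbound(commit(proven), 1, payload, weak)
    return weak  # contains an unbacked balance for the unproven record
```

The hardened variant rejects the same payload because the list it settles is, by construction, the list the proof check consumed.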

The stolen funds included 909 Ether ($ETH), 270,000 Dai ($DAI) and 167 wrapped staked ETH, along with smaller amounts of other cryptocurrencies, according to blockchain security firm CertiK. Aztec Network is a privacy-focused layer-2 zero-knowledge (ZK) rollup on Ethereum, and Aztec Connect was the previous version of the platform, launched in 2022 as a DeFi bridge. Aztec Connect was deprecated in March 2023, with deposits halted and the team shifting resources to the next-generation Aztec Network.

Following the incident, Aztec Labs emphasized that it holds no special control over the old contracts. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the team said. Crypto developer "Param" noted that Aztec Connect's smart contracts are "fully immutable" and cannot be upgraded or paused. "The incident is another reminder that abandoned DeFi contracts can still become targets years later," they said.

Publisher: cryptonewsroom.xyz
Category: Security
