Three Years Dark, Still Got Robbed: Aztec Connect's $2.1M Ghost Exploit 👻

Aztec Connect, a privacy-focused layer-2 decentralized finance bridge deprecated in March 2023, was drained of approximately $2.1 million in crypto on Sunday after an attacker exploited a flaw in its proof verification logic. Aztec Labs confirmed on X that it was "investigating a potential exploit affecting Aztec Connect," adding that around $2.1 million was transferred from the platform's smart contract. The team stressed the incident does not affect users or assets on the current Aztec network and that the AZTEC ERC-20 token remains unaffected. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the team said, noting that the contracts are now fully immutable.

Blockchain security firm CertiK first flagged the suspicious transaction on X, identifying a 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 wallet as the recipient of roughly $2.19 million drained from the Aztec Connect Router contract. CertiK said the exploit appears to stem from incomplete validation of submitted proof data, with one contract function verifying only the beginning of the proof while token transfer instructions embedded elsewhere in the data were not properly checked. Crypto security firm BlockSec offered a parallel explanation, saying the attacker exploited a mismatch in how the platform verified transactions and settled them on Ethereum. Verified transactions on Aztec Connect's contract were "not effectively bound to the transaction set enforced by the ZK proof," BlockSec said, allowing the verification path and settlement logic on Ethereum "to interpret the transaction list differently." The attacker could then place transactions where the contract credited value without validating it on Ethereum, creating unbacked balances that could be withdrawn. The attacker repeated the maneuver seven times across seven different assets.
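The mismatch CertiK and BlockSec describe can be reduced to a toy model. This is an added example, not Aztec Connect's contract code: a SHA-256 hash stands in for the ZK proof, and the batch layout, record format and function names are assumptions made for illustration.

```python
import hashlib
import struct

REC = struct.Struct(">20sQ")  # constructed record: 20-byte recipient, uint64 amount

def commit(records: bytes) -> bytes:
    """Stand-in for the proof's public input: a hash over the covered records."""
    return hashlib.sha256(records).digest()

def verify(batch: bytes, proof: bytes) -> bool:
    """Checks only the first `count` records declared in the 4-byte header."""
    (count,) = struct.unpack_from(">I", batch)
    covered = batch[4:4 + count * REC.size]
    return len(covered) == count * REC.size and commit(covered) == proof

def parse_all(body: bytes) -> list:
    """Decodes every complete record present in the body, proven or not."""
    last = len(body) - REC.size + 1
    return [REC.unpack_from(body, off) for off in range(0, last, REC.size)]

def pay(records) -> dict:
    """Credits each recipient; models the settlement side effect."""
    out = {}
    for who, amount in records:
        out[who] = out.get(who, 0) + amount
    return out

def settle_vulnerable(batch: bytes, proof: bytes) -> dict:
    """Verification reads `count` records, settlement reads all of them."""
    if not verify(batch, proof):
        raise ValueError("invalid proof")
    return pay(parse_all(batch[4:]))

def settle_hardened(batch: bytes, proof: bytes) -> dict:
    """Rejects any byte outside the proven range so both paths see one list."""
    (count,) = struct.unpack_from(">I", batch)
    if len(batch) != 4 + count * REC.size or not verify(batch, proof):
        raise ValueError("batch is not exactly the proven record set")
    return pay(parse_all(batch[4:]))

# Constructed sample data: one proven record, plus one record outside the proof.
USER, EXTRA = b"\xaa" * 20, b"\xbb" * 20
_proven = REC.pack(USER, 5)
PROOF = commit(_proven)
HONEST = struct.pack(">I", 1) + _proven
PADDED = HONEST + REC.pack(EXTRA, 900)
```

In this model the padded batch passes `verify` unchanged, which is why the binding has to be enforced at settlement: the data that moves value must be byte-for-byte the data the proof covers.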

The haul included 909 Ether ($ETH), 270,000 Dai ($DAI), 167 wrapped staked ETH and a handful of other cryptocurrencies. Crypto developer "Param" noted that Aztec Connect's smart contracts became "fully immutable" once deprecated and could no longer be upgraded or paused. "The incident is another reminder that abandoned DeFi contracts can still become targets years later," they said.

The exploit is the latest in roughly $44 million worth of crypto stolen so far this month across at least 12 separate incidents, according to DeFiLlama. A private key compromise on the Humanity Protocol on June 8 was the largest June loss at $30 million, followed by the Syscoin Bridge, which lost $8 million in a fake proof exploit the previous day. The Aztec Connect incident came just days after a separate exploit on Raydium ($RAY) that drained roughly $1.3 million from five legacy liquidity pools on the Solana ($SOL) network.

Publisher: cryptonewsroom.xyz
Category: Security