Aztec Connect's Ghost Contract Haunts the Chain 3 Years Late, Drains $2.19M 🪦

An attacker drained approximately $2.19 million from Aztec Connect on June 14 by exploiting a flaw in the privacy-focused layer-2 network's deprecated proof verification logic, blockchain security firm CertiK reported on X. CertiK flagged the suspicious transaction, identifying the address 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 as draining the Aztec Network Router contract. The Aztec Foundation confirmed it was notified of a potential exploit and stressed that the incident does not affect the AZTEC ERC-20 token or any smart contracts associated with the current Aztec network.

According to security researchers, the exploit appears to stem from incomplete validation of submitted proof data in the computeRootHashes() function, which confirmed the legitimacy of supplied _proofData but only examined the first part of it. The middle portion of the same _proofData payload contained the data that processDepositsAndWithdrawals() subsequently used to carry out token transfers. Crypto security firm BlockSec added that verified transactions on Aztec Connect's contract were "not effectively bound to the transaction set enforced by the ZK proof," allowing its verification path and settlement logic on Ethereum "to interpret the transaction list differently." The attacker executed the exploit seven times across seven different assets, making off with 909 Ether (ETH), 270,000 Dai (DAI), 167 of wrapped staked ETH and a handful of other cryptocurrencies.

Aztec Connect was deprecated in March 2023, with deposits halted and the team shifting resources to the next-generation Aztec Network. Aztec Labs noted on X that it was "investigating a potential exploit affecting Aztec Connect" and confirmed that around $2.1 million was transferred from the platform's smart contract, adding that the incident did not affect users or assets on the current Aztec network. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the team said. Crypto developer "Param" noted that Aztec Connect's smart contracts became "fully immutable" and could no longer be upgraded or paused, adding that "the incident is another reminder that abandoned DeFi contracts can still become targets years later."

The exploit is the latest in roughly $43.93 million worth of crypto that has been stolen so far this month from at least 12 separate exploits, according to DeFiLlama. A private key compromise on the Humanity Protocol has been the largest incident in June, with $30 million lost on June 8, followed by the Syscoin Bridge, which saw $8 million swiped in a fake proof exploit the previous day. More recently, Raydium suffered a coding error in its legacy AMM V3 program that caused $1.34 million worth of cryptocurrencies to be stolen from five Solana (SOL) pools, a governance takeover drained about $1.5 million in Ethereum from a Balancer liquidity pool, and $815,000 was taken from Ethereum's Alephium TokenBridge in seven minutes using three of four compromised guardian keys.