Aztec Gets Hacked Again Like It's 2022: Deprecated Contracts Keep Printing Money for Attackers
Aztec's private rollup bridge was exploited Thursday for 1,158 Ether (ETH), 150,000 Dai (DAI) and 0.46 renBTC (RENBTC), totaling about $2.15 million, according to Cos, co-founder of cybersecurity firm SlowMist. SlowMist's preliminary analysis found the attacker used a false rollup proof to trick the protocol into releasing assets from its reserves to the attacker's address.
Aztec Labs confirmed the exploit, stating that approximately $2 million was transferred from an immutable smart contract tied to a payment product deprecated in 2022. The company added that it held no admin keys and had no ability to pause transactions on the contract. Aztec Labs said the Thursday incident is separate from a $2.1 million theft from Aztec Connect's smart contract on Sunday. Aztec Connect, a privacy-focused rollup, was deprecated in March 2023, with the team halting deposits and reallocating resources to the next-generation Aztec Network.
The two Aztec exploits, alongside the $1.3 million stolen from decentralized exchange Raydium earlier in June, have renewed concerns about deprecated smart contracts still holding legacy assets. "Old contracts continue to be bug bounties available to any hackers. With protocols removing their responsibility to maintain them, they can become even more tempting," risk analysis platform Blockful wrote in a Tuesday X post. SlowMist's post-mortem of the initial Aztec Connect exploit noted that the immutable contract continued to hold user assets despite the deprecation, allowing the attacker to extract over $2.1 million. SlowMist advised protocols with deprecated contracts that still hold legacy assets to conduct orderly asset migrations to eliminate ongoing cybersecurity exposure. Cointelegraph reached out to Aztec Labs for additional details about the vulnerability but had not received a response by publication.