Hackers stole more than $2.19 million from Aztec Connect, an Ethereum-based privacy protocol that was discontinued years ago. The breach, which occurred on June 14, targeted a legacy version of the platform that continued to hold user funds despite no longer being actively maintained.
Blockchain security firm BlockSec Phalcon detected the attack and traced it to Aztec Connect’s RollupProcessorV3 contract. Researchers initially suspected an access-control weakness but later identified a more complex flaw in the way the protocol verified and settled transactions.
According to BlockSec, the vulnerability allowed the attacker to create withdrawable balances without providing the corresponding deposits. The incident has renewed concerns across the crypto industry about outdated smart contracts, particularly those tied to privacy-focused and zero-knowledge (ZK) systems that retain user assets long after development ceases.
How the attacker bypassed key checks
Investigators traced the breach to a deep architectural flaw in how Aztec Connect verified transaction data. According to BlockSec, different parts of the protocol interpreted the data in different ways, creating a fatal loophole that allowed the attacker to generate funds that were not backed by actual deposits.
Specifically, the ZK proof verification path decoded all transactions and inserted them into the rollup’s Merkle tree, but the Layer 1 settlement logic only processed a subset of them (dictated by a variable known as numRealTxs). The attacker exploited this mismatch by placing legitimate deposit transactions in later slots while artificially keeping the numRealTxs value low. Because the settlement checks never covered those later slots, the attacker ended up with credited balances that no real deposit stood behind.
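To make the mismatch concrete, the following is a small Python model added for this article; it is not Aztec Connect's code and does not reproduce the RollupProcessorV3 contract. The names (Tx, proof_side_state, settlement_side_escrow, unbacked_credits, check_batch_consistent), the batch layout and the sample batches are all assumptions made for the illustration. Only the shape follows BlockSec's description: one path decodes every slot into the tree, the other settles only the first numRealTxs slots. The final function is the invariant a reviewer would want enforced: every slot beyond the declared count must be padding, so both paths see the same transaction set.

```python
"""Toy model of a rollup batch read by two code paths that disagree.

Added illustration, not Aztec Connect's code. Names, batch layout and
sample data are assumptions; only the proof-path vs settlement-path
mismatch follows the incident write-up.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Tx:
    kind: str     # "deposit", "withdraw" or "empty" (padding slot)
    asset: str
    amount: int
    owner: str


EMPTY = Tx("empty", "", 0, "")   # the padding value unused slots must hold


def leaf_hash(tx: Tx) -> bytes:
    return hashlib.sha256(f"{tx.kind}|{tx.asset}|{tx.amount}|{tx.owner}".encode()).digest()


def merkle_root(leaves) -> bytes:
    """Plain binary Merkle root (last node duplicated on odd levels)."""
    nodes = list(leaves)
    if not nodes:
        return hashlib.sha256(b"").digest()
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        nodes = [hashlib.sha256(nodes[i] + nodes[i + 1]).digest()
                 for i in range(0, len(nodes), 2)]
    return nodes[0]


def proof_side_state(batch):
    """Proof/tree view: every slot is decoded and inserted, so every deposit
    in the batch becomes a withdrawable credit in the rollup state.
    Returns (merkle_root, credits_per_asset)."""
    credits = defaultdict(int)
    for tx in batch:
        if tx.kind == "deposit":
            credits[tx.asset] += tx.amount
        elif tx.kind == "withdraw":
            credits[tx.asset] -= tx.amount
    return merkle_root(leaf_hash(tx) for tx in batch), dict(credits)


def settlement_side_escrow(batch, num_real_txs):
    """Layer 1 settlement view: only the first num_real_txs slots actually
    move funds into or out of the contract's escrow."""
    escrow = defaultdict(int)
    for tx in batch[:num_real_txs]:
        if tx.kind == "deposit":
            escrow[tx.asset] += tx.amount
        elif tx.kind == "withdraw":
            escrow[tx.asset] -= tx.amount
    return dict(escrow)


def unbacked_credits(batch, num_real_txs):
    """Per-asset gap between what the tree credited and what L1 collected.
    A positive entry is a withdrawable balance with no deposit behind it."""
    _, credits = proof_side_state(batch)
    escrow = settlement_side_escrow(batch, num_real_txs)
    gaps = {}
    for asset in set(credits) | set(escrow):
        diff = credits.get(asset, 0) - escrow.get(asset, 0)
        if diff:
            gaps[asset] = diff
    return gaps


def check_batch_consistent(batch, num_real_txs) -> bool:
    """Defensive invariant: both paths must see the same transaction set,
    so every slot past num_real_txs must be padding and the count must
    not exceed the batch size."""
    if not 0 <= num_real_txs <= len(batch):
        return False
    return all(tx == EMPTY for tx in batch[num_real_txs:])


# Constructed sample batches (not real chain data).
ALICE_DEPOSIT = Tx("deposit", "ETH", 5, "alice")
NUM_REAL_TXS = 1
WELL_FORMED_BATCH = [ALICE_DEPOSIT, EMPTY, EMPTY, EMPTY]
# Same declared count, but a deposit sits in slot 2, past the count.
MALFORMED_BATCH = [ALICE_DEPOSIT, EMPTY, Tx("deposit", "DAI", 1000, "bob"), EMPTY]

if __name__ == "__main__":
    for name, batch in (("well-formed", WELL_FORMED_BATCH), ("malformed", MALFORMED_BATCH)):
        print(name, "consistent:", check_batch_consistent(batch, NUM_REAL_TXS),
              "unbacked:", unbacked_credits(batch, NUM_REAL_TXS))
```

Running the model on the malformed batch shows the tree crediting 1000 DAI that the escrow never received, while the consistency check rejects that batch before either path runs; with the count raised to cover slot 2 the two views agree again and the gap disappears. The check is cheap because it inspects only the slots beyond numRealTxs, and that is exactly the region the two paths treated differently.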
The vulnerability enabled the hacker to create seven artificial balances across multiple crypto assets and withdraw them through the protocol’s normal redemption process. Security firm Defimon Alerts estimated the losses at approximately $2.19 million, including about 909 Ether, 167.9 wrapped staked Ether, 270,500 DAI, 9,270 LUSD, and several yield-bearing tokens.
Researchers said the funds were moved through a newly created wallet and a supporting smart contract that appeared shortly before the attack. The setup suggests the exploit was carefully prepared rather than carried out opportunistically, underscoring the sophistication of the operation.
The incident has also raised questions about the protocol’s security oversight. Although Aztec Connect entered sunset mode several years ago, developers upgraded its RollupProcessorV3 contract in April 2024. BlockSec noted that the upgrade was reportedly not subjected to an external security audit before deployment, potentially allowing the vulnerability to go unnoticed until the attack occurred.
Aztec responds as security questions grow
Aztec Labs said it is investigating the incident but noted that Aztec Connect was deprecated more than three years ago and operates as an immutable protocol, meaning the company has no administrative control over the system. The Aztec Foundation separately emphasized that the exploit is unrelated to the current Aztec network and its AZTEC token.
The team also warned users to remain cautious of impersonation scams and fraudulent support accounts that often emerge following high-profile security breaches.
The breach comes as privacy-focused crypto projects face scrutiny from investors and security researchers. Zero-knowledge technology, which is designed to improve blockchain privacy and efficiency, has gained significant attention in recent years. However, experts have warned that the added complexity of these systems can create security risks that are difficult to detect and fix.
Industry figures said the Aztec Connect exploit serves as a reminder that transparency remains critical when security incidents occur. Glyde co-founder Jeremy noted that projects do not always disclose vulnerabilities so openly, while researcher K Erica pointed to the dangers posed by dormant contracts that still control valuable assets.
