Headline: Legacy Aztec contracts drained of more than $4M in back-to-back ZK-proof exploits
Aztec’s old infrastructure was hit by a coordinated wave of attacks this month that emptied more than $4 million from deprecated smart contracts — despite those contracts being long retired and labeled “inactive.” The incidents, which took place over a three-day span, exploited weaknesses in zero-knowledge (ZK) proof verification logic in legacy rollup designs, not private-key theft or classic reentrancy bugs.
What happened
- June 14: Attackers drained roughly $2.1 million from Aztec Connect, a privacy-focused bridge that had been officially shut down after its retirement phase but still held residual on-chain liquidity. The haul included about 909 ETH, 270,000 DAI and 167 wstETH, plus smaller holdings.
- June 17 (reported June 18): A second exploit hit the Private Rollup Bridge, extracting roughly 1,158 ETH (about $2.15 million). This attack used a different execution but the same technical root cause: improper validation of ZK proofs that allowed unauthorized exits.
Technical root cause
Security reviewers say both breaches were rooted in how legacy rollup contracts validated zero-knowledge proofs relative to on-chain settlement state. In the Aztec Connect case attackers were able to submit proofs that the contract accepted despite not matching the true transaction state, triggering unauthorized withdrawals. The Private Rollup Bridge exploit abused an “escape hatch” exit mechanism by submitting a crafted ZK proof that incorrectly passed validation and released funds.
Notably, neither exploit involved compromised private keys or reentrancy — the failures were in proof-validation logic and its interaction with exit/settlement flows. Both contracts were deliberately immutable at deployment (unable to be paused or upgraded), and although users had previously been advised to withdraw funds before shutdown, leftover liquidity remained on-chain and vulnerable.
Aztec and security response
Aztec Labs and the Aztec Foundation confirmed the affected contracts were deprecated products with no connection to the current Aztec network or AZTEC ERC‑20 token. The Foundation posted on X that it was made aware of a deprecated product exploit and reiterated there are no links to current-network contracts.
Security firm CertiK flagged the Private Rollup Bridge incident, identifying the attacker address and tracing fund movements to a specific Ethereum transaction. Their analysis aligned with other reviewers in attributing the issues to ZK proof verification weaknesses rather than conventional smart-contract bugs.
Broader takeaway
These incidents underline a persistent risk across Ethereum and DeFi: permanently active, unmaintained contracts can become lucrative attack targets years after they’re sunset. Immutable contracts remove the ability to patch or pause, so even deprecated systems with residual liquidity require careful decommissioning plans — or stronger on-chain kill switches and safer escape mechanisms — to prevent similar drains in the future.
Read more AI-generated news on: undefined/news
