June 18, 2026 ChainGPT

Old Aztec ZK Rollups Drain $4M in Two Hacks — Immutable Legacy Contracts Exposed

Old Aztec Contracts Lose Over $4M in Two ZK-Proof Exploits — Shows Risks of Unmaintained, Immutable DeFi

Aztec’s legacy infrastructure was hit by a coordinated wave of attacks that siphoned more than $4 million in on-chain liquidity across just three days, exploiting deprecated, immutable contracts that had been shut down years earlier but left accessible on Ethereum.

What happened

- June 14: Aztec Connect, a privacy-focused bridge that had been retired and marked inactive, was drained for roughly $2.1 million. The attacker extracted about 909 ETH, 270,000 DAI, 167 wstETH and smaller holdings. The breach was traced to flaws in rollup proof verification: the contract accepted invalid or manipulated zero-knowledge proofs, enabling unauthorized withdrawals.
- June 17: A second exploit struck the Private Rollup Bridge, another deprecated piece of Aztec’s older rollup stack, removing around 1,158 ETH (about $2.15 million). This attack used a vulnerable “escape hatch” exit mechanism: by submitting a specially crafted ZK proof, the attacker triggered exit logic that the contract incorrectly validated and paid out.

Technical root cause

Neither incident resulted from private key theft or a classic reentrancy bug. Instead, security reviews point to weaknesses in how zero-knowledge proof validation was integrated with on-chain settlement and exit logic in these legacy rollups. In plain terms, the proofs the contracts accepted on-chain were not correctly tied to the underlying state transitions, so an attacker could fabricate or manipulate a proof and still be paid out.

Why these systems were vulnerable

Crucially, the exploited contracts had been designed as immutable at deployment: they could not be paused, upgraded, or patched after retirement. Although users had been urged to withdraw funds before shutdown, residual balances remained on-chain and became attractive targets years later.
The events underscore a broader problem: deprecated DeFi systems that remain permanently active on Ethereum without maintenance or a defined upgrade path can become long-term liabilities.

Responses and confirmations

Aztec Labs and the Aztec Foundation emphasized that both contracts were deprecated products with no connection to the current Aztec network or the AZTEC ERC-20 token. The Foundation confirmed it was made aware of an exploit on June 17 and reiterated that the affected products had been retired years earlier. Security firm CertiK also flagged the Private Rollup Bridge exploit, identifying the attacker’s address and tracing the movement of funds to a specific Ethereum transaction; its analysis aligned with others that pointed to ZK-proof verification failures rather than conventional smart-contract flaws.

Takeaway

The twin breaches are a stark reminder that immutability and decentralization cut both ways: they guarantee code integrity, but they also make it impossible to remediate retired systems that still hold funds. As DeFi projects evolve, teams and communities will need clearer deprecation procedures, stronger post-retirement safeguards, and migration plans to prevent legacy contracts from becoming future attack vectors.
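To make the two failure classes in this story concrete (a proof verifier that is not tied to the contract’s own settled state, and a retired contract with no off switch), here is an added illustration in Solidity. It is not Aztec’s code and does not reproduce the actual bug, which the reports above do not detail. It contrasts a legacy-style bridge whose verifier is handed caller-chosen public inputs and can never be switched off with one that rebuilds the public inputs from its own stored state root, records nullifiers so an exit cannot be replayed, and refuses proof-based exits after a sunset timestamp. The IProofVerifier interface, the public-input layout, the contract names and the guardian sweep are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed verifier interface for this example (Groth16/PLONK-style):
/// `verify` returns true if `proof` is valid for exactly `publicInputs`.
interface IProofVerifier {
    function verify(bytes calldata proof, bytes32[] calldata publicInputs)
        external view returns (bool);
}

/// WEAK PATTERN, for contrast only. The caller chooses the public inputs
/// [root, nullifier, amount, recipient]. The proof may be perfectly valid
/// for some root that this contract never settled, nothing records the
/// nullifier, and nothing can ever disable this function.
contract LegacyBridge {
    IProofVerifier public immutable verifier;

    constructor(IProofVerifier v) { verifier = v; }
    receive() external payable {}

    function exit(bytes calldata proof, bytes32[] calldata publicInputs) external {
        require(verifier.verify(proof, publicInputs), "bad proof");
        address payable to = payable(address(uint160(uint256(publicInputs[3]))));
        (bool ok, ) = to.call{value: uint256(publicInputs[2])}("");
        require(ok, "transfer failed");
    }
}

/// Hardened pattern: public inputs are derived on-chain, exits are
/// nullified, and the proof path closes at a fixed sunset.
contract SunsetRollupBridge {
    IProofVerifier public immutable verifier;
    uint64 public immutable sunsetAt;   // after this, proof-based exits are refused
    address public immutable guardian;  // may only act once the bridge is retired
    bytes32 public stateRoot;           // current settled rollup state commitment
    mapping(bytes32 => bool) public nullifiers; // exits already paid out

    event Advanced(bytes32 indexed oldRoot, bytes32 indexed newRoot);
    event Exit(address indexed to, uint256 amount, bytes32 nullifier);

    constructor(IProofVerifier v, bytes32 genesisRoot, uint64 sunsetAt_, address guardian_) {
        verifier = v;
        stateRoot = genesisRoot;
        sunsetAt = sunsetAt_;
        guardian = guardian_;
    }

    receive() external payable {}

    /// State transition: the proof must commit to (old root, new root) where
    /// the old root is the one THIS contract currently holds.
    function advance(bytes calldata proof, bytes32 newRoot) external {
        require(block.timestamp < sunsetAt, "bridge retired");
        bytes32[] memory pub = new bytes32[](2);
        pub[0] = stateRoot;
        pub[1] = newRoot;
        require(verifier.verify(proof, pub), "bad proof");
        emit Advanced(stateRoot, newRoot);
        stateRoot = newRoot;
    }

    /// Escape-hatch exit: the public inputs are rebuilt from on-chain state
    /// and the exact payout parameters, so a proof is only valid for this
    /// root, this nullifier, this amount and this recipient.
    function exit(bytes calldata proof, bytes32 nullifier, uint256 amount, address payable to) external {
        require(block.timestamp < sunsetAt, "bridge retired");
        require(!nullifiers[nullifier], "already exited");
        bytes32[] memory pub = new bytes32[](4);
        pub[0] = stateRoot;
        pub[1] = nullifier;
        pub[2] = bytes32(amount);
        pub[3] = bytes32(uint256(uint160(to)));
        require(verifier.verify(proof, pub), "bad proof");
        nullifiers[nullifier] = true;   // effects before the external call
        emit Exit(to, amount, nullifier);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Post-retirement safeguard (an assumption of this example, not a
    /// description of any real deployment): once the sunset has passed and
    /// the proof path is closed, a guardian can move residual balances into
    /// a successor contract instead of leaving them reachable forever.
    function sweepAfterSunset(address payable successor) external {
        require(msg.sender == guardian, "not guardian");
        require(block.timestamp >= sunsetAt, "not retired yet");
        (bool ok, ) = successor.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }
}
```

The key design choice is that `SunsetRollupBridge` never lets the caller choose what the verifier checks a proof against: the root comes from storage, the nullifier is consumed before funds move, and the sunset turns a deprecated bridge into a closed one rather than an unattended one. Whether residual funds should be sweepable by a guardian, returned by a fixed rule, or frozen permanently is a governance decision each project has to make before deployment, because an immutable contract cannot make it afterwards.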