According to Aztec Labs and blockchain security firm BlockSec, the attacker exploited a flaw in the platform's transaction verification process, which allowed them to create and withdraw unbacked balances. The attacker stole 909 ETH, 270,000 DAI, 167 wrapped staked ETH, and several other assets across seven transactions.
Aztec Connect Exploited
On Sunday, a deprecated decentralized finance (DeFi) platform known as Aztec Connect suffered a crypto exploit that resulted in the theft of approximately $2.1 million worth of digital assets.
Aztec Labs confirmed that it was investigating the incident after discovering that funds were drained from Aztec Connect's smart contract. The company explained that the exploit only impacted the older Aztec Connect platform and did not affect users, funds, or assets on the current Aztec Network. According to the team, roughly $2.1 million was transferred out of the contract during the attack.
Blockchain security researchers quickly began analyzing the exploit. Security firm BlockSec reported that the attacker took advantage of a flaw involving the platform's transaction verification process. Specifically, there was a mismatch between how transactions were verified through zero-knowledge proofs and how they were ultimately interpreted and settled on Ethereum.
Because verified transactions were not properly tied to the transaction set enforced by the zero-knowledge proof system, the attacker was able to manipulate the verification path. This allowed the smart contract to recognize and credit value that had not actually been validated on Ethereum. As a result, the attacker created unbacked balances that could later be withdrawn as legitimate assets.
The exploit was repeated seven times for multiple digital assets. According to security researchers, the attacker stole 909 Ethereum (ETH), 270,000 Dai (DAI), 167 wrapped staked Ether, and several other cryptocurrencies. The combined value of these assets totaled approximately $2.1 million.
The incident is now part of the concerning trend of crypto-related security breaches. Data from DeFiLlama shows that more than $44 million has been stolen through at least a dozen separate exploits so far this month. The largest incident involved Humanity Protocol, which reportedly lost around $30 million after a private key compromise. Another major attack targeted the Syscoin Bridge, where attackers allegedly exploited a fake proof mechanism to steal approximately $8 million.
Aztec Connect originally launched in 2022 as a privacy-focused DeFi bridge built on Aztec's zero-knowledge rollup technology. However, the platform was deprecated in March of 2023 after the development team shifted its focus toward the next-generation Aztec Network. Deposits were halted and support for the older platform was effectively discontinued.
Aztec Labs made it clear that it no longer has administrative control over the Aztec Connect contracts. Because the smart contracts were designed to be fully immutable, the team cannot pause, upgrade, or modify them in response to security incidents.
