Aztec Suffers Second $2.15M Exploit in Less Than a Week

Aztec suffered its second exploit in less than a week after attackers stole approximately $2.15 million from a deprecated private rollup bridge.

The exploit involved the theft of 1,158 ETH, 150,000 DAI, and 0.46 renBTC through a falsified rollup proof that allowed assets to be released from the protocol's reserves. Aztec Labs said the affected smart contract belonged to an immutable payment product that was deprecated in 2022 and cannot be paused or modified.

Aztec Hit by Second Multi-Million Dollar Exploit

Deprecated infrastructure from privacy-focused Ethereum layer-2 project Aztec has been exploited for a second time in less than a week. The latest attack occurred on Thursday and resulted in the theft of approximately $2.15 million worth of digital assets.

According to preliminary findings that were shared by SlowMist co-founder Cos, the attacker managed to drain 1,158 Ethereum (ETH), 150,000 Dai (DAI), and 0.46 renBTC by exploiting Aztec’s deprecated private rollup bridge. The attacker reportedly used a falsified rollup proof that tricked the protocol into releasing assets from its reserves to an address under the attacker’s control.

Aztec Labs confirmed the exploit and clarified that the affected smart contract belonged to an old payment product that was deprecated in 2022. The company explained that the contract is immutable, which means that it cannot be modified, paused, or controlled by the team. Aztec Labs also said that it no longer holds any administrative keys capable of intervening in the contract’s operation.

The incident follows another exploit that occurred just days earlier, when attackers stole approximately $2.1 million from Aztec Connect, a privacy-focused rollup product that was officially deprecated in March of 2023. At the time, Aztec halted deposits and shifted its development efforts toward its next-generation Aztec Network. Despite being discontinued, the smart contract still held legacy user funds, which created an opportunity for attackers to exploit vulnerabilities.

The back-to-back incidents have heightened concerns about the risks posed by outdated blockchain infrastructure. Security researchers warned that deprecated smart contracts often remain accessible on-chain indefinitely, even after development teams stop supporting them. Because these contracts can still hold valuable assets, they may become attractive targets for hackers searching for overlooked vulnerabilities.

The concerns extend beyond Aztec. Earlier this month, decentralized exchange Raydium also suffered a security incident involving legacy infrastructure. Risk analysis platform Blockful recently warned that old contracts effectively become open bounties for hackers once projects cease maintaining them.

SlowMist echoed these concerns in its post-mortem analysis, noting that legacy assets left inside deprecated contracts create long-term security exposure. The cybersecurity firm advised projects to implement structured asset migration plans when retiring products, so that funds are removed from outdated contracts and transferred to newer infrastructure.