A blockchain security firm has traced a $2.19 million exploit to a deprecated legacy contract once used by Aztec Connect. SlowMist, which analyzed the incident, said the active Aztec network was never compromised. The attack instead hit an old, immutable contract that remained on-chain after the product was sunset.
The target: a retired contract
Aztec Connect built privacy tools on Ethereum, but some of its early infrastructure was later retired. Those old contracts were designed to be immutable — no one can patch or remove them. SlowMist found that the attacker specifically targeted one of those unchangeable contracts, not anything currently running in the Aztec ecosystem.
The exploit netted $2.19 million. Because the contract can't be altered, the code that made the attack possible will remain live on-chain indefinitely.
Why immutable code is a trap
Immutable smart contracts were once sold as a feature — trustless and permanent. But that permanence becomes a liability when a project moves on. The contract still exists, still holds some value or logic, and still responds to calls. SlowMist's report warns that abandoned infrastructure is a growing attack surface across DeFi.
Users who interact with old contracts risk losing funds even if the protocol behind them is long gone. The attack on Aztec Connect's legacy system shows that any leftover code can become bait.
What users and developers need to do
SlowMist urged users to treat old contracts with caution. Before interacting with any legacy system, verify whether the protocol still supports it. A contract that looks dead might still be exploitable.
For developers, the firm recommends building sunset plans into protocol design from the start. That means adding clear warnings inside the interface, setting withdrawal windows so users can pull funds out before a contract is retired, and keeping monitoring active even after a product is shut down. Emergency procedures should also be in place to freeze or redirect assets if something goes wrong.
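One way to build that sunset plan into the contract itself, as an added illustration rather than Aztec Connect's or SlowMist's code: retirement is announced on-chain so interfaces and monitors can read it, deposits stop, a withdrawal window opens, and an emergency freeze plus a post-window sweep cover the "freeze or redirect assets" procedure. The contract name, the 90-day window and the event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sunset-capable vault (added illustration, not Aztec's code): deposits stop at
// retirement, users get a withdrawal window, the owner can freeze value movement, and leftovers
// are redirected after the window closes so no value stays parked in an abandoned contract.
contract SunsetVault {
    uint256 public constant WITHDRAW_WINDOW = 90 days;
    address public immutable owner = msg.sender;
    uint256 public retiredAt;              // 0 while the vault is active
    bool public frozen;
    mapping(address => uint256) public balances;
    // Events let off-chain monitors keep watching after the product is shut down.
    event Retired(uint256 at, uint256 windowEnds);
    event FrozenSet(bool frozen);
    event Swept(address indexed to, uint256 amount);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier notFrozen() { require(!frozen, "frozen"); _; }

    function deposit() external payable notFrozen {
        require(retiredAt == 0, "retired: deposits closed");
        balances[msg.sender] += msg.value;
    }

    // Announce retirement on-chain (front ends read retiredAt to warn users) and start the window.
    function retire() external onlyOwner {
        require(retiredAt == 0, "already retired");
        retiredAt = block.timestamp;
        emit Retired(retiredAt, retiredAt + WITHDRAW_WINDOW);
    }

    // Users may pull their own funds any time before retirement or during the window.
    function withdraw() external notFrozen {
        require(retiredAt == 0 || block.timestamp <= retiredAt + WITHDRAW_WINDOW, "window closed");
        uint256 amt = balances[msg.sender];
        require(amt > 0, "nothing to withdraw");
        balances[msg.sender] = 0;          // update state before the external call
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }

    // Emergency procedure: freeze all value movement until the owner lifts it.
    function setFrozen(bool f) external onlyOwner { frozen = f; emit FrozenSet(f); }
    // After the window, redirect whatever is left (e.g. to a recovery multisig).
    function sweep(address payable to) external onlyOwner {
        require(retiredAt != 0 && block.timestamp > retiredAt + WITHDRAW_WINDOW, "window open");
        uint256 amt = address(this).balance;
        emit Swept(to, amt);
        (bool ok, ) = to.call{value: amt}("");
        require(ok, "transfer failed");
    }
}
```

A front end can read `retiredAt` and refuse new deposits with a visible warning, while an off-chain watcher subscribes to `Retired`, `FrozenSet` and `Swept` to keep monitoring after the product is shut down.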
Aztec Connect has not publicly commented on the exploit. The affected contract remains live, and the $2.19 million hasn't been recovered.