A legacy smart contract tied to the now-defunct Aztec Connect protocol lost 909 ETH — roughly $2.1 million — in an exploit on June 14. The contract, known as RollupProcessorV3, was part of infrastructure that Aztec Labs shut down in March 2023 and labeled as deprecated. Because the code was immutable, the team had no way to intervene or recover the stolen funds.
A legacy contract and a $2.1 million hole
The drained contract belonged to Aztec Connect, a privacy-focused layer-2 system that Aztec Labs stopped supporting over a year ago. Despite the shutdown, users apparently left assets sitting on the contract. The exploit didn't touch Aztec's current network or any active products — it targeted abandoned infrastructure that was supposed to be inert. The attacker walked away with 909 ETH, valued at about $2.1 million at current prices.
Why the contract couldn't be saved
RollupProcessorV3 was written as an immutable contract, meaning no one — not even its creators — held admin keys to pause it or reverse transactions. Once deployed, the code was locked. That design choice, common in many DeFi projects to guarantee trustlessness, turned into a liability after the product was retired. Aztec Labs confirmed they had no way to block the attack or recover the money after it moved.
A bug in the zero-knowledge proof
The exploit itself stemmed from a flaw in the contract's ZK proof-verification logic. According to details shared by the team, the verification process failed to properly bind a verified proof to the specific transaction it was supposed to authorize. That gap let the attacker craft a proof that passed checks but allowed unauthorized withdrawals. The bug had apparently been dormant since the contract was written — it only became dangerous because the contract was still live and holding funds.
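The class of flaw described above, shown as an added illustration that is not the RollupProcessorV3 code or anything published by Aztec Labs: a check that accepts any valid proof, beside one that also requires the proof to match the transaction being authorized. The HMAC "verifier", the `Withdrawal` and `Proof` shapes, and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy stand-in for the ZK verifier (assumption): an HMAC over the public-input
# digest. Only the binding logic around the verifier is the point here.
_DEMO_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Withdrawal:          # hypothetical transaction shape
    recipient: str
    amount_wei: int
    nonce: int

@dataclass(frozen=True)
class Proof:               # hypothetical proof shape
    public_input_digest: bytes   # the statement the proof attests to
    tag: bytes                   # toy proof bytes

def tx_digest(tx: Withdrawal) -> bytes:
    """Digest over every field the proof is supposed to authorize."""
    fields = f"{tx.recipient.lower()}|{tx.amount_wei}|{tx.nonce}"
    return hashlib.sha256(fields.encode()).digest()

def make_proof(tx: Withdrawal) -> Proof:
    digest = tx_digest(tx)
    return Proof(digest, hmac.new(_DEMO_KEY, digest, hashlib.sha256).digest())

def proof_is_valid(proof: Proof) -> bool:
    expected = hmac.new(_DEMO_KEY, proof.public_input_digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof.tag)

def authorize_unbound(tx: Withdrawal, proof: Proof) -> bool:
    """Weak form: accepts any valid proof, whatever transaction it was made for."""
    return proof_is_valid(proof)

def authorize_bound(tx: Withdrawal, proof: Proof, spent: set) -> bool:
    """Hardened form: valid proof, for exactly this transaction, used once."""
    digest = tx_digest(tx)
    if not proof_is_valid(proof):
        return False
    if not hmac.compare_digest(digest, proof.public_input_digest):
        return False             # proof attests to a different transaction
    if digest in spent:
        return False             # same authorization presented twice
    spent.add(digest)
    return True

# Constructed sample data.
PROVEN = Withdrawal("0x" + "11" * 20, 10**18, 1)
OTHER = Withdrawal("0x" + "22" * 20, 909 * 10**18, 1)
```

In a real verifier the equivalent control is recomputing the public inputs from the transaction's own fields inside the contract, so a proof cannot be accepted for data it does not cover.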
Lessons for defunct protocols
This incident is a reminder that deprecated smart contracts don't disappear. They sit on the blockchain, still running the code they were given, and any funds left inside remain vulnerable. Aztec Labs recommends users periodically audit their wallet addresses for assets stuck in abandoned protocols. They also say builders should design better sunset procedures — like automated withdrawal windows or pause mechanisms for retired contracts — so that end-of-life doesn't mean end-of-safety.
For now, the 909 ETH is gone, and the immutable contract that held it is still live, still vulnerable. The question hanging over the industry is how many more discontinued contracts are quietly holding user funds, waiting for the next bug to be found.




