Aztec Hit by Second $2.1M Exploit in a Week as SlowMist Flags Ongoing Risk

Aztec has been exploited for a second time in under seven days, losing another $2.1 million. The latest incident, confirmed by blockchain security firm SlowMist, follows a near-identical breach earlier in the week. The back-to-back attacks have pushed total losses to more than $4 million and raised fresh questions about the safety of abandoned smart contracts.

Two hits in one week

SlowMist reported the second exploit on Tuesday, noting that the attack vector mirrored the first. Both incidents drained roughly $2.1 million worth of crypto from Aztec's protocol. The project had previously rolled out a fix after the initial breach, but the second exploit suggests the patch was incomplete or that additional vulnerable code remained live.

Aztec has not issued a statement since the second attack. The team's silence is worrying users who are now checking whether their funds are still at risk.

Deprecated contracts, persistent danger

Security researchers following the case point to a broader pattern: smart contracts that projects stop maintaining can stay vulnerable for years. Many teams move on to new versions or shut down without fully disabling old code, leaving it live on-chain and exploitable by anyone who finds a flaw in it.

“Once a contract is deprecated but still live on-chain, it's a ticking bomb,” one researcher told the publication. “The only safe way is to freeze or destroy it entirely.” Aztec's situation fits that description: the exploited contracts were part of an earlier version of the protocol that the team had stopped actively managing but never fully killed.

What Aztec can do now

The immediate path forward is clear: audit every contract still holding user funds, freeze or migrate those that are no longer maintained, and communicate a timeline to users. So far, the project has done none of those things publicly.

SlowMist has recommended that Aztec engage a third-party security firm to review all live contracts before any further transactions are processed. The same advice applies broadly across DeFi — projects that leave old code lying around are inviting the next exploit.

The unresolved question is whether Aztec will act before a third hit. Users are waiting for a concrete plan, not another promise.