Aztec Network loses $4.25M in two hacks on deprecated contracts

Aztec Network lost more than $4 million across two separate exploits within three days, with attackers draining deprecated smart contracts that had been shut down years earlier but still held on-chain liquidity. The first hack hit Aztec Connect on June 14, taking $2.1 million in a mix of 909 ETH, 270,000 DAI, and 167 wstETH. Three days later, the Private Rollup Bridge was exploited for another $2.15 million, or 1,158 ETH.

Two separate but similar attacks

Both incidents targeted old contracts that were supposed to be inactive. The Aztec Connect contract was immutable — once deployed, it couldn’t be paused, patched, or upgraded. The Private Rollup Bridge had a vulnerable 'escape hatch' mechanism that allowed attackers to manipulate zero-knowledge proofs and trigger exit logic they shouldn’t have been able to use. Security firm CertiK Alert flagged the second exploit and identified the attacker’s wallet address.

The core Aztec network and the AZTEC token weren’t touched. The Aztec Foundation confirmed there’s no link between the deprecated products and the current network or token. The attacks didn’t involve stolen private keys or reentrancy bugs — they relied on flaws in the zero-knowledge proof verification logic, which accepted invalid or manipulated proofs.

Why funds were still sitting in old contracts

Users had been encouraged to pull their money out before Aztec Connect was shut down. But some liquidity still sat in the old smart contracts, likely forgotten or left behind. Because the contracts were immutable, there was no way to freeze them once the exploit started. The two attacks happened in quick succession and shared similar technical weaknesses, though investigators treat them as separate events.

The total loss — $4.25 million — is relatively small by crypto hack standards, but the fact that both attacks exploited contracts that were years old raises questions about how long leftover liquidity can stay exposed.

Aztec Network hasn’t announced any plans to reimburse affected users or said whether it will pursue legal action. CertiK’s alert lists the attacker’s address, which could help track the funds, but no recovery efforts have been made public.