
Deprecated Aztec Connect Contract Drained for $2.19 Million in ‘Zombie’ Attack

A deprecated smart contract tied to Aztec Connect—the RollupProcessorV3—has been exploited for roughly $2.19 million. The attacker walked away with ETH, DAI, and wstETH, according to a post-mortem released by blockchain security firm SlowMist. The vulnerability was a boundary gap between transaction counts and decoded slots in the contract’s decoder, and because the contract was already deprecated and immutable, no one could pause or patch it.

How the exploit worked

The bug sat in the decoder logic. SlowMist's analysis found a boundary gap between the number of transactions the decoder counted and the number of slots it actually decoded, so a crafted input could be counted one way and interpreted another. That gap let the attacker supply data that slipped past the contract's checks and drain funds that should have been protected. The post-mortem is the only public source for the mechanism; the exact decoder code path is not reproduced here. The contract, RollupProcessorV3, was part of Aztec Connect, a privacy layer for Ethereum, but it had been marked as deprecated long before the incident.
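To make the bug class concrete, the following is an added, constructed model of a count/slot boundary gap in a rollup decoder, written in Python for this page. It is not code from Aztec Connect, RollupProcessorV3, or SlowMist's report, and the slot layout, the header fields (num_txs, rollup_size), the authorisation check and the sample blobs are all invented for illustration. The vulnerable version validates only the declared transaction count but executes every slot it can decode from the body; the hardened version makes the declared count the single source of truth and rejects any body whose length does not match it.

```python
"""
Constructed model of a transaction-count vs decoded-slot boundary gap.
Illustrative only: the layout and checks are assumptions, not the real
RollupProcessorV3 decoder.
"""
import struct

SLOT_SIZE = 12          # assumed slot layout: 4-byte kind + 8-byte amount
KIND_DEPOSIT = 1
KIND_WITHDRAW = 2


def decode_slot(body, i):
    """Decode slot i of the body into (kind, amount)."""
    return struct.unpack_from(">IQ", body, i * SLOT_SIZE)


def validate_tx(tx, authorised):
    """Assumed check: a withdrawal is valid only if its amount was authorised."""
    kind, amount = tx
    if kind == KIND_WITHDRAW and amount not in authorised:
        raise ValueError(f"unauthorised withdrawal of {amount}")


def process_vulnerable(blob, pool, authorised):
    """Validation is bounded by the declared count; execution by decoded slots."""
    num_txs, rollup_size = struct.unpack_from(">II", blob, 0)
    body = blob[8:]
    if num_txs > rollup_size:
        raise ValueError("declared count exceeds rollup size")
    # Checks run over the first num_txs slots only ...
    for i in range(num_txs):
        validate_tx(decode_slot(body, i), authorised)
    # ... but the state update walks every slot present in the body.
    decoded_slots = len(body) // SLOT_SIZE
    for i in range(decoded_slots):
        kind, amount = decode_slot(body, i)
        pool += amount if kind == KIND_DEPOSIT else -amount
    return pool


def process_fixed(blob, pool, authorised):
    """One authoritative count: body length must equal num_txs * SLOT_SIZE."""
    num_txs, rollup_size = struct.unpack_from(">II", blob, 0)
    body = blob[8:]
    if num_txs > rollup_size:
        raise ValueError("declared count exceeds rollup size")
    if len(body) != num_txs * SLOT_SIZE:
        raise ValueError("slot count does not match declared transaction count")
    txs = [decode_slot(body, i) for i in range(num_txs)]
    for tx in txs:
        validate_tx(tx, authorised)
    for kind, amount in txs:
        pool += amount if kind == KIND_DEPOSIT else -amount
    return pool


def build_blob(num_txs, rollup_size, slots):
    """Build a constructed rollup blob: header followed by fixed-size slots."""
    blob = struct.pack(">II", num_txs, rollup_size)
    for kind, amount in slots:
        blob += struct.pack(">IQ", kind, amount)
    return blob


# Constructed inputs. Only a 100-unit withdrawal has been authorised.
AUTHORISED = {100}
HONEST = build_blob(2, 4, [(KIND_DEPOSIT, 100), (KIND_WITHDRAW, 100)])
# Attacker declares one tx (the one that gets validated) but appends an
# extra withdrawal slot that the vulnerable decoder executes unchecked.
MALICIOUS = build_blob(1, 4, [(KIND_DEPOSIT, 100), (KIND_WITHDRAW, 1_000)])


def demo(start_pool=1_000):
    """Run both decoders over both blobs and return the resulting pool balances."""
    results = {
        "honest_vuln": process_vulnerable(HONEST, start_pool, AUTHORISED),
        "honest_fixed": process_fixed(HONEST, start_pool, AUTHORISED),
        "malicious_vuln": process_vulnerable(MALICIOUS, start_pool, AUTHORISED),
    }
    try:
        process_fixed(MALICIOUS, start_pool, AUTHORISED)
        results["malicious_fixed"] = "accepted"
    except ValueError as exc:
        results["malicious_fixed"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block shows the honest blob leaving the pool untouched under both decoders, while the malicious blob drains 900 units through the vulnerable one and is rejected outright by the fixed one. The design point is that any decoder with two independent notions of "how many items are here" (a header count and a length-derived count) needs an explicit equality check between them before either is trusted.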

Why the contract couldn’t be stopped

Deprecated or not, the contract stayed on-chain. And it held real assets. Because it was immutable—no upgrade key, no pause function—once the exploit started, there was no kill switch. SlowMist noted that the attack didn’t target any active Aztec Connect system; it hit a leftover piece of infrastructure that still had value. That’s what makes this a “zombie” contract: dead to developers, alive to attackers.

Zombie contracts and the broader risk

This isn’t the first time an abandoned or deprecated contract has been picked clean. Such code remains accessible and often holds tokens that users haven’t withdrawn. The exploit amount here is relatively small by DeFi standards—but the structure matters. It’s a reminder that every contract ever deployed, even one replaced years ago, can become a target if it retains funds. SlowMist didn’t name a specific attacker or group, and investigators are still working.

On-chain fallout

The stolen assets moved through several addresses after the exploit. SlowMist’s report traced the funds but didn’t indicate any recovery process. For users who still had money in the deprecated contract, the takeaway is blunt: withdraw from any old, immutable contract as soon as it’s replaced. Leaving tokens behind is inviting this kind of risk. As of now, no further official response from the Aztec team has been published, and the contract code remains live.