An attacker stole roughly $2.1 million from a deprecated Aztec Connect smart contract Sunday morning, three years after the privacy bridge was shut down. The exploit hit the RollupProcessorV3 contract at about 8:26 a.m. ET, draining funds by abusing a flaw in how the contract verified zero-knowledge proofs.
The Deprecated Contract
Aztec Connect was a privacy-focused bridge that let users move funds between Ethereum and Aztec's confidential layer. The project shut down in early 2022, and the contract in question had been marked as obsolete. Despite being inactive, it still held funds. The attacker targeted that old code, not any active Aztec product.
How the Exploit Worked
The vulnerability lay in the contract's validation of zero-knowledge proofs — cryptographic proofs that allow one party to prove something without revealing the underlying data. The attacker found a way to submit a proof that the flawed contract accepted even though it wasn't valid. That allowed the attacker to drain the $2.1 million.
Blockchain security firms flagged the incident shortly after it happened. The stolen assets include ETH and other tokens that had been sitting idle in the retired contract. Aztec Labs, the development team behind the protocol, has not yet commented publicly on the exploit or any recovery plans.
The attack comes as a reminder that old smart contracts can remain vulnerable long after they're decommissioned if funds aren't withdrawn.
What Happens Next
It's unclear whether the stolen funds can be traced or frozen. The attacker moved the money shortly after the exploit, and investigators are likely analyzing the transaction trail. Aztec Labs may need to coordinate with exchanges or law enforcement to try to recover the assets. For now, the RollupProcessorV3 contract remains empty — and the attacker walks away with $2.1 million.




