A security breach targeting Aztec Connect smart contracts has drained digital assets valued at approximately 2.1 million dollars. According to on-chain security firm BlockSec, the attacker seized 909 ETH, 270,000 DAI, and 167 wstETH. The incident is notable because the vulnerability sits in a privacy bridge that had been out of service for about three years, and, according to Aztec Labs, no mechanism remains to intervene in the system.
How was the old bridge exploited?
Prior to being decommissioned in March 2023, Aztec Connect operated as a zk rollup bridge, enabling users to interact with decentralized finance platforms such as Aave and Lido. By March 2024, Aztec Labs had completely shut down its own sequencer infrastructure. Aztec is known for focusing on smart contracts that prioritize user privacy.
Mini glossary: A zk rollup is a scaling solution that executes many transactions off-chain and submits a compressed batch, together with a validity proof, to the main chain. Zero knowledge proofs are cryptographic methods that let a batch be verified as legitimate without disclosing the details of the transactions it contains.
Analysis by BlockSec's Phalcon platform indicates the flaw stemmed from a mismatch between the batch of transactions the proof validated and what the L1 contract then executed. Security firm CertiK noted that the issue was linked to incomplete verification of the proof data: in essence, a contract function checked only the initial part of the proof, leaving the token transfer instructions carried in a later segment unverified. This allowed the attacker to manipulate the withdrawal process and extract funds.
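The pattern described above, a contract that verifies a proof over one segment of its input and then acts on a second segment it never tied to that proof, is shown below as a schematic added example. This is not Aztec Connect's contract code: the keyed-hash stand-in for a zk proof, the two-segment calldata layout, the class and function names, and the vault contents (the article's figures, used here as constructed sample data) are all assumptions made for illustration. The hardened variant adds the one check the vulnerable one lacks, that the withdrawal segment hashes to a value committed in the proven public inputs.

```python
import hashlib
import json
from dataclasses import dataclass

# Schematic model (constructed for this article, not Aztec Connect's code):
# an L1 rollup contract receives calldata in two segments and must decide
# whether the withdrawal instructions in segment 2 were actually proven.


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode(obj) -> bytes:
    # Canonical encoding so identical instructions always hash identically.
    return json.dumps(obj, sort_keys=True).encode()


@dataclass
class Calldata:
    public_inputs: dict   # segment 1: values the proof is checked against
    withdrawals: list     # segment 2: [recipient, asset, amount] instructions


def mock_prove(public_inputs: dict, key: bytes) -> str:
    # Stand-in for a zk proof (assumption): a keyed hash over the public
    # inputs only. The property that matters is the same as for a real
    # proof: it binds segment 1 and nothing else.
    return h(key + encode(public_inputs))


def mock_verify(proof: str, public_inputs: dict, key: bytes) -> bool:
    return proof == mock_prove(public_inputs, key)


class VulnerableRollup:
    """Verifies the proof over segment 1, then executes segment 2 unverified."""

    def __init__(self, vault: dict, key: bytes):
        self.vault = dict(vault)   # assets held by the bridge contract
        self.key = key
        self.paid = []             # (recipient, asset, amount) actually paid out

    def segment2_is_bound(self, cd: Calldata) -> bool:
        return True                # BUG: withdrawals are never tied to the proof

    def process(self, cd: Calldata, proof: str) -> bool:
        if not mock_verify(proof, cd.public_inputs, self.key):
            return False
        if not self.segment2_is_bound(cd):
            return False
        # Check all balances before moving anything, so a bad batch is atomic.
        needed = {}
        for _, asset, amount in cd.withdrawals:
            needed[asset] = needed.get(asset, 0) + amount
        if any(self.vault.get(a, 0) < n for a, n in needed.items()):
            return False
        for recipient, asset, amount in cd.withdrawals:
            self.vault[asset] -= amount
            self.paid.append((recipient, asset, amount))
        return True


class HardenedRollup(VulnerableRollup):
    """Same flow, but segment 2 must hash to the value committed in segment 1."""

    def segment2_is_bound(self, cd: Calldata) -> bool:
        return cd.public_inputs.get("withdrawals_hash") == h(encode(cd.withdrawals))


def demo() -> dict:
    key = b"sequencer-key"                                  # constructed
    vault = {"ETH": 909, "DAI": 270_000, "wstETH": 167}     # constructed from the article's figures
    honest = [["0xAlice", "ETH", 1]]
    pub = {"batch": 7, "withdrawals_hash": h(encode(honest))}
    proof = mock_prove(pub, key)                            # legitimate proof for the honest batch

    # Attacker reuses the valid segment 1 and proof but replaces segment 2.
    forged = Calldata(pub, [["0xMallory", a, n] for a, n in vault.items()])

    v = VulnerableRollup(vault, key)
    hd = HardenedRollup(vault, key)
    return {
        "vulnerable_accepts_forged": v.process(forged, proof),
        "vulnerable_vault_after": v.vault,
        "hardened_accepts_forged": hd.process(forged, proof),
        "hardened_accepts_honest": hd.process(Calldata(pub, honest), proof),
        "hardened_vault_after": hd.vault,
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The vulnerable contract pays out the entire vault against a proof that was genuinely valid, because validity was only ever established for segment 1. The hardened contract rejects the same calldata and still accepts the honest batch; the binding check is cheap and is the kind of invariant that should be part of any rollup's L1 verifier.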
Aztec Labs clarified that Aztec Connect was discontinued three years ago and no administrative keys or control functions remain, meaning the protocol can neither be halted nor updated.
Aztec Labs and foundation respond
Aztec Labs confirmed they are investigating the incident but reiterated that they cannot intervene directly. In a separate statement, the Aztec Foundation stressed that the breach is confined to legacy Aztec Connect infrastructure and does not affect the AZTEC ERC-20 token or any contracts tied to the current Aztec network, which focuses solely on privacy-centric smart contracts.
When Aztec Labs discontinued the bridge, it relinquished all administrative control as part of its commitment to privacy. That decision has now proven costly, since it leaves no way to patch security flaws discovered later.
Financial losses and greater implications
Data from DeFiLlama put the total value locked in Aztec Connect contracts at around 2.15 million dollars before the attack, suggesting that nearly all locked funds were drained in the exploit.

Asset     Amount
ETH       909
DAI       270,000
wstETH    167

Total value locked: approximately 2.15 million dollars
The report highlights that the assets remaining in the contracts at the time of the attack were not being actively monitored. This reopens the debate about the risk of leaving funds in outdated contracts, whose security then depends entirely on the original code base, even after the project has moved on.

As of mid June, total losses from exploits of this kind across the crypto ecosystem have reached 43.93 million dollars. Earlier in the month, Gnosis Pay and TesseraDAO faced comparable breaches, with TesseraDAO losing 2.5 million dollars on the BNB Chain. These incidents underline that discontinued platforms remain attractive targets for attackers.
The post 2.1 million dollars drained from obsolete Aztec Connect contracts! What does this reveal about DeFi security? appeared first on COINTURK NEWS.