
Aztec Connect Drained of $2.1 Million After Verification…


AnonymousCryptoCompass newsroom
June 15, 2026
5 min read

How Was Aztec Connect Drained?

Aztec Connect, a deprecated decentralized finance platform, was drained of around $2.1 million in crypto on Sunday after an attacker exploited a flaw in its verification function. Aztec Labs said it was “investigating a potential exploit affecting Aztec Connect,” adding that around $2.1 million had been transferred from the platform’s smart contract. The team said the incident did not affect users or assets on the current Aztec network.

The exploit hit an old version of Aztec’s system rather than its current privacy-focused layer-2 network. Aztec Connect launched in 2022 as a DeFi bridge and was deprecated in March 2023, with deposits halted as the team shifted resources to the next-generation Aztec Network.

The incident shows a recurring problem in decentralized finance: old contracts can remain live, immutable, and economically exposed even after a project has moved on. If value remains accessible, attackers can still search for weaknesses years after active development has ended.

What Went Wrong in the Verification Process?

Crypto security firm BlockSec said the attacker exploited a mismatch between how Aztec Connect verified transactions and how those transactions were settled on Ethereum. According to BlockSec, verified transactions on Aztec Connect’s contract were “not effectively bound to the transaction set enforced by the ZK proof.” That allowed the verification path and settlement logic on Ethereum “to interpret the transaction list differently.”

The weakness gave the attacker a way to place transactions where the contract credited value without properly validating it on Ethereum. Those credits created unbacked balances that could then be withdrawn. The attacker repeated the process seven times across seven different assets.

The stolen assets included 909 Ether, 270,000 Dai, 167 wrapped staked ETH, and several other cryptocurrencies. The exploit was not large compared with the biggest DeFi hacks of recent years, but its structure matters because it involved a zero-knowledge verification and settlement mismatch rather than a simple hot wallet theft.
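
A toy model of the failure class BlockSec describes, added here as an illustration and not taken from Aztec Connect's contracts or BlockSec's analysis: a verification path and a settlement path that read the same batch differently, next to a hardened version that binds them to one reading. The batch layout, the declared-count field, the SHA-256 stand-in for a proof, and all function names are assumptions; the page does not say how the two interpretations actually diverged.

```python
import hashlib
from dataclasses import dataclass

TX_SIZE = 8  # constructed toy encoding: 4-byte account id + 4-byte credit amount

def encode_tx(account: int, amount: int) -> bytes:
    return account.to_bytes(4, "big") + amount.to_bytes(4, "big")

def credit(tx_data: bytes, balances: dict[int, int]) -> None:
    for i in range(0, len(tx_data) - TX_SIZE + 1, TX_SIZE):
        account = int.from_bytes(tx_data[i:i + 4], "big")
        balances[account] = balances.get(account, 0) + int.from_bytes(tx_data[i + 4:i + 8], "big")

def commit(tx_data: bytes) -> bytes:
    # Stand-in for a proof's public input: a hash over the validated transactions.
    return hashlib.sha256(tx_data).digest()

@dataclass
class Batch:
    num_txs: int         # count declared in the (hypothetical) batch header
    tx_data: bytes       # transaction bytes handed to settlement
    proof_commit: bytes  # what the simulated proof attests to

def verify(batch: Batch) -> bool:
    # Verification path: checks only the first num_txs transactions.
    return commit(batch.tx_data[:batch.num_txs * TX_SIZE]) == batch.proof_commit

def settle_unbound(batch: Batch, balances: dict[int, int]) -> None:
    # Flawed: settlement walks every supplied transaction, not the verified prefix.
    if not verify(batch):
        raise ValueError("proof rejected")
    credit(batch.tx_data, balances)

def settle_bound(batch: Batch, balances: dict[int, int]) -> None:
    # Hardened: the settled bytes must be exactly the bytes the proof commits to.
    if len(batch.tx_data) != batch.num_txs * TX_SIZE:
        raise ValueError("transaction data does not match declared count")
    if commit(batch.tx_data) != batch.proof_commit:
        raise ValueError("proof rejected")
    credit(batch.tx_data, balances)

def demo() -> dict[int, int]:
    proven = encode_tx(1, 100)  # constructed sample: the only transaction the proof covers
    batch = Batch(1, proven + encode_tx(2, 999), commit(proven))
    credited: dict[int, int] = {}
    settle_unbound(batch, credited)
    return credited  # account 2 holds a balance no proof ever covered
```

In the flawed path the proof check passes and an unproven credit still lands; the hardened path rejects the same batch before any balance changes.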

Investor Takeaway

The Aztec Connect exploit is a reminder that deprecated infrastructure can still carry live financial risk. For investors and protocols, the key question is not whether a product is still actively marketed, but whether its contracts still hold assets or allow withdrawals.

Why Do Deprecated Contracts Remain A Security Risk?

Aztec Connect had already been wound down, but that did not remove the underlying smart contract risk. Once contracts become immutable, teams may have limited or no ability to pause activity, upgrade logic, or intervene after an exploit begins. Aztec Labs said: “Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.”

That design can be viewed as a decentralization feature because users are not dependent on a centralized administrator. It can also become a security constraint when a legacy contract contains an undiscovered flaw. Without admin controls, the team cannot easily stop withdrawals, patch verification logic, or freeze exposed balances after suspicious activity starts.

Crypto developer Param said Aztec Connect’s smart contracts became “fully immutable” and could no longer be upgraded or paused. “The incident is another reminder that abandoned DeFi contracts can still become targets years later,” they said.

For DeFi users, that creates a due diligence problem. A platform may be deprecated, but the contracts can still exist onchain. Users who leave assets in old systems may be relying on code that is no longer maintained, no longer monitored with the same urgency, and no longer supported by active product teams.

What Does This Mean for DeFi Security?

The Aztec Connect exploit adds to a difficult month for crypto security. At least $44 million has been stolen so far this month across multiple exploits, according to DeFiLlama data. The largest June incident so far was a private key compromise at Humanity Protocol, where $30 million was lost on June 8. The Syscoin Bridge also lost $8 million in a fake proof exploit the previous day.

The pattern shows that DeFi security risk is spreading across different failure types. Some losses come from compromised private keys. Others come from bridge verification flaws, proof validation issues, or contract logic that behaves differently under edge-case transactions.

For privacy-focused and zero-knowledge systems, the Aztec Connect case may draw closer attention to the binding between proofs, transaction sets, and settlement execution. If a proof verifies one set of assumptions while Ethereum settlement logic processes another, attackers may find room to create balances that the system did not actually validate.

The current Aztec Network was not affected, according to the team. Still, the exploit may increase pressure on DeFi projects to create clearer shutdown plans for old contracts, publish stronger user migration warnings, and monitor deprecated systems for longer than expected.

The larger market lesson is straightforward. In DeFi, deprecation does not equal disappearance. As long as contracts remain callable and assets remain withdrawable, old infrastructure can still become an attack surface.