Second $2.1M Exploit Hits Aztec in Less Than a Week

Deprecated Aztec infrastructure suffered a second exploit within days, with the private rollup bridge drained of 1,158 ETH, 150,000 DAI and 0.46 renBTC — roughly $2.15 million. SlowMist co-founder Cos said his preliminary analysis found the attacker used a false rollup proof to trick the protocol into releasing assets from its reserves to the attacker’s address.

Aztec Labs confirmed roughly $2 million was moved from an immutable smart contract tied to a payment product deprecated in 2022, noting the team held no admin keys or ability to pause transactions. The company said this incident is separate from the $2.1 million taken from Aztec Connect’s smart contract on Sunday; Aztec Connect was deprecated in March 2023, with deposits halted as the team shifted resources to the next‑generation Aztec Network.

The two Aztec exploits, together with $1.3 million stolen from decentralized exchange Raydium earlier in June, have renewed concerns about abandoned smart contracts. "Old contracts continue to be bug bounties available to any hackers.

aztec, exploit, rollup bridge, eth, dai, renbtc, rollup proof, immutable contract, deprecated contract, raydium