Attacker Drains $2.19M From Deprecated Aztec Connect

An attacker withdrew $2.19 million from deprecated Aztec Connect on June 14 by exploiting a proof-validation bug. Aztec Labs says it holds no admin keys and cannot intervene.

On June 14 an attacker withdrew about $2.19 million from Aztec Connect, a deprecated privacy-layer system, by exploiting a flaw in the platform’s proof verification logic.

Blockchain security firm CertiK flagged the transaction on social media and identified incomplete validation of submitted proof data. One contract function verified only the start of a submitted proof while token transfer instructions embedded later were not fully checked, allowing a crafted proof to authorize transfers.

The Aztec Foundation confirmed it was notified and clarified the breach does not affect the AZTEC ERC-20 token or any smart contracts on the current Aztec network. Aztec Connect was deprecated three years ago and remains live on-chain.

Aztec Labs said it is conducting an investigation but has no administrative control over the deprecated system and cannot pause or upgrade the deployed contracts. The lab posted: “Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.”

The theft followed an attack days earlier that removed roughly $1.3 million from legacy liquidity pools on the Solana-based Raydium platform. Data aggregators show about $43.93 million in recorded losses across exploits this month, a total that includes the Aztec Connect and Raydium incidents.

CertiK’s alert prompted on-chain tracing by analysts to follow the attacker’s fund flows. There has been no public claim of responsibility and no recovery of the stolen funds reported.

Deprecated contracts remain active on blockchains unless they are migrated or explicitly disabled. Without admin keys or upgrade mechanisms, developers cannot change those contracts once control is relinquished.

Articles by this author