Aztec Network loses over $4 million in three days to two subsequent hacks

2026/06/18 19:44
  • Legacy Aztec Network contracts were drained of over $4M in three days.
  • Attacks exploited flaws in zero-knowledge proof verification logic.
  • The core Aztec network and AZTEC token were not affected by the exploits.

Aztec’s legacy infrastructure has come under a coordinated wave of attacks, leading to losses that crossed $4 million within just three days.

The exploits targeted deprecated smart contracts that had already been shut down years earlier but still held on-chain liquidity.

Despite being labelled as inactive and immutable, the contracts remained accessible to attackers who exploited weaknesses in zero-knowledge proof verification logic.

While the attacks did not affect the current Aztec network or its AZTEC token, they exposed long-standing risks tied to retired DeFi systems that continue to exist on Ethereum without active maintenance or upgrade paths.

First breach: Aztec Connect drained of $2.1 million

The first incident occurred on June 14, when attackers exploited the Aztec Connect protocol, a deprecated privacy-focused bridge that had been officially shut down after its retirement phase.

The contract was already considered inactive, yet it still contained residual funds.

The attacker managed to drain approximately $2.1 million in digital assets, including around 909 ETH, 270,000 DAI, and 167 wstETH, alongside other smaller holdings.

The exploit was linked to flaws in the way rollup proof verification was handled, allowing invalid or manipulated proofs to be accepted as legitimate.

What made the situation more critical was the nature of the contract itself.

Aztec Connect was described as immutable, meaning it could not be paused or patched once deployed.

Even though users had previously been encouraged to withdraw funds before shutdown, the remaining balance became an easy target for exploitation years later.

Security teams reviewing the incident pointed to a breakdown in the relationship between zero-knowledge proof validation and on-chain settlement logic.

In simple terms, the system accepted proofs that did not correctly match the underlying transaction state, allowing the attacker to trigger unauthorised withdrawals.

Second attack: Private Rollup Bridge exploited for $2.15 million

Just three days later, a second exploit hit another legacy system known as the Private Rollup Bridge.

This contract was also part of Aztec’s older infrastructure and had been deprecated following the transition away from earlier rollup designs.

In this case, attackers drained roughly 1,158 ETH, valued at close to $2.15 million at the time of the incident.

The method used was different in execution but similar in technical root cause.

Instead of directly manipulating withdrawals through basic proof mismatch, the attacker leveraged a vulnerable “escape hatch” mechanism embedded in the bridge design.

By submitting a specially crafted zero-knowledge proof, the attacker was able to trigger the contract’s exit logic.

The system incorrectly validated the proof and released funds without proper verification of the underlying state transitions.

This allowed the attacker to extract liquidity in a single coordinated sequence.

Like the earlier exploit, this breach did not involve private key compromise or reentrancy vulnerabilities.

Instead, it highlighted deeper issues in how proof validation was structured in legacy rollup systems, particularly when contracts remain permanently active on-chain after being officially sunset.

Response from Aztec and security firms

Following both incidents, Aztec Labs and the Aztec Foundation confirmed that the affected systems were deprecated products with no connection to the current Aztec network or AZTEC token ecosystem.

They emphasised that neither contract could be upgraded, paused, or controlled, as both were designed to be immutable at deployment.

Security firm CertiK Alert also flagged the Private Rollup Bridge exploit, identifying the attacker’s address and confirming the movement of funds tied to a specific Ethereum transaction.

Their analysis aligned with other reviews, suggesting that the vulnerability stemmed from flaws in zero-knowledge proof verification rather than conventional smart contract bugs.

Aztec representatives also clarified that the Private Rollup Bridge and Aztec Connect incidents were separate events, even though they occurred within a short timeframe and shared similar technical weaknesses.

The post Aztec Network loses over $4 million in three days to two subsequent hacks appeared first on CoinJournal.
