Aztec Labs has confirmed that an attacker exploited a vulnerability in its long-deprecated Aztec Connect protocol on Ethereum, draining approximately $2.19 million worth of digital assets on
Aztec Labs has confirmed that an attacker exploited a vulnerability in its long-deprecated Aztec Connect protocol on Ethereum, draining approximately $2.19 million worth of digital assets on June 14, 2026.The incident occurred at approximately 12:26 UTC (block 25,315,715). The attacker, operating from the externally owned address 0x0f18…edd17 (previously funded via Tornado Cash), targeted the RollupProcessorV3 contract. The exploit comes amid a broader rise in smart contract attacks across the industry. Earlier this month, attackers exploited a hidden swap loophole in the ATM Token protocol on BNB Chain, resulting in the loss of approximately $243,500 and raising fresh concerns about overlooked contract vulnerabilities.
In a single sophisticated transaction, the exploiter executed unauthorized operations and withdrew 908.99 ETH (~$1.565 million), 270,513 DAI, 167.89 wstETH (~$357,000), along with smaller amounts of yvDAI, yvWETH, LUSD, and yvLUSD. Aztec Labs issued an official statement confirming the exploit and stressing that the affected system is completely separate from its current network. Security researchers responded rapidly CertiK flagged the suspicious transaction around 13:52 UTC.
We are investigating a potential exploit affecting Aztec Connect. ~$2.1m was transferred from the immutable smart contract in transaction:https://t.co/5WrfeR8bbJ
Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be…
— Aztec Labs (@AztecLabs_) June 14, 2026
According to security analyses, the root cause was a critical mismatch in the processRollup() function of the RollupProcessorV3 contract. The zero-knowledge proof verification logic and the Layer-1 settlement logic handled transaction data differently. This allowed the attacker to craft a malicious rollup proof using the numRealTxs parameter mismatch, inserting unbacked balances and bypassing deposit, signature, and withdrawal validations. The attacker reportedly used 14 batched rollup IDs (13277 to 13290) to extract funds from the Aztec Connect Router contract. The immutable and unpausable nature of the deprecated contract made the proof validation bypass possible.
Similar security weaknesses have recently been observed elsewhere in the DeFi sector. In a separate incident on Solana, an exploit involving dormant Raydium AMM V3 liquidity pools enabled attackers to manipulate abandoned pools and extract more than $1.34 million in assets.
The attack was executed through a specially crafted rollup submission that passed zk-proof verification while manipulating the transaction count processed by the settlement logic. As a result, the contract recognized balances that were never legitimately deposited, enabling the attacker to mint and withdraw assets from the protocol. The fraudulent rollup was finalized on-chain, after which the attacker transferred the extracted funds to attacker-controlled addresses through a series of transactions originating from the exploit transaction 0x074ec9…eeb1. The transaction effectively served as the entry point for the malicious rollup, triggering the proof-validation bypass and initiating the unauthorized fund withdrawals.
In its official statement on June 14, Aztec Labs clarified:
“Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.”
The team strongly emphasized that this exploit has zero impact on the current Aztec Network, its active smart contracts, or the AZTEC token. Users were reminded that they had been advised multiple times in the past to withdraw funds from the legacy system.
AZTEC token The exploit has had minimal impact on the AZTEC token. According to CoinMarketCap, as of June 15, 2026, 05:33 AM UTC, AZTEC is trading at approximately $0.01586, with a 24-hour price increase of around 5.1% – 5.3%. The token reached a 24-hour high of $0.01711 and a low of $0.01584. Over the past 7 days, it has shown a modest gain of roughly 0.7% – 0.8%. The token’s market capitalization stands at approximately $46.56 million (ranked around #480–#482 globally).
Key Statistics (as of June 15, 2026):
This incident is the latest example of attacks on “zombie contracts”, abandoned yet still funded legacy protocols that remain vulnerable long after official deprecation. Aztec Connect, originally launched in 2022 as a privacy-focused zk-rollup bridge, was deprecated in 2023. By 2024, all administrative controls had been relinquished.The event underscores key challenges in the blockchain space: ensuring complete end-to-end verification between proof systems and on-chain logic, maintaining rigorous security standards even for legacy upgrades, and executing clean deprecation with full fund migration.
The risks are not limited to legacy bridge protocols. Recent incidents such as the StablR exploit, which resulted in the unauthorized minting of millions of USDR and EURR tokens, demonstrate how flaws in token issuance and validation mechanisms can also threaten the stability of decentralized financial systems. Note on Recent Developments: The current Aztec Network continues to operate separately and has a planned fix for a critical bug in its Alpha v4 proving system scheduled for July 2026. Users have been advised to limit deposits until the upgrade is complete.
