- Legacy Aztec Network contracts were drained of more than $4 million in three days.
- The attacks exploited flaws in zero-knowledge proof verification logic.
- The Aztec core network and AZTEC token are not affected by these vulnerabilities.
Aztec’s legacy infrastructure has been hit by a coordinated wave of attacks, resulting in losses exceeding $4 million in just three days.
The exploits targeted abandoned smart contracts that had been shut down years ago but still retained on-chain liquidity.
Despite being classified as inactive and immutable, the contracts remained accessible to attackers who exploited vulnerabilities in the zero-knowledge proof verification logic.
While the attacks did not impact the existing Aztec Network or its AZTEC token, they did expose the long-term risks of retired DeFi systems that still exist on Ethereum with no active maintenance or upgrade paths.
First hack: Aztec Connect drained of $2.1 million
The first incident happened on June 14, when attackers exploited the Aztec Connect protocol, a deprecated privacy-focused bridge that had been officially retired.
The contract was already considered inactive, but it still held remaining funds.
The attacker was able to drain approximately $2.1 million in digital assets, including approximately 909 ETH, 270,000 DAI, and 167 wstETH, along with other smaller holdings.
The exploit was linked to flaws in the way proof verification was handled, allowing invalid or tampered proofs to be accepted as legitimate.
What made the situation more dangerous was the nature of the contract itself.
Aztec Connect is described as immutable, meaning it cannot be paused or patched once deployed.
Although users were previously encouraged to withdraw funds before the shutdown, the remaining balance became an easy target for exploitation years later.
Security teams reviewing the incident noted a breakdown in the relationship between zero-knowledge proof validation and on-chain settlement logic.
In simple terms, the system accepts proofs that do not correctly match the underlying transaction state, allowing the attacker to make unauthorized withdrawals.
Second attack: Private Rollup Bridge exploit for $2.15 million
Only three days later, a second exploit hit another legacy system, known as the Private Rollup Bridge.
This contract was also part of Aztec’s older infrastructure and was deprecated after the transition away from previous block designs.
In this case, the attackers drained approximately 1,158 ETH, worth approximately $2.15 million at the time of the incident.
The method used was different in implementation but similar in technical root cause.
Instead of directly manipulating withdrawals through key directory mismatches, the attacker took advantage of a weak “escape hatch” mechanism built into the bridge’s design.
By providing a specially crafted zero-knowledge proof, the attacker was able to trigger exit logic from the contract.
The system incorrectly validated the proof and released funds without proper verification of key state transitions.
This allowed the attacker to extract liquidity in one coordinated sequence.
As with the previous exploit, this hack did not involve private key compromise or reentrancy vulnerabilities.
Instead, it highlighted deeper issues with how proof validation is structured in legacy rollup systems, especially when contracts remain permanently active on-chain after they are officially retired.
Response from Aztec and security companies
Following both incidents, Aztec Labs and the Aztec Foundation confirmed that the affected systems were deprecated products without any connection to the existing Aztec network or the AZTEC token ecosystem.
The Aztec Foundation has been informed of a potential exploit targeting a deprecated product that occurred on June 17, 2026. There are no links between this product and any smart contracts related to the existing network or the AZTEC ERC20 token.
The product has been neglected for 4 years… https://t.co/kANAIuw8HF
– Aztec Foundation (@aztecFND) June 18, 2026
They stressed that neither contract can be upgraded, paused, or controlled, as both are designed to be immutable upon deployment.
Security company CertiK Alert also flagged the Private Rollup Bridge exploit, identifying the attacker’s address and confirming the movement of funds associated with a specific Ethereum transaction.
Their analysis is consistent with other reviews, suggesting that the vulnerability stems from flaws in zero-knowledge proof verification rather than traditional smart contract bugs.
Aztec representatives also clarified that the Private Rollup Bridge and Aztec Connect incidents were separate events, although they occurred within a short time frame and shared similar technical vulnerabilities.




