A dormant smart contract from the deprecated Aztec Connect privacy bridge has been exploited for approximately $2.1 million, underscoring the persistent danger of old DeFi infrastructure. BlockSec's Phalcon monitoring system first flagged the suspicious transaction, which drained 909 ETH, 270,000 DAI, and 167 wstETH from the contract.
The root cause, according to CertiK and BlockSec, was a mismatch in validation: one contract function only checked the beginning of submitted proof data, leaving token transfer instructions elsewhere unverified. This allowed the attacker to manipulate withdrawals without triggering full proof verification. Aztec Labs confirmed it has no ability to pause or upgrade the contract, stating, “Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system.” The Aztec Foundation later added that the incident is unrelated to the current AZTEC ERC-20 token or the new Aztec network focused on private smart contracts.
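A simplified model of the validation mismatch reported above, added here as an illustration; it is not Aztec Connect code and does not reproduce its data layout. The HMAC stands in for proof verification, and the 32-byte header, the 12-byte instruction encoding, and all function names are assumptions.

```python
import hashlib
import hmac

VERIFIER_KEY = b"constructed-demo-key"  # stand-in; a real bridge verifies a ZK proof
HEADER_LEN = 32                          # assumption: header = SHA-256 of the body


def proof_ok(header: bytes, proof: bytes) -> bool:
    """Stand-in for proof verification: attests to the header bytes only."""
    expected = hmac.new(VERIFIER_KEY, header, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def instr(token: str, amount: int) -> bytes:
    """Encode one transfer: 4-byte ASCII token tag + 8-byte big-endian amount."""
    return token.ljust(4).encode("ascii") + amount.to_bytes(8, "big")


def parse_transfers(body: bytes) -> list:
    if len(body) % 12:
        raise ValueError("truncated transfer instruction")
    return [(body[i:i + 4].decode("ascii").strip(),
             int.from_bytes(body[i + 4:i + 12], "big"))
            for i in range(0, len(body), 12)]


def process_weak(payload: bytes, proof: bytes) -> list:
    """Checks only the start of the data, then acts on the unchecked rest."""
    if not proof_ok(payload[:HEADER_LEN], proof):
        raise PermissionError("proof rejected")
    return parse_transfers(payload[HEADER_LEN:])


def process_strict(payload: bytes, proof: bytes) -> list:
    """Also binds the transfer bytes to the header the proof attests to."""
    header, body = payload[:HEADER_LEN], payload[HEADER_LEN:]
    if not proof_ok(header, proof):
        raise PermissionError("proof rejected")
    if not hmac.compare_digest(hashlib.sha256(body).digest(), header):
        raise PermissionError("transfer data not covered by proof")
    return parse_transfers(body)


# Constructed sample data: one honest submission and a copy with an altered tail.
honest_body = instr("DAI", 10)
header = hashlib.sha256(honest_body).digest()
proof = hmac.new(VERIFIER_KEY, header, hashlib.sha256).digest()
honest = header + honest_body
tampered = header + instr("DAI", 5_000)
```

With the same header and proof, `process_weak` accepts both submissions, while `process_strict` rejects the altered one because the transfer bytes no longer match what was verified.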
The attack highlights a fundamental DeFi trade-off: while immutability removes trust in admin keys, it also eliminates emergency response options. Old contracts like Aztec Connect, which held a total value locked of $2.15 million before the exploit, remain live and funded on-chain indefinitely. The event pushed cumulative June exploit losses to nearly $44 million, according to DeFiLlama, raising fresh calls for structured shutdown plans that include repeated user warnings, withdrawal deadlines, and continuous monitoring—even after a project ends.