Privacy-oriented Ethereum scaling project Aztec has suffered its second major exploit in less than a week, with an attacker draining approximately $2.15 million from a deprecated Private Rollup Bridge contract. The incident follows a separate $2.1 million breach of the also-retired Aztec Connect earlier this month, intensifying scrutiny of immutable smart contracts left on-chain after projects shut down.
Blockchain data shows three suspicious transactions moving roughly 1,158 ETH, 150,000 DAI, and 0.47 renBTC from the bridge contract. Security researcher Cos (@evilcos) and blockchain security firm PeckShield traced the attack to an abuse of the RollupProcessor’s “Escape Hatch” mechanism, a safety feature intended to let users submit rollup proofs during outages. The attacker allegedly crafted proofs with manipulated public output values that the verifier accepted, releasing assets directly from custodial reserves. Stolen funds were later routed to wallets connected to the exchange HitBTC.
The Aztec Foundation and Aztec Labs quickly issued statements distancing the current network from the incident. They stressed that the affected product was an immutable Stage 2 rollup deprecated in 2022, with no admin keys or upgrade controls, and that it has “no links” to any smart contracts associated with the active Aztec network or the AZTEC ERC‑20 token. Both entities are investigating and will provide further updates.
The event reignites concerns about the safety of deprecated DeFi infrastructure. While the financial damage is modest compared to historic bridge exploits, the repeated targeting of legacy contracts — even after official discontinuation — undermines confidence and highlights the lingering risks posed by immutable code that remains live on Ethereum. Analysts warn that trust becomes a critical casualty when multiple incidents strike a single ecosystem in rapid succession.