Aztec Connect Drained of $2.1M After Verification Exploit

Aztec Connect, a deprecated decentralized finance platform, was drained of approximately $2.1 million on Sunday after an attacker exploited a flaw in its verification function. Aztec Labs confirmed the incident affected the platform's smart contract but stated that users and assets on the current Aztec Network remained unaffected. The exploit targeted an old version of Aztec's system launched in 2022 and deprecated in March 2023, highlighting persistent security risks in immutable smart contracts that retain accessible value even after active development has ended.

Attacker Exploited Verification and Settlement Mismatch

Crypto security firm BlockSec identified the root cause as a mismatch between how Aztec Connect verified transactions and how those transactions were settled on Ethereum. According to BlockSec, verified transactions on Aztec Connect's contract were "not effectively bound to the transaction set enforced by the ZK proof." This allowed the verification path and settlement logic on Ethereum "to interpret the transaction list differently."

The weakness enabled the attacker to place transactions where the contract credited value without properly validating it on Ethereum. Those credits created unbacked balances that could then be withdrawn. The attacker repeated this process seven times across seven different assets.
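To make the class of bug BlockSec describes concrete, the following is an added example, not code from Aztec Connect or from BlockSec. It is a simplified Python model in which a hash stands in for the ZK proof's public inputs; the 40-byte transaction layout, the function names and the sample accounts are all constructed for illustration. It contrasts a settlement routine that reads the transaction list differently from the verifier with one that only accepts exactly the bytes the proof commits to.

```python
import hashlib
import struct

TX_SIZE = 40  # constructed layout: 32-byte account id + 8-byte big-endian amount

def encode_tx(account: bytes, amount: int) -> bytes:
    return account.ljust(32, b"\0") + struct.pack(">Q", amount)

def decode_txs(blob: bytes):
    """Decode every complete transaction record present in the blob."""
    return [(blob[i:i + 32].rstrip(b"\0"),
             struct.unpack(">Q", blob[i + 32:i + TX_SIZE])[0])
            for i in range(0, len(blob) - TX_SIZE + 1, TX_SIZE)]

def prove(blob: bytes):
    """Stand-in for the prover: public inputs are (tx count, hash of those txs)."""
    return len(blob) // TX_SIZE, hashlib.sha256(blob).digest()

def verify(public_inputs, blob: bytes) -> bool:
    """Stand-in for proof verification: checks only the span the proof covers."""
    count, digest = public_inputs
    return hashlib.sha256(blob[:count * TX_SIZE]).digest() == digest

def settle_unbound(public_inputs, blob: bytes):
    """Mismatch: verification reads `count` txs, settlement credits the whole blob."""
    if not verify(public_inputs, blob):
        raise ValueError("proof rejected")
    return decode_txs(blob)

def settle_bound(public_inputs, blob: bytes):
    """Settlement accepts only the exact bytes the proof commits to."""
    count, digest = public_inputs
    if len(blob) != count * TX_SIZE:
        raise ValueError("calldata length does not match proven tx count")
    if hashlib.sha256(blob).digest() != digest:
        raise ValueError("calldata does not match proven commitment")
    return decode_txs(blob)

# Constructed sample data: two proven transactions and one record no proof covers.
PROVEN = encode_tx(b"alice", 5) + encode_tx(b"bob", 7)
PUBLIC_INPUTS = prove(PROVEN)
UNPROVEN_EXTRA = encode_tx(b"mallory", 1000)
```

In the unbound version the verifier and the settlement loop each pass their own checks yet disagree on how many records exist, which is the kind of divergence to look for when reviewing any contract that verifies a commitment and then re-parses calldata.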

Seven Assets Stolen Including 909 ETH and 270,000 DAI

The stolen assets included 909 Ether, 270,000 Dai, 167 wrapped staked ETH, and several other cryptocurrencies. Aztec Labs said around $2.1 million had been transferred from the platform's smart contract. The exploit affected Aztec Connect, which launched in 2022 as a DeFi bridge and had deposits halted in March 2023 as the team shifted resources to the next-generation Aztec Network.

Immutable Contracts Prevented Admin Intervention

Aztec Labs stated: "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us." Crypto developer Param said Aztec Connect's smart contracts became "fully immutable" and could no longer be upgraded or paused. Without admin controls, the team could not stop withdrawals, patch verification logic, or freeze exposed balances after suspicious activity started.

June DeFi Exploits Totaled At Least $44 Million

At least $44 million has been stolen so far this month across multiple exploits, according to DeFiLlama data. The largest June incident was a private key compromise at Humanity Protocol, where $30 million was lost on June 8. The Syscoin Bridge also lost $8 million in a fake proof exploit the previous day. The current Aztec Network was not affected by the Aztec Connect exploit, according to the team.

FAQ

What caused the Aztec Connect exploit on Sunday? An attacker exploited a flaw in Aztec Connect's verification function where verified transactions were not effectively bound to the transaction set enforced by the ZK proof, allowing the verification path and settlement logic on Ethereum to interpret the transaction list differently.

How much was stolen from Aztec Connect and what assets were taken? Approximately $2.1 million was drained from Aztec Connect's smart contract, including 909 Ether, 270,000 Dai, 167 wrapped staked ETH, and several other cryptocurrencies across seven different assets.
