Aztec is dealing with something no protocol wants to face: a second exploit within 72 hours.
What started as a $2.1 million breach on June 14 has now been followed by a separate $2 million attack three days later, targeting a different deprecated contract through the same fundamental weakness: zero-knowledge proof verification that could be deceived.
Together, the two incidents have drained more than $4 million and raised uncomfortable questions about the long-tail risk of immutable legacy infrastructure that protocols can no longer control.
The Aztec Foundation confirmed the second incident in a statement, noting it was made aware of the exploit targeting a deprecated product that occurred on June 17, 2026.
The foundation was explicit that the affected product has no links to any smart contracts related to the current Aztec network or the AZTEC ERC-20 token, but the timing makes the reassurance a harder sell than it would otherwise be.

The sequence began on June 14, when Aztec acknowledged that an attacker had drained approximately $2.1 million from Aztec Connect, targeting a deprecated contract that had been shut down in 2023.
The Aztec Foundation was made aware of a potential exploit targeting Aztec Connect which occurred earlier today, June 14, 2026. There are no links between this product and any smart contracts related to the AZTEC ERC20 token, or current Aztec network.
Aztec Connect was… https://t.co/R3eImP8kCR
— Aztec Foundation (@aztecFND) June 14, 2026
The attack vector was a vulnerability in the rollup proof verification system, a technically sophisticated entry point that required the attacker to understand how Aztec’s cryptographic architecture processed and validated proofs.
The assets stolen in that first attack included approximately 909 ETH, 270,000 DAI, 167 wstETH, and a mix of other assets. Aztec Labs confirmed after the fact that the contract was immutable and could not be paused, meaning once the attacker identified and executed the exploit, there was no emergency intervention available to stop the drain. The funds moved, and the team could only observe and document.
The immutability that was once a feature, signaling trustlessness and resistance to admin manipulation, became a liability the moment a vulnerability surfaced in code no one could touch.
If the first exploit raised eyebrows, the second one, arriving just 72 hours later, has raised the alarm considerably further.
How Aztec got exploited twice in just 3 days:
June 14:
– An attacker drained around $2.1M from Aztec Connect
– The attack targeted a deprecated contract that had been shut down in 2023
– The attacker exploited a vulnerability in the rollup proof verification
Around:
909… pic.twitter.com/67IN2C3rYY
— Param (@Param_eth) June 18, 2026
Param’s analysis details how, this time, the attacker targeted the Private Rollup Bridge through a function known as the “escape hatch”, a mechanism designed as a safety valve that lets users exit under specific conditions.
The attacker did not find a private key or exploit a reentrancy vulnerability. Instead, they constructed a specially crafted zero-knowledge proof, a fake proof that the contract’s verification logic accepted as valid. Once accepted, the contract released the funds as if the transaction were legitimate. Approximately 1,158 ETH worth around $2 million exited through that mechanism before the attack was identified.
The technical signature here is significant. A fake ZK proof that passes verification is not a brute-force attack or a social engineering play; it requires deep familiarity with how the proof system is structured and where its validation logic can be deceived. Whether the two exploits share a common attacker or methodology remains under investigation, but two attacks on ZK proof verification within three days of each other are not easy to dismiss as coincidence.
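The article does not say where the verifier could be deceived, and nothing below should be read as a description of the Aztec flaw. As an added illustration of what “a fake proof that passes verification” can look like in practice, the following toy (written for this page, not Aztec code) reproduces one well-documented bug class in on-chain ZK verifiers: the circuit sees a public input only as a field element, so an unreduced integer that aliases onto the same field element verifies with an unchanged proof while the contract’s spent-set, keyed on the raw integer, treats it as new. The group parameters, the Schnorr-style proof, the `Bridge` class and the nullifier bookkeeping are all constructed for the example; a real system would use a SNARK over a 256-bit curve order, but the reduction problem is the same.

```python
"""Toy public-input aliasing bug in a ZK withdrawal check (added illustration).

Construction, not Aztec's code: a Schnorr proof of knowledge of a deposit
secret is bound to a public 'nullifier' through the Fiat-Shamir challenge.
The circuit only sees the nullifier as a field element (nullifier mod Q), so
the verifier reduces it before hashing, while the withdrawal bookkeeping keys
its spent-set on the raw integer. Any value nullifier + k*Q then verifies
with the unchanged proof and looks unspent.
"""
import hashlib
import secrets

# Toy group: P = 2*Q + 1 with both prime; G = 4 generates the order-Q subgroup.
# Real systems use ~256-bit curve orders; these are small for readability.
P, Q, G = 2039, 1019, 4


def _challenge(*vals: int) -> int:
    """Fiat-Shamir challenge in [0, Q) over fixed-width encodings of the inputs."""
    h = hashlib.sha256()
    for v in vals:
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove(secret: int, nullifier: int) -> tuple[int, int, int]:
    """Prove knowledge of `secret` behind commitment Y = G^secret, bound to the nullifier."""
    y = pow(G, secret, P)
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _challenge(y, r, nullifier % Q)      # the circuit's view: a field element
    s = (k + e * secret) % Q
    return y, r, s


def verify(y: int, r: int, s: int, nullifier_field: int) -> bool:
    """Standard Schnorr check: G^s == R * Y^e."""
    e = _challenge(y, r, nullifier_field)
    return pow(G, s, P) == (r * pow(y, e, P)) % P


class Bridge:
    """Withdrawal contract model. canonical_inputs=False reproduces the bug class."""

    def __init__(self, canonical_inputs: bool):
        self.canonical_inputs = canonical_inputs
        self.deposits: dict[int, int] = {}   # commitment Y -> deposited amount
        self.spent: set[int] = set()          # raw nullifier integers
        self.withdrawn = 0

    def deposit(self, y: int, amount: int) -> None:
        self.deposits[y] = amount

    def withdraw(self, y: int, r: int, s: int, nullifier_raw: int) -> bool:
        if self.canonical_inputs and nullifier_raw >= Q:
            return False                      # hardened: reject non-canonical input
        if y not in self.deposits or nullifier_raw in self.spent:
            return False
        # The on-chain verifier's scalar arithmetic reduces mod Q implicitly.
        if not verify(y, r, s, nullifier_raw % Q):
            return False
        self.spent.add(nullifier_raw)
        self.withdrawn += self.deposits[y]
        return True


def replay_with_aliased_nullifier(canonical_inputs: bool) -> int:
    """One honest withdrawal, then the same proof with nullifier + Q. Returns total paid out."""
    bridge = Bridge(canonical_inputs)
    secret = secrets.randbelow(Q - 1) + 1
    nullifier = secrets.randbelow(Q)
    y, r, s = prove(secret, nullifier)
    bridge.deposit(y, 100)
    bridge.withdraw(y, r, s, nullifier)          # legitimate exit
    bridge.withdraw(y, r, s, nullifier + Q)      # aliased replay of the identical proof
    return bridge.withdrawn


def forged_proof_is_rejected() -> bool:
    """Sanity check: without the secret, a tampered proof does not verify."""
    y, r, s = prove(7, 42)
    return not verify(y, r, (s + 1) % Q, 42)


if __name__ == "__main__":
    print("vulnerable bridge paid out:", replay_with_aliased_nullifier(False))  # 200
    print("hardened bridge paid out:  ", replay_with_aliased_nullifier(True))   # 100
```

The one-line fix in `Bridge.withdraw` is the point: every public input the contract later uses for bookkeeping must be checked against the field modulus before the proof is accepted, because the verifier will otherwise silently accept all of its aliases.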
Stepping back across both incidents, PeckShield’s monitoring and on-chain analysts draw a clear through-line: both exploits originated from flaws in how zero-knowledge proofs were verified, and both targeted bridge infrastructure rather than the core Aztec network itself.
#PeckShieldAlert The @aztecnetwork Private Rollup Bridge has suffered an exploit, resulting in a loss of ~$2.165M worth of cryptos, including 1.158K $ETH, 150K $DAI & 0.47 $renBTC
The exploiter was originally funded with 0.134 $ETH from #HitBTC. pic.twitter.com/CHZOOQ1eDW
— PeckShieldAlert (@PeckShieldAlert) June 18, 2026
The core protocol and the current AZTEC token remain unaffected; the Aztec Foundation has been clear on that point.
The Aztec Foundation was made aware of a potential exploit targeting a deprecated product which occurred on June 17, 2026. There are no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token.
The product was deprecated 4 years… https://t.co/kANaIuw8HF
— Aztec Foundation (@aztecFND) June 18, 2026
But that distinction, while technically accurate, does not fully resolve the confidence problem. Deprecated does not mean disconnected in the minds of users who see $4 million leave a protocol’s ecosystem in three days. Bridge exploits in particular have a history of triggering withdrawal cascades because they hit the infrastructure users rely on to move funds in and out, and once that trust erodes, it tends to move faster than any remediation plan.
The Aztec incidents surface a tension that the broader DeFi ecosystem has not fully resolved. Immutable smart contracts offer genuine security guarantees: they cannot be altered by developers, rug-pulled by insiders, or quietly modified in ways that harm users. That architecture sits at the philosophical core of trustless finance.
But immutability also means that when a vulnerability exists in deprecated code, the team is left watching from the sidelines. Aztec Labs holds no admin keys over the affected systems. It cannot pause them, upgrade them, or redirect funds. The Aztec Foundation’s statement makes this explicit, and it is not a deflection; it is simply the technical reality of how these contracts were designed.
The question the industry now has to sit with is how protocols responsibly manage the long-term risk of legacy infrastructure they no longer control. Sunsetting a product does not drain it of funds immediately, and as long as capital remains locked in deprecated contracts, the attack surface remains live.
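If a sunset contract cannot be paused, the one lever a team still holds is to watch it. As an added example (written for this page, not Aztec Foundation or PeckShield tooling), the sketch below scans a feed of transfer events for outflows from a list of deprecated contracts and raises an alert when a single outflow takes a large share of the tracked balance, ranking it higher when the recipient was first funded only shortly before. The contract addresses, balances, thresholds and the event feed are all constructed; only the 0.134 ETH funding amount and the 1,158 ETH outflow echo figures quoted in the article, and the fresh-wallet heuristic is a common analyst rule of thumb, not something the page attributes to anyone.

```python
"""Added monitoring sketch: alert on outflows from sunset contracts (not Aztec tooling).

Events and addresses below are constructed; the 0.134 ETH seed and the
1,158 ETH outflow echo figures in the article, nothing else does.
"""
from dataclasses import dataclass

WEI = 10**18


@dataclass(frozen=True)
class Transfer:
    block: int
    src: str
    dst: str
    value: int  # wei


# Hypothetical addresses and tracked balances for the deprecated contracts.
DEPRECATED_BALANCES = {
    "0xCONNECT_ROLLUP": 1000 * WEI,   # stand-in for the Aztec Connect rollup
    "0xPRIVATE_BRIDGE": 1200 * WEI,   # stand-in for the Private Rollup Bridge
}

LARGE_FRACTION = 0.10   # a single outflow of >= 10% of tracked balance is notable
FRESH_WINDOW = 500      # recipient first funded within this many blocks => higher severity


def scan(transfers, balances=DEPRECATED_BALANCES,
         large_fraction=LARGE_FRACTION, fresh_window=FRESH_WINDOW):
    """Return (block, contract, severity, detail) for notable outflows, in block order."""
    remaining = dict(balances)
    first_inbound: dict[str, int] = {}   # address -> block of its first inbound transfer
    alerts = []
    for t in sorted(transfers, key=lambda x: x.block):
        first_inbound.setdefault(t.dst, t.block)
        if t.src not in remaining:
            continue                      # not one of the watched contracts
        before = remaining[t.src]
        remaining[t.src] = before - t.value
        if before <= 0 or t.value < large_fraction * before:
            continue                      # routine exit, below the size threshold
        age = t.block - first_inbound[t.dst]
        severity = "high" if age <= fresh_window else "medium"
        alerts.append((t.block, t.src, severity,
                       f"{t.value / WEI:.0f} ETH ({t.value / before:.0%} of balance) "
                       f"to {t.dst}, first funded {age} blocks earlier"))
    return alerts


SAMPLE_FEED = [                                                          # constructed feed
    Transfer(10,  "0xSOME_USER",      "0xALICE",      1 * WEI),
    Transfer(100, "0xEXCHANGE",       "0xNEW_WALLET", 134 * WEI // 1000),  # 0.134 ETH seed
    Transfer(150, "0xCONNECT_ROLLUP", "0xALICE",      5 * WEI),            # routine exit
    Transfer(180, "0xPRIVATE_BRIDGE", "0xNEW_WALLET", 1158 * WEI),         # escape-hatch drain
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FEED):
        print(alert)
```

On the constructed feed the routine 5 ETH exit is ignored and the 1,158 ETH outflow is reported as high severity because the recipient was seeded 80 blocks earlier. A watcher like this does not stop a drain from an immutable contract, but it turns “the team could only observe” into an alert that fires on the first block rather than a post-mortem.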
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.