TL;DR:
Aztec Connect, a decentralized finance platform discontinued since March 2023, suffered the theft of approximately $2.1 million in cryptocurrencies. The attack exploited a flaw in the verification function of its smart contract, which remained active and immutable despite having been abandoned more than three years ago.
Aztec Labs published on X that it was investigating a potential exploit on Connect and confirmed that the funds transferred from the contract did not affect users or assets on the current Aztec network. However, the company clarified that it does not hold the administrative keys over the system and that it cannot be paused or updated.
We are investigating a potential exploit affecting Aztec Connect. ~$2.1m was transferred from the immutable smart contract in transaction:https://t.co/5WrfeR8bbJ
Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be…
— Aztec Labs (@AztecLabs_) June 14, 2026
Security firm BlockSec explained the attack mechanism: the Aztec Connect contract presented a discrepancy between how it verified transactions and how it settled them on Ethereum. Verified transactions were not effectively linked to the set of operations required by the zero-knowledge proof, which allowed the verification logic and the settlement logic to interpret the transaction list differently. This enabled the attacker to introduce transactions in which the contract credited value without validating it on the network, generating unbacked balances that could then be withdrawn. The operation was repeated seven times across seven different assets.
Among the stolen assets were 909 ETH, 270,000 DAI, 167 wsETH and other minor cryptocurrencies. Security firm CertiK documented part of the movements linked to the incident.
The developer known as “Param” noted that Aztec Connect’s smart contracts became fully immutable after deprecation and could not be updated or stopped. “The incident is another reminder that abandoned DeFi contracts can still be targets years later,” he stated.
June is proving to be an especially aggressive month for security in the crypto industry. According to DeFiLlama, at least 12 separate attacks have accumulated losses exceeding $44 million so far this month. The largest was the private key theft at Humanity Protocol, resulting in losses of around $30 million. One day earlier, Syscoin Bridge had suffered the theft of $8 million through a false proof exploit.
Aztec Network, the current version of the protocol, is a layer-2 rollup focused on privacy through zero-knowledge proofs on Ethereum. Connect was its previous version, launched in 2022 as a DeFi bridge and replaced the following year.
