Summary:
- Deprecated Aztec infrastructure has suffered a second exploit in less than a week, with attackers stealing around $2.15 million.
- Security researchers at SlowMist said the attacker used a false rollup proof to withdraw funds from an old payment protocol.
- Aztec Labs confirmed the incident but said the affected product was discontinued in 2022 and cannot be paused or upgraded because it is fully immutable.
- The latest exploit is separate from the $2.1 million Aztec Connect hack reported just days earlier.
- Researchers say abandoned smart contracts that continue to hold assets remain attractive targets for attackers and should be migrated whenever possible.
Privacy-focused Ethereum Layer-2 project Aztec has suffered another multimillion-dollar exploit, marking the second attack against its deprecated infrastructure in less than a week and drawing renewed attention to the long-term security risks of abandoned smart contracts. According to preliminary findings shared by SlowMist co-founder Cos, attackers drained approximately 1,158 ETH, 150,000 DAI, and 0.46 renBTC, with the total value reaching roughly $2.15 million at the time of the attack.
Based on SlowMist's initial analysis, the attacker allegedly crafted a false rollup proof, allowing the protocol to accept an invalid withdrawal request. Once the proof was accepted, the smart contract released assets from its reserves directly to the attacker's address. Although investigators continue to analyze the exploit, the early assessment suggests the attack targeted weaknesses in an older version of Aztec's infrastructure rather than its current development efforts. Shortly after reports of the exploit surfaced, Aztec Labs confirmed the incident through an official statement. The team explained that approximately $2 million had been removed from an immutable smart contract connected to a payment product launched in 2021 and retired the following year. Importantly, Aztec emphasized that it no longer has administrative control over the affected contracts.
Because the protocol was designed as an immutable system, the development team cannot freeze assets, pause transactions, or deploy emergency upgrades. That architectural choice reflects a common principle in decentralized finance, where protocols are intentionally built without centralized control. However, incidents like this also highlight the challenges that arise when vulnerabilities are discovered years after a protocol has been retired. Aztec further clarified that this exploit is entirely separate from the $2.1 million attack against Aztec Connect, another privacy-focused rollup product that stopped accepting deposits in March 2023 as the team shifted its attention toward building the next-generation Aztec Network. Despite being discontinued, the protocol still contained legacy user assets inside immutable contracts, making it a viable target for attackers.
Old smart contracts continue to attract attackers
The latest exploit has added momentum to an ongoing discussion across the blockchain industry about the hidden risks associated with deprecated smart contracts. Although projects may stop maintaining older protocols, those contracts often remain permanently deployed on public blockchains. If they continue holding funds, attackers have every reason to keep searching for overlooked vulnerabilities. Risk analysis platform Blockful highlighted exactly this concern following the recent attacks.

The company also provided its own assessment of the earlier Aztec Connect exploit, explaining that the vulnerability involved the validation process for zero-knowledge proofs. According to Blockful, only part of the transaction payload underwent verification, allowing attackers to manipulate transaction data and create fraudulent withdrawals after bypassing the incomplete validation process. While the two Aztec incidents involved different deprecated products, they reinforce a broader industry trend. Earlier this month, decentralized exchange Raydium also experienced an exploit involving older infrastructure, resulting in losses estimated at approximately $1.3 million. Together, these incidents demonstrate that software does not automatically become safe simply because development has ended. On public blockchains, smart contracts continue operating exactly as they were originally deployed unless users voluntarily move their assets elsewhere. That permanence is one of blockchain's defining features, but it also means vulnerabilities can remain exploitable years after active development has stopped.
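The failure mode Blockful describes, a proof that is checked against only part of the withdrawal payload, is easiest to see in a toy model. The following is an added example and not Aztec's or Blockful's code: the "proof" is modelled as an HMAC under a hypothetical prover key, standing in for the fact that a ZK verifier is sound only for the public inputs it is actually given, and every field of the payload the verifier leaves out of those inputs is taken from calldata on trust. The `Withdrawal` fields, the `PROVER_KEY`, the address strings and the reserve figure are all constructed for illustration. The block shows the vulnerable binding beside the hardened one, a mutation-based audit check that lists which payload fields a given binding leaves unproven, and the replay of a legitimately obtained proof with an inflated amount.

```python
# Added example, not Aztec's code: a toy rollup whose withdrawal "proof" binds
# only part of the payload, beside the fix. The proof is an HMAC over whatever
# public inputs the verifier feeds it; a real ZK verifier likewise proves
# nothing about calldata fields that are not among its public inputs.
import hashlib
import hmac
from dataclasses import dataclass, fields, replace

PROVER_KEY = b"hypothetical-prover-key"  # stand-in for the proving system's soundness


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount: int  # constructed units, not real balances
    nonce: int


def _commit(public_inputs: tuple) -> bytes:
    """Commit to the public inputs with a length-prefixed encoding, so that
    field boundaries are unambiguous (no "a|b" vs "a" "|b" confusion)."""
    buf = b""
    for v in public_inputs:
        s = str(v).encode()
        buf += len(s).to_bytes(4, "big") + s
    return hmac.new(PROVER_KEY, buf, hashlib.sha256).digest()


# Which payload fields the proof is bound to. The vulnerable variant omits amount.
def vulnerable_public_inputs(w: Withdrawal) -> tuple:
    return (w.recipient, w.nonce)


def hardened_public_inputs(w: Withdrawal) -> tuple:
    return (w.recipient, w.amount, w.nonce)


def prove(w: Withdrawal, public_inputs) -> bytes:
    """Honest prover: the proof commits to exactly the verifier's public inputs."""
    return _commit(public_inputs(w))


class Rollup:
    def __init__(self, reserves: int, public_inputs):
        self.reserves = reserves
        self.public_inputs = public_inputs
        self.spent_nonces = set()
        self.paid = {}  # recipient -> total released

    def process_withdrawal(self, w: Withdrawal, proof: bytes) -> bool:
        if w.nonce in self.spent_nonces:
            return False
        # The proof is verified only against public_inputs(w); every other
        # field of w is used as submitted in calldata.
        if not hmac.compare_digest(_commit(self.public_inputs(w)), proof):
            return False
        if w.amount > self.reserves:
            return False
        self.spent_nonces.add(w.nonce)
        self.reserves -= w.amount
        self.paid[w.recipient] = self.paid.get(w.recipient, 0) + w.amount
        return True


def unbound_fields(public_inputs, sample: Withdrawal) -> list:
    """Audit check: mutate each payload field in turn and see whether the
    commitment changes. A field whose mutation leaves it unchanged is not
    covered by the proof and can be altered freely by the submitter."""
    base = _commit(public_inputs(sample))
    loose = []
    for f in fields(sample):
        v = getattr(sample, f.name)
        mutated = replace(sample, **{f.name: v + 1 if isinstance(v, int) else v + "x"})
        if _commit(public_inputs(mutated)) == base:
            loose.append(f.name)
    return loose


def run_attack(public_inputs, reserves: int = 1_000) -> tuple:
    """The attacker obtains a legitimate proof for a 1-unit withdrawal, then
    resubmits it with the amount field set to the whole reserve.
    Returns (accepted, remaining_reserves)."""
    rollup = Rollup(reserves, public_inputs)
    legit = Withdrawal("0xattacker", amount=1, nonce=7)
    proof = prove(legit, public_inputs)       # honestly obtained for 1 unit
    forged = replace(legit, amount=reserves)  # same proof, mutated calldata
    return rollup.process_withdrawal(forged, proof), rollup.reserves


if __name__ == "__main__":
    probe = Withdrawal("0xa", 1, 1)
    print("unproven fields (vulnerable):", unbound_fields(vulnerable_public_inputs, probe))
    print("unproven fields (hardened):  ", unbound_fields(hardened_public_inputs, probe))
    print("vulnerable:", run_attack(vulnerable_public_inputs))  # (True, 0)
    print("hardened:  ", run_attack(hardened_public_inputs))    # (False, 1000)
```

The mutation check in `unbound_fields` is the part worth carrying to a real audit: for any contract that accepts a proof plus loose calldata, enumerate the calldata fields the contract later acts on and confirm each one is either a public input of the proof or derived from one. A field that fails that test is exactly the kind of gap the analysis above describes.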
Legacy assets remain a long-term security challenge
Following the first Aztec Connect exploit, SlowMist published a detailed post-mortem examining how attackers successfully targeted deprecated infrastructure. According to the cybersecurity firm's analysis, the exploited contracts continued holding legacy assets long after the protocol had been discontinued. Although users could no longer actively use the service as intended, funds remaining inside immutable contracts continued to exist on-chain without the protection of ongoing maintenance or security updates. SlowMist concluded that this creates an ongoing attack surface for malicious actors. Attackers increasingly examine abandoned infrastructure where vulnerabilities may have gone unnoticed for years. The firm recommended that blockchain projects carrying legacy contracts should organize structured asset migration plans whenever possible. Moving remaining assets into newer systems can reduce the amount of value exposed through deprecated contracts and limit opportunities for future attacks. For projects built around immutable architecture, however, such migrations require careful planning and active participation from users before support ends. Once administrative control has been removed, development teams often have little ability to intervene if vulnerabilities are discovered later.
The latest Aztec exploit illustrates that challenge clearly. Although Aztec Labs confirmed the incident and continues investigating alongside security researchers, the affected contracts themselves cannot be modified because they were intentionally designed without upgrade mechanisms. That distinction also serves as an important reminder for users. A protocol being labeled "deprecated" does not necessarily mean every asset has already been withdrawn. If funds remain locked inside old contracts, those contracts may continue carrying financial risk long after development has ended. As decentralized finance continues to mature, the industry's attention is expanding beyond newly launched protocols toward infrastructure built several years ago. Recent incidents suggest that legacy smart contracts deserve the same level of security awareness as actively maintained platforms, especially when they continue safeguarding significant amounts of user funds.