Aztec Connect — Deprecated Bridge Double Exploit (June 2026)
1 decision on this page
Audit log
Every state-changing event for Aztec Connect — Deprecated Bridge Double Exploit (June 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-07-02 12:04:10Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 430,303,095
- sig: 9cpEn1kHZkwp…NBsB63hA
- hash: Az9oQH3HQpNT…hX3tr4rW (sha256 → base58)
- canonical bytes (19278 B):
{"actor":"system:backfill","investigation_id":"f9f2e910-49a9-43d3-aaca-816e3a7b3993","kind":"publish","page_slug":"aztec-connect-deprecated-bridge-double-exploit-june-2026","published_at":"2026-07-02T12:04:09.899Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Aztec Connect — Deprecated Bridge Double Exploit (June 2026)","sections":[{"content":"Aztec Connect was a zero-knowledge rollup bridge on Ethereum developed by Aztec Labs that enabled private DeFi transactions. The product was deprecated in March 2023, with sequencer operations formally ceasing in March 2024. In April 2024, Aztec Labs renounced all administrative roles and upgrade authority over the contracts on-chain, following approximately one year of advance notice to users. The contracts became fully immutable at that point, meaning no entity retained the ability to pause, upgrade, or patch them. A separate, older product — the Aztec Private Rollup Bridge — was sunset even earlier, in 2021-2022. Both products operated on Ethereum mainnet and are entirely distinct from the current Aztec Network and its associated AZTEC ERC-20 token.","heading":"Background: Aztec Connect and Deprecation","severity":"low","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"}]},{"content":"At approximately 12:26 UTC on June 14, 2026, an attacker drained approximately $2.19 million from the Aztec Connect rollup contract at address 0xFF1F2B4ADb9dF6FC8eAFecDcbF96A2B351680455 in a single transaction. 
Assets extracted included approximately 909 ETH (roughly $1.6 million), 270,513 DAI, 167.89 wrapped staked ETH (wstETH, roughly $357,000), and smaller amounts of yvDAI, yvWETH, LUSD, and yvLUSD. According to Aztec Labs' post-mortem, the vulnerability arose from a mismatch between the contract's proof verification logic and its settlement logic: the validity proof accepted groups of 32 transaction rows, but the settlement code only acted on the first numRealTxs rows. By submitting rollups with numRealTxs=1 but including 2 rows, the attacker caused the proof to validate both rows while settlement processed only row 0; row 1 deposits created fake internal balances without collecting actual funds, which the attacker then withdrew. The extracted funds were subsequently moved through a chain of disposable wallets: 0x7ec9...06db to 0xc431...c1f5 to 0x0af7...9912, then to a high-volume service contract at 0xd90e...f31b. Because Aztec Labs had renounced all admin keys, the contract could not be paused or patched during or after the attack.","heading":"First Exploit: Aztec Connect Proof Mismatch (June 14, 2026)","severity":"critical","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Connect Drained of $2.1M Through Deprecated Contract Three Years After Shutdown — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/aztec-connect-deprecated-contract-exploit-2-1m-zk-proof"},{"credibility":2,"name":"Aztec Connect's abandoned smart contract exploited for $2M three years after shutdown — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect Contracts in Ethereum Exploit — The Merkle 
News","type":"news_article","url":"https://themerkle.com/attacker-drains-2-1-million-from-deprecated-aztec-connect-contracts-in-ethereum-exploit/"}]},{"content":"Beginning at approximately 04:00 UTC on June 15, 2026, a second wave of transactions targeting the same Aztec Connect vulnerability extracted approximately $88,000 in residual value from leftover DeFi bridge positions, spread across 14 transactions. This second attack appears to have been carried out by a different actor taking advantage of remaining funds after the primary exploit. Aztec Labs described this as part of the same root-cause vulnerability. Combined with the June 14 attack, the total loss to the Aztec Connect contract was approximately $2.27 million.","heading":"Second Attack: Residual Drain on Aztec Connect (June 15, 2026)","severity":"high","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Connect Exploit Drains $2.1M from Deprecated Ethereum Bridge — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/15/aztec-connect-exploit-2-million"}]},{"content":"On June 17-18, 2026, a separate attacker (identified by on-chain analysis as address 0x695...78e97f) exploited the deprecated Aztec Private Rollup Bridge contract at address 0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba, draining approximately $2.165 million. Assets removed included 1,158 ETH, 150,000 DAI, and approximately 0.47 renBTC, across three rapid transactions. According to analysis by SlowMist and BlockSec, the vulnerability resided in the contract's emergency escapeHatch withdrawal mechanism: the function lacked adequate access controls and did not verify ownership of funds, instead relying on proof data that an attacker could manipulate by setting specific proofId and publicOutput parameters during brief windows when the hatch was open. 
BlockSec characterized the root cause as a 'public input binding issue,' the same class of vulnerability as the June 14 Aztec Connect attack. This deprecated Private Rollup Bridge had been sunset in 2021-2022 and similarly remained immutable, preventing any remediation. CoinJournal reported the combined total loss across both products over the three-day window at approximately $4.25 million.","heading":"Third Exploit: Private Rollup Bridge EscapeHatch Drain (June 17-18, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"},{"credibility":2,"name":"Aztec Network hit by second hack this week as escapeHatch drained of $2M — Protos","type":"news_article","url":"https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/"},{"credibility":2,"name":"Aztec Network Exploit: $2.16M Drained From Deprecated Bridge — TronWeekly","type":"news_article","url":"https://www.tronweekly.com/aztec-network-exploit-2-16m-drained-from/"},{"credibility":2,"name":"Aztec Hit by Second $2.1M Hack in Days as Bridge Drained — CoinLaw","type":"news_article","url":"https://coinlaw.io/aztec-second-2-1m-hack-private-rollup-bridge/"}]},{"content":"Security analysts including BlockSec, SlowMist, and CertiK identified a shared underlying vulnerability class across both exploited products: public input binding issues in the zero-knowledge proof verification systems. In the Aztec Connect case, the contract's verification circuit accepted a group of 32 transaction rows as a single proof, while the settlement layer only processed up to numRealTxs rows. 
An attacker could craft a proof where row 0 was a legitimate transaction and row 1 was a fraudulent deposit; the verifier passed the combined proof, but settlement skipped row 1, meaning funds were credited without being collected. In the Private Rollup Bridge case, the escapeHatch function's verification did not enforce ownership of the claimed funds and could be manipulated by crafting specific proofId and publicOutput parameters. Both contracts were immutable at the time of the attacks, precluding any on-chain patch. Halborn published a detailed technical breakdown of the June 2026 attacks.","heading":"Technical Root Cause: Public Input Binding Flaw","severity":"critical","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Explained: The Aztec Connect Hack (June 2026) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-aztec-connect-hack-june-2026"},{"credibility":2,"name":"Aztec Network hit by second hack this week as escapeHatch drained of $2M — Protos","type":"news_article","url":"https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/"}]},{"content":"Aztec Labs issued an official incident post on its blog shortly after the June 14 attack. The statement emphasized that the organization holds no control over the affected contracts, as all administrative roles and upgrade authority were renounced on-chain in April 2024 following approximately one year of advance notice to users. Aztec Labs stated: 'Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.' The Aztec Foundation separately confirmed: 'There are no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token.' 
The team also noted that the zk-proof system itself was not compromised — the flaw was in the settlement code's interaction with verified proofs, not in the cryptographic primitives. No recovery of funds was pursued, as the contracts are fully immutable. The AZTEC token reportedly increased approximately 5% in the period following the incident announcement, as markets interpreted the limited contagion to the current network.","heading":"Aztec Labs and Aztec Foundation Response","severity":"medium","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":2,"name":"Aztec Network Exploit: $2.16M Drained From Deprecated Bridge — TronWeekly","type":"news_article","url":"https://www.tronweekly.com/aztec-network-exploit-2-16m-drained-from/"}]},{"content":"Protos reported that the June 17-18 Aztec Private Rollup Bridge attack was the 14th bridge-related exploit in 2026, with cumulative losses across all bridge hacks that year exceeding $340 million at the time of publication. The Aztec incidents illustrate a recurring risk pattern: deprecated smart contracts retaining live token balances long after administrative controls are relinquished, creating an exploitable honeypot scenario where vulnerabilities cannot be patched and funds cannot be recovered. 
Security practitioners have noted that the proper wind-down of a smart contract system should include draining all residual funds to user-controlled addresses before renouncing admin keys, a step that was apparently not fully completed in either Aztec product.","heading":"Broader Context: Bridge Exploit Landscape","severity":"medium","sources":[{"credibility":2,"name":"Aztec Network hit by second hack this week as escapeHatch drained of $2M — Protos","type":"news_article","url":"https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"}]},{"content":"Both Aztec Labs and the Aztec Foundation confirmed that neither the current Aztec Network nor the AZTEC ERC-20 token are connected to, or were impacted by, the exploited contracts. The current Aztec Network, which focuses on private smart contracts using a separate architecture, operates entirely independently. No funds from the current ecosystem were at risk, and no operational disruption to the active Aztec network was reported. Users who had already withdrawn from Aztec Connect prior to the exploits were unaffected. 
The incidents are therefore scoped to legacy users who had not fully withdrawn their funds from the deprecated systems before the contracts became immutable.","heading":"Impact on Current Aztec Network","severity":"low","sources":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Network's Private Rollup Bridge Exploited for $2.16M — NamecoinNews","type":"news_article","url":"https://www.namecoinnews.com/aztec-private-rollup-bridge-loses-2-16m/"}]}],"sources_used":[{"credibility":1,"name":"Aztec Connect Incident — Aztec Labs (official post-mortem)","type":"official","url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"credibility":2,"name":"Aztec Connect Drained of $2.1M Through Deprecated Contract — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/aztec-connect-deprecated-contract-exploit-2-1m-zk-proof"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"},{"credibility":2,"name":"Aztec Network hit by second hack this week as escapeHatch drained of $2M — Protos","type":"news_article","url":"https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/"},{"credibility":2,"name":"Explained: The Aztec Connect Hack (June 2026) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-aztec-connect-hack-june-2026"},{"credibility":2,"name":"Aztec Connect's abandoned smart contract exploited for $2M — Crypto 
Briefing","type":"news_article","url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"credibility":2,"name":"Aztec Network Exploit: $2.16M Drained From Deprecated Bridge — TronWeekly","type":"news_article","url":"https://www.tronweekly.com/aztec-network-exploit-2-16m-drained-from/"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect Contracts — The Merkle News","type":"news_article","url":"https://themerkle.com/attacker-drains-2-1-million-from-deprecated-aztec-connect-contracts-in-ethereum-exploit/"},{"credibility":2,"name":"Aztec Hit by Second $2.1M Hack in Days as Bridge Drained — CoinLaw","type":"news_article","url":"https://coinlaw.io/aztec-second-2-1m-hack-private-rollup-bridge/"},{"credibility":2,"name":"Aztec Network's Private Rollup Bridge Exploited for $2.16M — NamecoinNews","type":"news_article","url":"https://www.namecoinnews.com/aztec-private-rollup-bridge-loses-2-16m/"},{"credibility":2,"name":"Aztec Connect Hit by $2.1 Million Exploit in Old Contract — CapWolf","type":"news_article","url":"https://capwolf.com/aztec-connect-hit-by-2-1-million-exploit-in-old-contract/"},{"credibility":2,"name":"Aztec Hit Again: Another $2.16 Million Drained — Coinpedia","type":"news_article","url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"},{"credibility":2,"name":"Aztec Exploit Drains $2.19M From Dormant Privacy Protocol — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/15/aztec-exploit-drains-2-19m-from-dormant-privacy-protocol/"}],"summary":"In June 2026, two separate deprecated Aztec infrastructure contracts on Ethereum were exploited within one week, draining a combined total of approximately $4.25 million. The first exploit, on June 14, targeted the legacy Aztec Connect rollup contract via a proof verification mismatch; a follow-on second attack on June 15 drained residual funds. 
A third, separate exploit on June 17-18 hit the deprecated Aztec Private Rollup Bridge's escapeHatch function. Aztec Labs stated it had renounced all admin keys over the affected contracts in April 2024 and that the incidents had no connection to the current Aztec Network or AZTEC ERC-20 token.","timeline":[{"date":"2023-03-01","event":"Aztec Connect deprecated; bridge is scheduled for shutdown.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"date":"2024-03-01","event":"Aztec Connect sequencer operations formally cease.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"date":"2024-04-01","event":"Aztec Labs renounces all admin roles and upgrade authority over Aztec Connect contracts on-chain, rendering them fully immutable.","source":"Aztec Labs official post-mortem","source_url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"date":"2026-06-14","event":"At 12:26 UTC, attacker exploits proof verification mismatch in Aztec Connect rollup contract (0xFF1F2B4ADb9dF6FC8eAFecDcbF96A2B351680455), draining approximately $2.19 million in ETH, DAI, wstETH, and other tokens in a single transaction.","source":"Aztec Labs official post-mortem","source_url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"date":"2026-06-15","event":"Starting at 04:00 UTC, a second wave of 14 transactions drains approximately $88,000 in residual funds from the same Aztec Connect vulnerability, bringing total Aztec Connect losses to approximately $2.27 million.","source":"Aztec Labs official post-mortem","source_url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"date":"2026-06-15","event":"Aztec Labs publishes official incident post confirming the exploits and clarifying that no connection exists to the current Aztec Network or AZTEC ERC-20 token.","source":"Aztec Labs official 
post-mortem","source_url":"https://aztec-labs.com/blog/aztec-connect-incident.html"},{"date":"2026-06-17","event":"Attacker (0x695...78e97f) exploits escapeHatch function of the deprecated Aztec Private Rollup Bridge contract (0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba), draining approximately $2.165 million in ETH, DAI, and renBTC across three transactions.","source":"TronWeekly / Protos","source_url":"https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/"},{"date":"2026-06-18","event":"Combined total losses across both Aztec product exploits reach approximately $4.25 million. Security firms SlowMist, BlockSec, and CertiK confirm shared root cause: public input binding flaws in zk-proof verification.","source":"CoinJournal","source_url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 2d8ebcf9-f924-4bee-8aaa-7def4eee9c0c
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
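The two checks described above, as an added example that is not avoid.net's own verifier (`src.verify_decision` is not reproduced here). It assumes the hash is base58 (Bitcoin alphabet) over the raw SHA-256 digest and that canonical bytes are compact, key-sorted UTF-8 JSON, as the record shown appears to be; the function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; leading zero bytes become leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\0"))
    return "1" * pad + out


def canonical_bytes(record: dict) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, raw UTF-8."""
    text = json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """sha256 -> base58, the transformation shown next to the stored hash."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str, memo_hash: str) -> dict:
    """Hash the bytes exactly as served; never re-serialize before hashing.

    row_integrity: served bytes match the hash stored alongside them.
    anchor_match:  served bytes match the hash read from the on-chain memo,
                   a witness fetched independently of the site.
    """
    computed = row_hash(canonical).encode()
    return {
        "row_integrity": hmac.compare_digest(computed, stored_hash.encode()),
        "anchor_match": hmac.compare_digest(computed, memo_hash.encode()),
    }


# Constructed sample record; field names mirror the row above, values do not.
SAMPLE = {"v": 1, "kind": "publish", "actor": "system:backfill",
          "sequence_num": 1,
          "snapshot": {"entity_name": "Example \u2014 constructed"}}


def demo():
    served = canonical_bytes(SAMPLE)
    anchored = row_hash(served)  # value the memo would carry at publish time
    intact = verify_row(served, anchored, anchored)
    # Bytes altered after anchoring, stored hash left unchanged.
    altered = served.replace(b"publish", b"retract")
    stale = verify_row(altered, anchored, anchored)
    # Bytes altered and stored hash recomputed to match them: only the
    # independently fetched memo hash still disagrees.
    rehashed = verify_row(altered, row_hash(altered), anchored)
    return intact, stale, rehashed


if __name__ == "__main__":
    for name, result in zip(("intact", "stale", "rehashed"), demo()):
        print(name, result)
```

The third case shows why the memo comparison matters: a row whose bytes and stored hash were changed together still passes the local hash check and is caught only by the anchored value.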