Skip to main content
Sign in
Aztec Deprecated Private Rollup Bridge Exploit (June 2026)1 decision on this page

Audit log

Every state-changing event for Aztec Deprecated Private Rollup Bridge Exploit (June 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-06-25 17:12:33Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 428,848,620
    sig
    f4pnisrjdgJL…GJMmzUUvexplorer ↗
    hash
    DRB6qnVydp2t…jQv85GRJsha256 → base58
    verifying row…full verify ↗
    canonical bytes (18948 B) ▸
    {"actor":"system:backfill","investigation_id":"b755b7f4-b846-4f89-8a0c-65c134a177e4","kind":"publish","page_slug":"aztec-deprecated-private-rollup-bridge-exploit-june-2026","published_at":"2026-06-25T17:12:33.868Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Aztec Deprecated Private Rollup Bridge Exploit (June 2026)","sections":[{"content":"Aztec Network, a privacy-focused ZK-rollup protocol on Ethereum, suffered two successive exploits of its legacy deprecated contracts in June 2026. The first attack on June 14 targeted Aztec Connect's RollupProcessorV3 contract, which had been shut down in March 2023 but remained deployed on Ethereum holding residual user assets. A second, unrelated attacker exploited the Aztec Private Rollup Bridge's escapeHatch() function on June 17, 2026 — a product that had been closed approximately four years prior. Combined losses across both incidents exceeded $4.3 million. Both Aztec Labs and the Aztec Foundation confirmed that the exploited contracts have no connection to the active Aztec network, any current smart contracts, or the AZTEC ERC-20 token.","heading":"Overview","severity":"high","sources":[{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"},{"credibility":2,"name":"Legacy Aztec Contracts Drained $4M in ZK-Proof Exploits — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/legacy-aztec-contracts-drained-4m-in-zk-proof-exploits-active-network-unscathed"}]},{"content":"On June 14, 2026, an attacker exploited a settlement boundary vulnerability in the deprecated Aztec Connect RollupProcessorV3 contract. According to SlowMist's post-mortem, the root cause was a mismatch between the ZK-proof's 32 public input slots and the Layer 1 settlement contract, which processed only the first slot based on an attacker-controlled parameter. This discrepancy allowed the attacker to create forged Layer 2 balances in slots that L1 validation did not inspect, then withdraw those forged balances from the real L1 liquidity pool.\n\nThe attack was executed via 14 consecutive processRollup() calls within a single atomic transaction. The first seven rollup calls created unsupported L2 balances using forged deposits; the following seven calls withdrew those balances from the L1 pool. The attacker's externally owned address (0x0f18...edd17) had previously been funded via Tornado Cash.\n\nAssets drained in the first exploit: approximately 909 ETH (~$1.565 million), 270,513 DAI, 167.89 wstETH (~$357,000), and smaller amounts of yvDAI, yvWETH, LUSD, and yvLUSD — totaling approximately $2.19 million. As of June 15, 2026, the stolen assets remained unlaundred in the attacker's wallet.","heading":"First Exploit: Aztec Connect (June 14, 2026)","severity":"critical","sources":[{"credibility":2,"name":"SlowMist Details Root Cause of $2.19M Aztec Connect Exploit — CryptoTimes","type":"research","url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"credibility":2,"name":"Aztec Connect Exploit Drains $2.19M From Deprecated Protocol — Cryip","type":"news_article","url":"https://cryip.co/aztec-connect-exploit-drains-2-19m-from-deprecated-protocol-aztec-network-safe/"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect in Proof Verification Exploit — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/attacker-drains-2-1-million-from-deprecated-aztec-connect-in-proof-verification-exploit/"},{"credibility":1,"name":"Aztec Foundation official statement on June 14 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2066175938887619055"}]},{"content":"Three days after the Aztec Connect exploit, a second attacker drained approximately $2.16 million from the Aztec Private Rollup Bridge — a product originally launched in 2021 and closed in 2022, roughly four years before the June 2026 attack. The vulnerability resided in the RollupProcessor.escapeHatch() function, which lacked access controls such as an onlyOwner modifier, rollup provider authorization, or signature verification.\n\nThe escape hatch mechanism was originally designed as a safety release valve for users to exit under specific conditions. Because the rollup size could be set to zero, the verification process accepted an escape-hatch proof and relied entirely on public withdrawal inputs supplied by the caller. Since ownership and withdrawal balances were not independently validated, the attacker was able to execute unauthorized withdrawals from the RollupProcessor contract.\n\nAssets drained in the second exploit: approximately 1,158 ETH, 150,000 DAI, and approximately 0.47 renBTC — totaling approximately $2.16 million USD. The Aztec Foundation noted in its official statement that the product 'was deprecated 4 years ago' and that 'there are no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token.'","heading":"Second Exploit: Aztec Private Rollup Bridge (June 17, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Aztec Network Exploit: $2.16M Drained From Deprecated Bridge — TronWeekly","type":"news_article","url":"https://www.tronweekly.com/aztec-network-exploit-2-16m-drained-from/"},{"credibility":2,"name":"Aztec Network's RollupProcessor Exploited for $2.21 Million — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"credibility":1,"name":"Aztec Foundation official statement on June 17 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2067511967237939636"},{"credibility":2,"name":"Aztec Hit by Second $2.1M Hack in Days as Bridge Drained — CoinLaw","type":"news_article","url":"https://coinlaw.io/aztec-second-2-1m-hack-private-rollup-bridge/"}]},{"content":"Both exploits took advantage of immutable smart contracts that remained deployed on Ethereum after their associated products had been deprecated and service discontinued.\n\nExploit 1 (Aztec Connect, June 14): The ZK-rollup settlement boundary bypass involved a discrepancy between the ZK-SNARK circuit's 32 public input slots and the L1 contract's validation logic. The circuit lacked constraints on unused slots, meaning the L1 contract processed only attacker-controlled portions of the proof. This produced a L1/L2 state discrepancy in which forged deposits were accepted by the L2 rollup while remaining invisible to L1 validation. The attack required 14 processRollup() calls in a single atomic transaction: seven to mint synthetic L2 balances, seven to drain the real L1 pool.\n\nExploit 2 (Private Rollup Bridge, June 17): The escapeHatch() function was designed as an emergency exit for users, but it was deployed without access controls. When the rollup size was set to zero, the verification flow fell back to accepting caller-supplied withdrawal inputs without independently verifying ownership or balance state. SlowMist attributed this to weak escape hatch checks that enabled manipulation of withdrawal proof data.","heading":"Technical Analysis: Attack Vectors","severity":"critical","sources":[{"credibility":2,"name":"Analysis of the $2.19M Asset Theft from Aztec Connect — SlowMist on Medium","type":"research","url":"https://slowmist.medium.com/analysis-of-the-2-19-million-asset-theft-from-aztec-connect-d867c59b1fc6"},{"credibility":2,"name":"Explained: The Aztec Connect Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-aztec-connect-hack-june-2026"},{"credibility":2,"name":"Aztec Connect Hacked for $2.19M via ZK-Rollup Vulnerability — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/aztec-connect-hacked-for-2-19m-via-zk-rollup-vulnerability"}]},{"content":"Following the first exploit on June 14, Aztec Labs stated: 'Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.' The Aztec Foundation separately confirmed that the affected contracts bore no relation to the AZTEC ERC-20 token or the current Aztec network.\n\nAfter the second exploit on June 17, the Aztec Foundation stated: 'The Aztec Foundation was made aware of a potential exploit targeting a deprecated product which occurred on June 17, 2026. There are no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token. The product was deprecated 4 years ago.'\n\nAztec Labs explained that the design decision to renounce administrative access was intentional — made to prioritize decentralization and user privacy — but acknowledged that this made it impossible to patch or pause the contracts when vulnerabilities emerged. No recovery mechanisms were available and no funds were recovered.","heading":"Official Response from Aztec Labs and Aztec Foundation","severity":"medium","sources":[{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":1,"name":"Aztec Foundation statement on June 14 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2066175938887619055"},{"credibility":1,"name":"Aztec Foundation statement on June 17 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2067511967237939636"}]},{"content":"Both Aztec Labs and the Aztec Foundation have emphasized that the exploited contracts are entirely separate from Aztec's active network and token infrastructure. The Aztec Connect product was deprecated in March 2023; the Private Rollup Bridge was deprecated approximately in 2022. The AZTEC ERC-20 token and current Aztec network smart contracts were reported to be unaffected by both incidents. Multiple independent security and news sources confirmed this isolation. The current Aztec network (as of June 2026) uses different infrastructure and is considered architecturally distinct from the deprecated legacy contracts.","heading":"Scope and Isolation: Current Aztec Network","severity":"low","sources":[{"credibility":2,"name":"Aztec Exploited Twice in Three Days as Attackers Drain Over $4M — NullTX","type":"news_article","url":"https://nulltx.com/aztec-exploited-twice-in-three-days-as-attackers-drain-over-4m/"},{"credibility":2,"name":"Legacy Aztec Contracts Drained $4M in ZK-Proof Exploits — Active Network Unscathed — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/legacy-aztec-contracts-drained-4m-in-zk-proof-exploits-active-network-unscathed"}]},{"content":"The dual Aztec exploits illustrate a systemic risk in DeFi and ZK-rollup design: immutable contracts that remain deployed on-chain after product deprecation continue to present an attack surface as long as they hold user assets. In Aztec's case, the design decision to renounce admin keys — intended to strengthen privacy and decentralization guarantees — became a liability when vulnerabilities were later discovered. There was no mechanism to pause, upgrade, or drain the contracts to safety.\n\nSecurity researchers have noted that protocols deprecating products should either ensure that all residual user assets are fully withdrawn before renouncing admin controls, or should implement timelocked emergency mechanisms that survive product shutdown. The consecutive exploits targeting two different deprecated Aztec products within a three-day window suggest that once one attack succeeds, threat actors rapidly probe adjacent legacy contracts for similar weaknesses.","heading":"Broader Implications: Deprecated Contract Risk","severity":"high","sources":[{"credibility":2,"name":"Aztec Suffers Second $2.15M Exploit in Less Than a Week — CoinPaper","type":"news_article","url":"https://coinpaper.com/32030/aztec-suffers-second-215m-exploit-in-less-than-a-week"},{"credibility":2,"name":"Aztec Hit Again: Another $2.16 Million Drained Just Days After Previous Exploit — CoinPedia","type":"news_article","url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"}]}],"sources_used":[{"credibility":1,"name":"Aztec Foundation official statement on June 14 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2066175938887619055"},{"credibility":1,"name":"Aztec Foundation official statement on June 17 exploit — X (Twitter)","type":"official","url":"https://x.com/aztecFND/status/2067511967237939636"},{"credibility":2,"name":"SlowMist Details Root Cause of $2.19M Aztec Connect Exploit — CryptoTimes","type":"research","url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"credibility":2,"name":"Analysis of the $2.19M Asset Theft from Aztec Connect — SlowMist on Medium","type":"research","url":"https://slowmist.medium.com/analysis-of-the-2-19-million-asset-theft-from-aztec-connect-d867c59b1fc6"},{"credibility":2,"name":"Explained: The Aztec Connect Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-aztec-connect-hack-june-2026"},{"credibility":2,"name":"Aztec Network's RollupProcessor Exploited for $2.21 Million — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":2,"name":"Aztec Connect Hacked for $2.19M via ZK-Rollup Vulnerability — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/aztec-connect-hacked-for-2-19m-via-zk-rollup-vulnerability"},{"credibility":2,"name":"Legacy Aztec Contracts Drained $4M in ZK-Proof Exploits — Active Network Unscathed — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/legacy-aztec-contracts-drained-4m-in-zk-proof-exploits-active-network-unscathed"},{"credibility":2,"name":"Aztec Hit Again: Another $2.16 Million Drained Just Days After Previous Exploit — CoinPedia","type":"news_article","url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"},{"credibility":2,"name":"Aztec Exploited Twice in Three Days as Attackers Drain Over $4M — NullTX","type":"news_article","url":"https://nulltx.com/aztec-exploited-twice-in-three-days-as-attackers-drain-over-4m/"},{"credibility":2,"name":"Aztec Network Exploit: $2.16M Drained From Deprecated Bridge — TronWeekly","type":"news_article","url":"https://www.tronweekly.com/aztec-network-exploit-2-16m-drained-from/"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect in Proof Verification Exploit — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/attacker-drains-2-1-million-from-deprecated-aztec-connect-in-proof-verification-exploit/"},{"credibility":2,"name":"Aztec Suffers Second $2.15M Exploit in Less Than a Week — CoinPaper","type":"news_article","url":"https://coinpaper.com/32030/aztec-suffers-second-215m-exploit-in-less-than-a-week"},{"credibility":2,"name":"Aztec Connect Exploit Drains $2.1M from Deprecated Ethereum Bridge — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/15/aztec-connect-exploit-2-million"}],"summary":"In June 2026, two separate exploits drained a combined total of over $4 million from deprecated Aztec Network smart contracts — Aztec Connect on June 14 ($2.19M) and the Aztec Private Rollup Bridge on June 17 ($2.16M). Both contracts had been shut down years earlier but remained immutable and on-chain, custodying residual user assets with no administrative override capability.","timeline":[{"date":"2022-01-01","event":"Aztec Private Rollup Bridge launched (approximate year; deprecated approximately 2022)","source":"Aztec Foundation statement via X","source_url":"https://x.com/aztecFND/status/2067511967237939636"},{"date":"2023-03-01","event":"Aztec Connect deprecated; team renounces admin keys, contract remains immutable and on-chain","source":"Aztec Labs statement via Cryptopolitan","source_url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"date":"2026-06-14","event":"First exploit: attacker (funded via Tornado Cash, address 0x0f18...edd17) drains approximately $2.19M from Aztec Connect RollupProcessorV3 via ZK-SNARK settlement boundary bypass across 14 consecutive processRollup() calls in a single atomic transaction","source":"SlowMist analysis via CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"date":"2026-06-14","event":"Aztec Foundation issues official statement distancing current network and AZTEC ERC-20 token from the Aztec Connect exploit","source":"Aztec Foundation — X (Twitter)","source_url":"https://x.com/aztecFND/status/2066175938887619055"},{"date":"2026-06-15","event":"SlowMist publishes detailed root cause analysis of the $2.19M Aztec Connect exploit, identifying ZK-proof settlement boundary mismatch as the core vulnerability","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"date":"2026-06-17","event":"Second exploit: attacker drains approximately $2.16M (1,158 ETH, 150,000 DAI, ~0.47 renBTC) from the deprecated Aztec Private Rollup Bridge via unprotected escapeHatch() function lacking access controls","source":"Aztec Network's RollupProcessor Exploited for $2.21 Million — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"date":"2026-06-17","event":"Aztec Foundation issues second official statement confirming deprecated product status and absence of links to current network or AZTEC ERC-20 token","source":"Aztec Foundation — X (Twitter)","source_url":"https://x.com/aztecFND/status/2067511967237939636"},{"date":"2026-06-18","event":"Combined losses from both exploits reported at over $4 million; no funds recovered; current Aztec network confirmed unaffected","source":"CoinJournal","source_url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision ac462508-c931-49e8-b126-37879c6b2393
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.